IV02633: SSLSESSIONS ARE NOT BEING RESUMED

APAR status

  • Closed as program error.

Error description

  • Component: IBM JSSE2
    
    
    Envt: 6.0 SR7
    
    Description:
    
    The server, using SSLEngine, sends an encrypted close_notify
    alert.  If the peer does not respond with its own close_notify,
    a fatal alert is sent for the exception
    "javax.net.ssl.SSLException: Inbound closed before receiving
    peer's close_notify: possible truncation attack?".  This causes
    the SSLSession to be invalidated, so the SSLSession cannot be
    resumed.
    
    JVMs affected:
    
    5.0, 6.0 and 6.26
    

Local fix

  • Level 3 to update
    

Problem summary

  • Description:  The server, using SSLEngine, sends an encrypted
    close_notify alert.  If the peer does not respond with its own
    close_notify, a fatal alert is sent for the exception
    "javax.net.ssl.SSLException: Inbound closed before receiving
    peer's close_notify: possible truncation attack?".  This causes
    the SSLSession to be invalidated, so the SSLSession cannot be
    resumed.
    
    
    4488 WebContainer : 5, called closeInbound()
    4489 [27.06.11 13:15:58:906 CEST] 0000006d SystemOut     O
    WebContainer : 5, fatal error: 80: Inbound closed before
    receiving peer's close_notify: possible truncation attack?
    4490 javax.net.ssl.SSLException: Inbound closed before receiving
    peer's close_notify: possible truncation attack?
    

Problem conclusion

  • Because RFC 2246 is vague about whether the initiator of the
    close_notify needs to wait for the peer to send its own
    close_notify, SSLEngine will now ignore a missing close_notify
    and will just close the inbound connection without throwing an
    exception.  This allows SSLSessions to be resumed.
    
    IBMJSSEProvider2.jar dated 20110628 - 5.0 SR13, 6.0 SR10
    IBMJSSEProvider2.jar dated 20110629 - 5.0 SR13 and 6.26 SR1
    
    Hursley Defect 182421
    Austin Defect 112172
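
    The close sequence described above, seen from application code that drives an SSLEngine (an added example, not IBM's code or the fix itself). It shows where the missing close_notify surfaces and how to check whether the session can still be resumed; the class and method names (TransportEof, onTransportEof, Outcome) are hypothetical.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLSession;

// Added example; TransportEof, onTransportEof and Outcome are hypothetical names.
public class TransportEof {

    /** How the inbound side of the TLS connection ended. */
    enum Outcome { CLEAN_CLOSE, MISSING_CLOSE_NOTIFY }

    /**
     * Call when a read on the underlying socket/channel returns -1.
     * closeInbound() tells the engine that no more inbound data will arrive;
     * a JSSE provider may throw SSLException here if the peer's close_notify
     * was never received.
     */
    static Outcome onTransportEof(SSLEngine engine) {
        SSLSession session = engine.getSession();
        Outcome outcome = Outcome.CLEAN_CLOSE;
        try {
            engine.closeInbound();
        } catch (SSLException e) {
            // The peer dropped the transport without close_notify. Data whose
            // end is marked only by connection close may have been cut short;
            // length- or terminator-framed messages can be checked by the caller.
            outcome = Outcome.MISSING_CLOSE_NOTIFY;
        }
        // Queue our own close_notify; the caller still has to wrap() and flush it.
        engine.closeOutbound();
        // An invalidated session cannot be resumed: the next connection from
        // this peer needs a full handshake.
        System.out.println("outcome=" + outcome
                + " sessionStillValid=" + session.isValid());
        return outcome;
    }

    public static void main(String[] args) throws Exception {
        // Constructed demo: an engine that never handshakes, given an immediate
        // EOF. With no handshake there is no real session to resume; on an
        // established connection the flag shows whether the session survived.
        SSLEngine engine = SSLContext.getDefault().createSSLEngine();
        engine.setUseClientMode(false);
        onTransportEof(engine);
    }
}
```

    With a provider that no longer throws on a missing close_notify, the application's own message framing is the only remaining signal that inbound data was truncated.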
    

Temporary fix

Comments

APAR Information

  • APAR number

    IV02633

  • Reported component name

    JAVA SECURE SOC

  • Reported component ID

    TIVSECJSS

  • Reported release

    100

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2011-06-28

  • Closed date

    2011-06-29

  • Last modified date

    2011-06-29

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    JAVA SECURE SOC

  • Fixed component ID

    TIVSECJSS

Applicable component levels

  • R100 PSY

       UP



Document information


More support for:

Tivoli Components - Java Security
JSSE

Software version:

100

Reference #:

IV02633

Modified date:

2011-06-29
