IBM Support

IV03508: SSLSESSIONS INVALIDATED AND CANNOT BE RESUMED.

 

APAR status

  • Closed as program error.

Error description

  • Error Message: Description: The Server using SSLEngine sends an
    encrypted close_notify alert. If the peer does not respond with its
    close_notify, then a fatal alert of "javax.net.ssl.SSLException:
    Inbound closed before receiving peer's close_notify: possible
    truncation attack?" is sent. This causes the SSLSession to be
    invalidated and therefore the SSLSession cannot be resumed.
    .
    Stack Trace:
    4488 WebContainer : 5, called closeInbound()
    4489 [27.06.11 13:15:58:906 CEST] 0000006d SystemOut O WebContainer : 5, fatal error: 80: Inbound closed before receiving peer's close_notify: possible truncation attack?
    4490 javax.net.ssl.SSLException: Inbound closed before receiving peer's close_notify: possible truncation attack?
    .
    Performance problem due to SSLSessions not being resumed.
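
To check how often a server hits this condition, the trace lines quoted above can be correlated per thread: a `closeInbound()` call followed by the fatal alert on the same thread marks a close that invalidated the session. The script below is an added example, not IBM code; the log sample is constructed in the shape of the trace above, and the names `triage`, `PREFIX`, `EVENT` and `MARKER` are illustrative.

```python
import re
from collections import Counter

# Constructed sample in the shape of the trace quoted in this APAR.
SAMPLE_LOG = """\
WebContainer : 5, called closeInbound()
[27.06.11 13:15:58:906 CEST] 0000006d SystemOut     O WebContainer : 5, fatal error: 80: Inbound closed before receiving peer's close_notify: possible truncation attack?
javax.net.ssl.SSLException: Inbound closed before receiving peer's close_notify: possible truncation attack?
[27.06.11 13:16:02:114 CEST] 0000006e SystemOut     O WebContainer : 7, called closeInbound()
[27.06.11 13:16:02:115 CEST] 0000006e SystemOut     O WebContainer : 7, fatal error: 80: Inbound closed before receiving peer's close_notify: possible truncation attack?
[27.06.11 13:16:05:300 CEST] 0000006d SystemOut     O WebContainer : 5, called closeInbound()
[27.06.11 13:16:05:301 CEST] 0000006d SystemOut     O WebContainer : 5, called closeOutbound()
"""

# Optional "[timestamp] threadid SystemOut O " prefix in front of the trace text.
PREFIX = re.compile(r"^\[[^\]]+\]\s+[0-9a-f]{8}\s+SystemOut\s+O\s+")
# "<thread name>, called closeInbound()" or "<thread name>, fatal error: <code>: <msg>"
EVENT = re.compile(
    r"^(?P<thread>[^,]+), (?P<what>called closeInbound\(\)|fatal error: (?P<code>\d+): (?P<msg>.*))$"
)
MARKER = "Inbound closed before receiving peer's close_notify"


def triage(log_text):
    """Count, per thread, inbound closes that raised the alert versus clean ones."""
    pending = set()  # threads with a closeInbound() whose outcome is not yet known
    invalidating, clean = Counter(), Counter()
    for raw in log_text.splitlines():
        match = EVENT.match(PREFIX.sub("", raw.strip()))
        if not match:
            continue  # exception text, closeOutbound() and unrelated lines
        thread = match.group("thread")
        if match.group("what").startswith("called closeInbound"):
            if thread in pending:
                clean[thread] += 1  # the earlier close finished without the alert
            pending.add(thread)
        elif MARKER in match.group("msg") and thread in pending:
            pending.discard(thread)
            invalidating[thread] += 1  # this close invalidated the SSLSession
    for thread in pending:
        clean[thread] += 1  # log ended with no alert for this close
    return {"invalidating": dict(invalidating), "clean": dict(clean)}


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

A high `invalidating` count relative to `clean` indicates that sessions are being discarded on close and each new connection pays for a full handshake.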
    

Local fix

Problem summary

  • SSLSessions will not be invalidated and will be resumed when
    peer does not send its close_notify.
    

Problem conclusion

  • This defect will be fixed in:
    6.0.0 SR10
    5.0.0 SR13
    6.0.1 SR1
    .
    Since RFC 2246 is vague regarding whether the initiator of the
    close_notify needs to wait for the peer to send its
    close_notify, SSLEngine will ignore the absence of the peer's
    close_notify and will just close the inbound connection without
    throwing an exception.  This will allow SSLSessions to be
    resumed.
    .
    To obtain the fix:
    Install build 20110631 or later
    

Temporary fix

Comments

APAR Information

  • APAR number

    IV03508

  • Reported component name

    SECURITY

  • Reported component ID

    620700125

  • Reported release

    600

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2011-07-25

  • Closed date

    2011-07-25

  • Last modified date

    2011-07-25

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

    IV03509

Fix information

  • Fixed component name

    SECURITY

  • Fixed component ID

    620700125

Applicable component levels

  • R600 PSY

       UP

  • R260 PSY

       UP


Document Information

Modified date:
07 December 2020