
IV03509: SSLSESSIONS INVALIDATED AND CANNOT BE RESUMED.



APAR status

  • Closed as program error.

Error description

  • Error Message: Description: The server using SSLEngine sends an
    encrypted close_notify alert. If the peer does not respond with
    its own close_notify, a fatal alert of
    javax.net.ssl.SSLException: Inbound closed before receiving
    peer's close_notify: possible truncation attack? is sent. This
    invalidates the SSLSession, so the SSLSession cannot be resumed.
    .
    Stack Trace:
    4488 WebContainer : 5, called closeInbound()
    4489 [27.06.11 13:15:58:906 CEST] 0000006d SystemOut O WebContainer : 5, fatal error: 80: Inbound closed before receiving peer's close_notify: possible truncation attack?
    4490 javax.net.ssl.SSLException: Inbound closed before receiving peer's close_notify: possible truncation attack?
    .
    Performance problem due to SSLSessions not being resumed.
    

Local fix

Problem summary

  • With the fix, SSLSessions will not be invalidated and will be
    resumed when the peer does not send its close_notify.
    

Problem conclusion

  • This defect will be fixed in:
    6.0.0 SR10
    5.0.0 SR13
    6.0.1 SR1
    .
    Since RFC 2246 is vague regarding whether the initiator of the
    close_notify needs to wait for the peer to send its
    close_notify, SSLEngine will ignore the fact that it has not
    received a close_notify and will just close the inbound
    connection without throwing an exception. This will allow
    SSLSessions to be resumed.
    .
    To obtain the fix:
    Install build 20110631 or later
    

Temporary fix

Comments

APAR Information

  • APAR number

    IV03509

  • Reported component name

    JAVA 5 SECURITY

  • Reported component ID

    620500125

  • Reported release

    500

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2011-07-25

  • Closed date

    2011-07-25

  • Last modified date

    2011-07-25

  • APAR is sysrouted FROM one or more of the following:

    IV03508

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    JAVA 5 SECURITY

  • Fixed component ID

    620500125

Applicable component levels

  • R500 PSY

       UP


Document information

Runtimes for Java Technology

Security


Software version:
5.0


Reference #:
IV03509


Modified date:
2011-07-25
