IBM Support

IV37330: SSLENGINE SHOULD THROW EXCEPTION WHEN KEY SIZE IS INVALID.

Subscribe to this APAR

By subscribing, you receive periodic emails alerting you to the status of the APAR, along with a link to the fix after it becomes available. You can track this item individually or track all items by product.

Notify me when this APAR changes.

Notify me when an APAR for this component changes.

 

APAR status

  • Closed as program error.

Error description

  • Error Message: When key size is invalid during key exchange for
    SSLEngine, exception should be thrown to notice client&server.
    Below is the information from the customer:
    >>>>>>
    Since SSLKeyException is a sub-class of IOException we would
    eventually handle it and print it out somewhere. However, in
    what I saw there would have been no SSLKeyException thrown. We
    are reading the status on the SSLEngine and doing as we are
    asked here:          <OSB>1/29/13 12:25:29:631 EST<CSB> 00000041
    SSLUtils      3   Get ready to decrypt data, netBuf:
    hc=2142338993 pos=0 lim=24576 cap=24576        In this case it's
    attempting to read for more data. Had an exception happened we
    wouldn't have gotten to this point.
    <<<<<<
    This issue can only be reproduced with restricted policy file.
    .
    Stack Trace: N/A
    .
    

Local fix

Problem summary

  • When exception happens during handshake for SSLEngine, the
    exception message will be saved in member "thrown" in Handshaker
    class.
    "thrown" is a private Exception, and there is no public
    interface/method to access it.
    The only way to detect the exception it is to call wrap() or
    unwrap() from the application level.
    

Problem conclusion

  • This defect will be fixed in:
    7.0.0 SR4FP1
    6.0.1 SR5FP1
    6.0.0 SR13FP1
    5.0.0 SR16FP1
    .
    Use fatalSE() to terminate the handshake when exception happens
    for SSLEngine.
    The associated Austin CMVC defect 113536.
    The associated Hursley CMVC defect 196264.
    The fix was delivered for Java 5.0 SR16FP1, Java 6.0 SR13FP1,
    Java 6.26 SR5FP1, and Java 7.0 SR4FP1.
    The fix will be available in ibmjsseprovider2.jar (level
    20130221).
    

Temporary fix

Comments

APAR Information

  • APAR number

    IV37330

  • Reported component name

    SECURITY

  • Reported component ID

    620700125

  • Reported release

    260

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2013-02-27

  • Closed date

    2013-03-11

  • Last modified date

    2013-03-11

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

    IV37331

Fix information

  • Fixed component name

    SECURITY

  • Fixed component ID

    620700125

Applicable component levels

  • R260 PSY

       UP

  • R600 PSY

       UP

[{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSNVBF","label":"Runtimes for Java Technology"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"260","Edition":"","Line of Business":{"code":"LOB36","label":"IBM Automation"}}]

Document Information

Modified date:
07 December 2020