IBM Support

PK05440: DURING AN SSL HANDSHAKE, IF MANY SSL PACKETS ARE READ INTO THE BUFFER THE SSL CHANNEL DATA WERE OVERWRITTEN.


APAR status

  • Closed as program error.

Error description

  • During an SSL handshake, if multiple SSL packets are read into
    the same byteBuffer, the SSL channel has a code path where data
    is overwritten.
    
    Test 1
    http call Works as expected.
    
    
    Test 2
    https (https://pds-rmasync.nis2.national.ncrs.nhs.uk/reliablemessaging/tms)
    call with no truststore or keystore in system properties (keytool)
    SOAP exception: javax.xml.soap.SOAPException: com.ibm.wsspi.channel.framework.exception.ChannelException: com.ibm.wsspi.channel.framework.exception.ChannelException: Invalid trust file name of null
    [05/05/05 09:02:22:675 BST] 000000b2 SystemOut     O java.lang.NullPointerException
                 at nhs.nhais.mhs.SOAPClient.send(SOAPClient.java:99)
    
    
    Test 3
    https (https://pds-rmasync.nis2.national.ncrs.nhs.uk/reliablemessaging/tms)
    call with only truststore system property (keytool)
    SOAP exception: javax.xml.soap.SOAPException: com.ibm.wsspi.channel.framework.exception.ChannelException: com.ibm.wsspi.channel.framework.exception.ChannelException: No key store specified and no hardware crypto defined
    [05/05/05 09:04:07:175 BST] 000000b3 SystemOut     O java.lang.NullPointerException
    
    
    
    Test 4
    https call (https://pds-rmasync.nis2.national.ncrs.nhs.uk/reliablemessaging/tms)
    with truststore and keystore system property set using keytool generated keystores
    [05/05/05 09:07:28:084 BST] 000000cf WSChannelFram A   CHFW0019I: The Transport Channel Service has started chain httpclient-https-chain:pds-rmasync.nis2.national.ncrs.nhs.uk:443:/usr/keystore/nhsstore.
    [05/05/05 09:07:28:116 BST] 000000cf WSChannelFram A   CHFW0019I: The Transport Channel Service has started chain httpclient-https-chain:pds-rmasync.nis2.national.ncrs.nhs.uk:443:/usr/keystore/nhsstore.
    [05/05/05 09:09:26:713 BST] 00000015 TimeoutManage I   WTRN0006W: Transaction
    00000103ABE514EF0000000100000021140442B15C53BEB0E6551AB0D325A3DE
    AEB51248
    00000103ABE514EF0000000100000021140442B15C53BEB0E6551AB0D325A3DE
    AEB51248
    00000001 has timed out after 120 seconds.
    
    
    Test 5
    Https call (https://nww.diabetes.nhsia.nhs.uk/) (no client authentication required)
    with trust store / keystore set using keytool
    about to send.
    [05/05/05 09:42:29:657 BST] 000000bd WSChannelFram A   CHFW0019I: The Transport Channel Service has started chain httpclient-https-chain:nww.diabetes.nhsia.nhs.uk:443:/usr/keystore/nhsstore.
    [05/05/05 09:42:29:664 BST] 000000bd WSChannelFram A   CHFW0019I: The Transport Channel Service has started chain httpclient-https-chain:nww.diabetes.nhsia.nhs.uk:443:/usr/keystore/nhsstore.
    [05/05/05 09:42:30:186 BST] 000000bd SystemOut     O SOAP exception: javax.xml.soap.SOAPException: javax.net.ssl.SSLException: Handshake terminated SSL engine: CLOSED
    
    
    
    Test 6
    https call (https://nww.diabetes.nhsia.nhs.uk/) (no client authentication required)
    with ikeyman generated keystore (keystore.jks) and truststore.jks
    [05/05/05 09:47:58:261 BST] 000000b4 SystemOut     O about to send.
    [05/05/05 09:47:58:382 BST] 000000b4 WSChannelFram A   CHFW0019I: The Transport Channel Service has started chain httpclient-https-chain:nww.diabetes.nhsia.nhs.uk:443:/usr/keystore/keystore.jks.
    [05/05/05 09:47:58:391 BST] 000000b4 WSChannelFram A   CHFW0019I: The Transport Channel Service has started chain httpclient-https-chain:nww.diabetes.nhsia.nhs.uk:443:/usr/keystore/keystore.jks.
    [05/05/05 09:47:58:528 BST] 000000b4 SystemOut     O SOAP exception: javax.xml.soap.SOAPException: java.lang.StringIndexOutOfBoundsException: String index out of range: -2
    [05/05/05 09:47:58:529 BST] 000000b4 SystemOut     O java.lang.NullPointerException
    at nhs.nhais.mhs.SOAPClient.send(SOAPClient.java:102)

    Expected result as this url does not host a web service and this
    line (102) refers to SOAPMessage.getSOAPBody()
    

Local fix

  • APAR required
    

Problem summary

  • ****************************************************************
    * USERS AFFECTED: WebSphere Application Server version 6 users *
    *                 of the SSL channel for outbound connections. *
    ****************************************************************
    * PROBLEM DESCRIPTION: If the SSL handshake involves multiple  *
    *                      reads, then there is data corruption    *
    *                      and the handshake fails, usually with   *
    *                      a NullPointerException.                 *
    ****************************************************************
    * RECOMMENDATION:                                              *
    ****************************************************************
    On secondary reads for handshake response data, the return
    information is overlapping with the first information read.
    This leads to errors in the JSSE engine, which then lead to
    errors in the SSL channel itself.
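
The overlap described above can be reproduced with a plain java.nio.ByteBuffer when a handshake record is split across two network reads. This is an added example, not IBM's code or part of the APAR: the class name HandshakeBufferDemo, the constructed record bytes, and the use of clear() to model the defect are assumptions for illustration.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;

public class HandshakeBufferDemo {
    // Constructed sample: two TLS handshake records (type 22, version 3.1).
    static final byte[] READ_1 = {22, 3, 1, 0, 2, 'A', 'B', 22, 3, 1}; // record 1 + start of record 2
    static final byte[] READ_2 = {0, 3, 'C', 'D', 'E'};                // rest of record 2

    // Consume each complete record from buf (in read mode); leave a partial one unread.
    static void drain(ByteBuffer buf, List<String> out) {
        while (buf.remaining() >= 5) {
            int p = buf.position();
            int type = buf.get(p);
            if (type < 20 || type > 23)
                throw new IllegalStateException("corrupt record header, type=" + type);
            int len = ((buf.get(p + 3) & 0xff) << 8) | (buf.get(p + 4) & 0xff);
            if (buf.remaining() < 5 + len) return;   // underflow: wait for another read
            byte[] body = new byte[len];
            buf.position(p + 5);
            buf.get(body);
            out.add(new String(body, StandardCharsets.US_ASCII));
        }
    }

    // preserveUnread=false models the defect class (an assumption about its shape):
    // the secondary read lands on top of bytes that were not yet consumed.
    static List<String> receive(boolean preserveUnread, byte[]... reads) {
        ByteBuffer buf = ByteBuffer.allocate(64);
        List<String> records = new ArrayList<>();
        for (byte[] chunk : reads) {
            buf.put(chunk);                      // stands in for channel.read(buf)
            buf.flip();
            drain(buf, records);
            if (preserveUnread) buf.compact();   // keep the partial record, append after it
            else buf.clear();                    // position reset to 0: partial record lost
        }
        return records;
    }

    public static void main(String[] args) {
        System.out.println("compact(): " + receive(true, READ_1, READ_2));
        try {
            receive(false, READ_1, READ_2);
        } catch (IllegalStateException e) {
            System.out.println("clear():   " + e.getMessage());
        }
    }
}
```

With compact() both record bodies are recovered; with clear() the tail of the second record is parsed as if it were a record header, which is the kind of malformed input that surfaces as an engine error during the handshake.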
    

Problem conclusion

  • The buffer management has been fixed to handle multiple reads
    occurring during the SSL handshake sequence.
    
    
    The fix for this APAR is currently targeted for inclusion
    in 6.0.2.
    Please refer to the recommended updates page for delivery
    information:
    http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
    

Temporary fix

Comments

APAR Information

  • APAR number

    PK05440

  • Reported component name

    WEBS APP SERV N

  • Reported component ID

    5724H8800

  • Reported release

    60I

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2005-05-09

  • Closed date

    2005-06-15

  • Last modified date

    2005-06-15

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Modules/Macros

  • CHANNEL
    

Fix information

  • Fixed component name

    WEBS APP SERV N

  • Fixed component ID

    5724H8800

Applicable component levels

  • R60A PSY

       UP

  • R60H PSY

       UP

  • R60I PSY

       UP

  • R60P PSY

       UP

  • R60S PSY

       UP

  • R60W PSY

       UP

  • R60Z PSY

       UP


Document Information

Modified date:
19 October 2021