SSL SOCKET MAY PREMATURELY CLOSE AT END OF SESSION


 
 APAR Identifier ...... PH01192      Last Changed ........ 18/09/12            
 SSL SOCKET MAY PREMATURELY CLOSE AT END OF SESSION                            
                                                                               
 Symptom ...... IN INCORROUT         Status ........... CLOSED  PER            
 Severity ................... 3      Date Closed ......... 18/09/06            
 Component .......... 5735FAL00      Duplicate of ........                     
 Reported Release ......... 640      Fixed Release ............ 999            
 Component Name TCP/IP FOR Z/VM      Special Notice                            
 Current Target Date ..              Flags                                     
 SCP ...................                                                       
 Platform ............                                                         
                                                                               
 Status Detail: SHIPMENT - Packaged solution is available for                  
                           shipment.                                           
                                                                               
 PE PTF List:                                                                  
                                                                               
 PTF List:                                                                     
 Release 640   : UI58351 available 18/09/12 (1000 )                            
 Release 710   : UI58352 available 18/09/12 (1000 )                            
                                                                               
 Parent APAR:                                                                  
 Child APAR list:                                                              
                                                                               
 ERROR DESCRIPTION:                                                            
 A secure connection may prematurely close when a client or                    
 server follows a close_notify with an immediate RST.                          
                                                                               
 LOCAL FIX:                                                                    
 N/A                                                                           
                                                                               
 PROBLEM SUMMARY:                                                              
 ****************************************************************              
 * USERS AFFECTED: All users of z/VM TCP/IP                     *              
 ****************************************************************              
 * PROBLEM DESCRIPTION:                                         *              
 ****************************************************************              
 * RECOMMENDATION: APPLY PTF                                    *              
 ****************************************************************              
 When a secure connection is closed, a close_notify command is                 
 issued to close the secure tunnel.  Both sides of the connection              
 issue a close_notify so that they both know when data is                      
 flowing in the clear.  If a client/server doesn't care about                  
 the connection after the close_notify is issued, they may                     
 issue an immediate RST before receiving the close_notify                      
 from the partner.  In this case, the SSL connection to the                    
 partner may be closed before all of the data has been                         
 delivered.                                                                    
                                                                               
 PROBLEM CONCLUSION:                                                           
 The code in TCPUP PASCAL has been modified to check if a RST is               
 being done for one half of an SSL secured connection.  If the                 
 original connection was in the ESTABLISHED state, the RST is                  
 done immediately.  If it is not in the ESTABLISHED state, the                 
 RST is delayed until all of the data has been delivered.                      
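
 Added example, not IBM's TCPUP PASCAL code: a small Python model of the
 rule described above, run once without and once with the delayed RST.
 The state name FIN_WAIT_1, the segment contents, the pre-fix behaviour
 (RST always immediate) and applying the state check to the half being
 reset are assumptions made for illustration.

```python
from collections import deque
from dataclasses import dataclass, field


@dataclass
class Half:
    """One half of an SSL-secured connection (constructed model, not z/VM code)."""
    state: str = "ESTABLISHED"                     # TCP state when the RST is requested
    pending: deque = field(default_factory=deque)  # queued, not yet delivered
    delivered: list = field(default_factory=list)
    reset_pending: bool = False
    closed: bool = False

    def deliver_one(self):
        """Deliver one queued segment; complete a deferred RST once drained."""
        if self.closed or not self.pending:
            return
        self.delivered.append(self.pending.popleft())
        if self.reset_pending and not self.pending:
            self._reset()

    def _reset(self):
        self.pending.clear()   # a reset discards whatever is still queued
        self.closed = True

    def request_rst(self, delay_when_not_established):
        """False models the assumed pre-fix behaviour, True the rule in the APAR text."""
        immediate = (self.state == "ESTABLISHED"
                     or not delay_when_not_established
                     or not self.pending)
        if immediate:
            self._reset()
        else:
            self.reset_pending = True   # hold the RST until the queue is empty


def run(state, segments, delay_when_not_established):
    """Return what the partner received before the connection was reset."""
    half = Half(state=state, pending=deque(segments))
    half.deliver_one()                  # one segment gets out before the RST request
    half.request_rst(delay_when_not_established)
    while not half.closed:
        half.deliver_one()
    return half.delivered


# Constructed sample: two data records followed by the close_notify.
SEGMENTS = [b"rec1", b"rec2", b"close_notify"]
if __name__ == "__main__":
    print("immediate RST:", run("FIN_WAIT_1", SEGMENTS, False))
    print("delayed RST:  ", run("FIN_WAIT_1", SEGMENTS, True))
```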
                                                                               
 TEMPORARY FIX:                                                                
                                                                               
 COMMENTS:                                                                     
                                                                               
 MODULES/MACROS:                                                               
 CMNETST  FPIPDOW  FPI6DOW  FPNOTIF  FPQUEUE  FPROUND  FPSCHED                 
 FPSOCKRE FPTCPDOW FPTCPREQ FPTCPUP  FPUTIL   F6TCPDOW F6TCPREQ                
 F6TCPUP  TCACB    TCBASTY  TCMIB    TCMON    TCPARSE  TCPEQUAT                
 TCPIP    TCPRINT  TCPSSL   TCPUP    TCQUEUE  TCTCB    TCUTIL                  
                                                                               
 SRLS:                                                                         
 NONE                                                                          
                                                                               
 RTN CODES:                                                                    
                                                                               
 CIRCUMVENTION:                                                                
                                                                               
 MESSAGE TO SUBMITTER: