USING AT-TLS AND RESETCIPHERTIMER SET TO A NON ZERO VALUE CAN CAUSE ABEND 0C4
APAR Identifier: PI06358
Last Changed: 14/06/17
Symptom: AB ABENDxxx
Status: CLOSED PER
Severity: 2
Date Closed: 13/11/24
Component: 5735FAL00
Duplicate of:
Reported Release: 630
Fixed Release: 999
Component Name: TCP/IP V2 FOR V
Special Notice:
Current Target Date:
Flags:
SCP:
Platform:

Status Detail: SHIPMENT - Packaged solution is available for shipment.

PE PTF List:
PTF List:
Parent APAR: OA42741
Child APAR list:

ERROR DESCRIPTION:
Using AT-TLS with ResetCipherTimer set to a non-zero value has caused 0C4 ABENDs.

LOCAL FIX:
Set the ResetCipherTimer to zero and restart all of the connections.

PROBLEM SUMMARY:

USERS AFFECTED:
Users of cryptographic services in z/VM System SSL.

PROBLEM DESCRIPTION:
If using AT-TLS (Application Transparent - Transport Layer Security), an 0C4 abend may occur while doing a TLS renegotiation of an existing client session for which a full handshake is required. Possible reasons for a full handshake are client session id caching not being enabled or the client's session id cache entry no longer being in the cache (i.e. expiration).

While a TLS client session renegotiation is in progress, if the GSK_CONNECT_CIPHER_SPEC attribute is specified on the invocation of the gsk_attribute_get_buffer() API, a -2 length can be returned. For AT-TLS, the returned -2 length value causes storage to be overlaid, leading to 0C4 abends.

The -2 length value may also occur with any System SSL application that is using the gsk_attribute_get_buffer() API to obtain the GSK_CONNECT_CIPHER_SPEC value while a client TLS renegotiation is in progress.

RECOMMENDATION:
APPLY PTF

Internally in the System SSL code, when a TLS client renegotiation is in progress, the first byte of the cipher that was previously negotiated is set to '\0'. If the gsk_attribute_get_buffer() API is called with the GSK_CONNECT_CIPHER_SPEC attribute specified during this time and 2-byte ciphers are in use, the code does a "strlen() - 2" to calculate the length. In this particular case, strlen() returns zero (0), and subtracting 2 results in the gsk_attribute_get_buffer() API returning the -2 length.

PROBLEM CONCLUSION:
The gsk_attribute_get_buffer() API has been updated to properly calculate the GSK_CONNECT_CIPHER_SPEC value length. The API will now return a zero length string and length of 0 (zero).

TEMPORARY FIX:

COMMENTS:

MODULES/MACROS:
GSKCMS31 GSKC31 GSKC31F GSKKYMAN GSKMSGA GSKMSGS GSKSSL GSKSUS31 GSKS31 GSKS31F GSKTRACE

SRLS: NONE

RTN CODES:

CIRCUMVENTION:

MESSAGE TO SUBMITTER:
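
ADDED EXAMPLE (not part of the APAR and not System SSL or AT-TLS source): a C model of the "strlen() - 2" length calculation described above, shown beside a corrected form and a caller-side length check. The function names, the sample field value and the size_t conversion shown as one way a negative length can overlay storage are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Model of the calculation the APAR describes: strlen() - 2.
 * Hypothetical name; not the System SSL implementation. */
static int spec_len_flawed(const char *stored)
{
    return (int)strlen(stored) - 2;      /* empty string yields -2 */
}

/* Corrected form: an empty (or too short) value yields length 0. */
static int spec_len_fixed(const char *stored)
{
    size_t n = strlen(stored);
    return n < 2 ? 0 : (int)(n - 2);
}

/* Caller-side guard: reject negative or oversized lengths before copying.
 * Returns 0 on success, -1 if the length is rejected. */
static int copy_spec(char *dst, size_t dst_size, const char *src, int len)
{
    if (len < 0 || (size_t)len >= dst_size)
        return -1;
    memcpy(dst, src, (size_t)len);
    dst[len] = '\0';
    return 0;
}

int main(void)
{
    /* Constructed placeholder; the APAR does not give the field layout. */
    char stored[] = "XX002F";
    char out[16];

    printf("normal:        flawed=%d fixed=%d\n",
           spec_len_flawed(stored), spec_len_fixed(stored));

    stored[0] = '\0';   /* first byte zeroed during renegotiation, per the APAR */
    int bad = spec_len_flawed(stored);
    printf("renegotiating: flawed=%d fixed=%d\n", bad, spec_len_fixed(stored));
    /* Assumed failure mode: a caller that uses the length as a size. */
    printf("-2 as size_t:  %zu\n", (size_t)bad);
    printf("guard on -2:   %d\n", copy_spec(out, sizeof out, stored, bad));
    printf("guard on 0:    %d\n",
           copy_spec(out, sizeof out, stored, spec_len_fixed(stored)));
    return 0;
}
```

Callers that cannot apply the PTF immediately can use the same kind of check on any returned length before using it as a copy size.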