USING AT-TLS AND RESETCIPHERTIMER SET TO A NON ZERO VALUE CAN
CAUSE ABEND 0C4
APAR Identifier ...... PI06358 Last Changed ........ 14/06/17
USING AT-TLS AND RESETCIPHERTIMER SET TO A NON ZERO VALUE CAN
CAUSE ABEND 0C4
Symptom ...... AB ABENDxxx Status ........... CLOSED PER
Severity ................... 2 Date Closed ......... 13/11/24
Component .......... 5735FAL00 Duplicate of ........
Reported Release ......... 630 Fixed Release ............ 999
Component Name TCP/IP V2 FOR V Special Notice
Current Target Date .. Flags
SCP ...................
Platform ............
Status Detail: SHIPMENT - Packaged solution is available for
shipment.
PE PTF List:
PTF List:
Parent APAR: OA42741
Child APAR list:
ERROR DESCRIPTION:
Using AT-TLS and ResetCipherTimer set to a non zero value has
caused 0C4 ABENDs.
LOCAL FIX:
Set the ResetCipherTimer to zero and restart all of the
connections.
PROBLEM SUMMARY:
****************************************************************
* USERS AFFECTED: Users of cryptographic services in z/VM *
* System SSL. *
****************************************************************
* PROBLEM DESCRIPTION: If using AT-TLS (Application *
* Transparent - Transport Layer *
* Security), an 0C4 abend may occur while *
* doing an TLS renegotiation of an *
* existing client session for which a *
* full handshake is required. Possible *
* reasons for a full handshake are client *
* session id caching not enabled or the *
* client's session id cache entry no *
* longer being in the cache (ie. *
* expiration). *
* *
* While an TLS client session *
* renegotiation is in progress, if the *
* GSK_CONNECT_CIPHER_SPEC attribute is *
* specified on the invocation of the *
* gsk_attribute_get_buffer() API, a -2 *
* length can be returned. For AT-TLS, the *
* returned -2 length value causes storage *
* to be overlayed leading to 0C4 abends. *
* *
* The -2 length value may also occur with *
* any System SSL application that is *
* using the gsk_attribute_get_buffer() *
* API to obtain the *
* GSK_CONNECT_CIPHER_SPEC value while a *
* client TLS renegotiation is in *
* progress. *
****************************************************************
* RECOMMENDATION: APPLY PTF *
****************************************************************
Internally in the System SSL code when a TLS client
renegotiation is in progress, the first byte of the cipher that
was previously negotiated is set to a '\0'.
If the gsk_attribute_get_buffer() API is called with the
GSK_CONNECT_CIPHER_SPEC attribute specified during this time and
2-byte ciphers are in use, the code does a "strlen() - 2" to
calculate the length. In this particular case, the strlen() will
return a zero (0) and the minus 2, results in the
gsk_attribute_get_buffer() API returning the -2 length.
PROBLEM CONCLUSION:
The gsk_attribute_get_buffer() API has been updated to properly
calculate the GSK_CONNECT_CIPHER_SPEC value length. The API will
now return a zero length string and length of 0 (zero).
TEMPORARY FIX:
COMMENTS:
MODULES/MACROS: GSKCMS31 GSKC31 GSKC31F GSKKYMAN GSKMSGA
GSKMSGS GSKSSL GSKSUS31 GSKS31 GSKS31F GSKTRACE
SRLS: NONE
RTN CODES:
CIRCUMVENTION:
MESSAGE TO SUBMITTER: