PEPK97438 SSL SESSIONS NOT CLOSED DUE TO UNEXPECTED DATA


 
 APAR Identifier ...... PM40046      Last Changed ........ 11/12/20
 
 Symptom ...... IN INCORROUT         Status ........... CLOSED  PER
 Severity ................... 3      Date Closed ......... 11/06/20
 Component .......... 5735FAL00      Duplicate of ........
 Reported Release ......... 540      Fixed Release ............ 999
 Component Name TCP/IP V2 FOR V      Special Notice
 Current Target Date ..11/08/20      Flags
 SCP ...................
 Platform ............
 
 Status Detail: SHIPMENT - Packaged solution is available for
                           shipment.
 
 PE PTF List:
 
 PTF List:
 Release 540   : UK68939 available 11/06/20 (1102 )
 Release 610   : UK68940 available 11/06/20 (1102 )
 
 Parent APAR:
 Child APAR list:
 
 ERROR DESCRIPTION:
 After use of a LOGOFF command within a secured Telnet session,
 the subject client emulator session is seen to hang.  When this
 situation occurs, the SSL server likely reports the following
 error:
 
  DTCSSL107E Internal error: unexpected data (8 bytes:
             "xxxxxxxx") from SSL socket read while shutdown:
             expected "CONN CLOSED"
 
 The reported data (xxxxxxxx) can vary, but is most often
 similar to "'3&"3&  " (where some data cannot be displayed).
 
 A comparison of NETSTAT CONN results (acquired when the
 connection is established, then after the LOGOFF command has
 been processed) shows the (Telnet) SSL server-to-application
 connection as closed, while the SSL server-to-client (emulator
 host) connection remains in place.
 
 LOCAL FIX:
 None.
 
 PROBLEM SUMMARY:
 ****************************************************************
 * USERS AFFECTED: Users of some 3270 Emulator products,        *
 *                 namely those that fail to cleanly shut down  *
 *                 the SSL session when shutdown is initiated   *
 *                 from the server side of a secure connection. *
 ****************************************************************
 * PROBLEM DESCRIPTION: When a user types 'LOGOFF' in the       *
 *                      terminal emulator during an SSL telnet  *
 *                      session, and the Telnet server          *
 *                      terminates the connection, the SSL      *
 *                      server tries to shut down the SSL       *
 *                      session, waits for the client to        *
 *                      acknowledge the SSL shutdown, and then  *
 *                      terminates the TCP session. If the      *
 *                      terminal emulator fails to acknowledge  *
 *                      the SSL shutdown, the TCP session       *
 *                      between the emulator and the VM SSL     *
 *                      server remains active, and appears      *
 *                      "hung" to the user. The user sees the   *
 *                      last text sent by the Telnet server     *
 *                      (which happens to be "Press ENTER or    *
 *                      any key to continue") on the screen,    *
 *                      but there is no reaction to key         *
 *                      presses. At this point, a "Disconnect"  *
 *                      operation in the emulator will clean    *
 *                      up this condition.                      *
 ****************************************************************
 * RECOMMENDATION: APPLY PTF                                    *
 ****************************************************************
 The SSL server fails to terminate sessions with 3270 emulators
 that fail to acknowledge the SSL shutdown request.
 
 PROBLEM CONCLUSION:
 This APAR is a PE of PK97438.
 The SSL server code was changed so that if the local
 application (Telnet server) closes the connection, shutdown of
 the SSL session is performed immediately, without waiting for
 the remote party to acknowledge the shutdown. The TCP session
 is then closed immediately as well. For the described problem,
 these changes make the connection close behavior of the SSL
 server comparable with that of prior levels of the server.
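
 The two close behaviours described above, as a simplified model added
 here for illustration; it is not IBM's SSL server code. It assumes a
 local socket pair and a plaintext marker in place of a real TLS session,
 and the function names, outcome labels and timeout are hypothetical.

```python
import socket

# Plaintext stand-in for the TLS close_notify alert record (in a real session
# the alert is encrypted); it only marks the event in this model.
CLOSE_NOTIFY = bytes([0x15, 0x03, 0x03, 0x00, 0x02, 0x01, 0x00])

def server_shutdown(conn, wait_for_peer, timeout=0.3):
    """Server side of the close after the local application has gone away.
    Returns (outcome, tcp_closed)."""
    conn.sendall(CLOSE_NOTIFY)
    if not wait_for_peer:              # behaviour after the change
        conn.close()
        return "closed-immediately", True
    conn.settimeout(timeout)           # bounded only so the model terminates
    try:
        data = conn.recv(64)
    except socket.timeout:
        return "no-acknowledgement", False
    if data in (CLOSE_NOTIFY, b""):    # acknowledgement, or peer closed TCP itself
        conn.close()
        return ("acknowledged" if data else "peer-closed"), True
    return "unexpected-data", False    # the case the error message reports

def emulator_sees_close(emulator, timeout=0.3):
    """True if the emulator side observes the connection ending."""
    emulator.settimeout(timeout)
    try:
        while emulator.recv(64):
            pass
        return True
    except ConnectionResetError:       # server closed with unread data pending
        return True
    except socket.timeout:
        return False                   # connection still up: the "hung" screen

def simulate(peer_reply, wait_for_peer):
    """peer_reply: bytes the emulator sends at shutdown, or None for silence."""
    server, emulator = socket.socketpair()
    try:
        if peer_reply is not None:
            emulator.sendall(peer_reply)
        outcome, _ = server_shutdown(server, wait_for_peer)
        return outcome, emulator_sees_close(emulator)
    finally:
        server.close()
        emulator.close()

if __name__ == "__main__":
    for reply in (CLOSE_NOTIFY, None, b"\x00" * 8):  # last: constructed non-alert reply
        print(reply, [simulate(reply, w) for w in (True, False)])
```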
 
 TEMPORARY FIX:
 
 COMMENTS:
 
 MODULES/MACROS:   SSLGSKCF SSLSERV
 
 SRLS:      NONE
 
 RTN CODES:
 
 CIRCUMVENTION:
 Disconnecting the session in the terminal emulator (e.g.
 pressing a "Disconnect" button) should return the emulator
 and connections to their proper state.
 
 MESSAGE TO SUBMITTER: