TCPIP ASSERTION ERRORS AND LOSS OF SSL CONNECTIVITY


 
 APAR Identifier ...... PM77039      Last Changed ........ 13/12/30
 TCPIP ASSERTION ERRORS AND LOSS OF SSL CONNECTIVITY
 
 Symptom ...... IN INCORROUT         Status ........... CLOSED  PER
 Severity ................... 2      Date Closed ......... 13/03/04
 Component .......... 5735FAL00      Duplicate of ........
 Reported Release ......... 540      Fixed Release ............ 999
 Component Name TCP/IP V2 FOR V      Special Notice           HIPER
 Current Target Date ..              Flags
 SCP ...................               FUNCTIONLOSS
 Platform ............
 
 Status Detail: SHIPMENT - Packaged solution is available for
                           shipment.
 
 PE PTF List:
 
 PTF List:
 Release 540   : UK92193 available 13/03/06 (1301 )
 Release 610   : UK92194 available 13/03/06 (1000 )
 Release 620   : UK92195 available 13/03/06 (1302 )
 
 Parent APAR:
 Child APAR list:
 
 ERROR DESCRIPTION:
 When being probed by port scanning software, the following
 assertion errors may appear on the TCPIP console, followed
 by a loss of SSL connectivity.  Non-secure telnet sessions
 work, but secured connections do not.
 .
 AMPX036I ASSERTION FAILURE CHECKING ERROR
 TRACE BACK OF CALLED ROUTINES
 ROUTINE                    STMT AT ADDRESS IN MODULE
 SKSSLCON                     49    00D018E8   TCPSSL
 DOSSLCONNECT                 14    00DDACB4   SOCKREQ
 DOBINDORCONNECT              14    00DDAE3E   SOCKREQ
 SPROCESSPENDMSG              86    00DDD1E4   SOCKREQ
 SockRequ                    170    00E17C1C
 Schedule                   2082    00CD1F14
 <MAIN-PROGRAM>               14    00C0C1FE   TCPIP
 VSPASCAL                           00E47DF2
 
 LOCAL FIX:
 
 PROBLEM SUMMARY:
 ****************************************************************
 * USERS AFFECTED: All users of the z/VM TCP/IP SSL (Secure     *
 *                 Socket Layer) server that do dynamic         *
 *                 SSL/TLS (Transport Layer Security)           *
 ****************************************************************
 * PROBLEM DESCRIPTION:                                         *
 ****************************************************************
 * RECOMMENDATION: APPLY PTF                                    *
 ****************************************************************
 When being probed by port scanning software, the following
 assertion errors may appear on the TCPIP console, followed
 by a loss of SSL connectivity.  Non-secure telnet sessions
 work, but secured connections do not.
 .
   AMPX036I ASSERTION FAILURE CHECKING ERROR
         TRACE BACK OF CALLED ROUTINES
    ROUTINE                    STMT AT ADDRESS IN MODULE
    SKSSLCON                     49    00D018E8   TCPSSL
    DOSSLCONNECT                 14    00DDACB4   SOCKREQ
    DOBINDORCONNECT              14    00DDAE3E   SOCKREQ
    SPROCESSPENDMSG              86    00DDD1E4   SOCKREQ
    SockRequ                    170    00E17C1C
    Schedule                   2082    00CD1F14
    <MAIN-PROGRAM>               14    00C0C1FE   TCPIP
    VSPASCAL                           00E47DF2
 
 PROBLEM CONCLUSION:
 In part TCPSSL PASCAL, both the SkSslAcc routine (which
 handles accept processing) and the SkSslCon routine (which
 handles connect processing) have been updated to handle this
 error condition better.  The code now detects that it has no
 pointer to the SSL TCB and fails the connection attempt from
 the port scanner cleanly, rather than just issuing an
 assertion error and continuing (which eventually caused all
 future secure connection attempts to fail).  With these
 updates, the code also displays one of two new error messages
 (documented below) on the TCPIP console log any time this
 error occurs.
 .
 ---------------------------------------------------------------
 .
 The two new error messages will be documented in Chapter 19
 (TCP/IP Server Messages), Section 19.2 (Numbered Messages)
 of the TCP/IP Messages and Codes manual (SRL GC24-6237-03)
 as follows:
 .
   DTCSSL055I SkSslAcc: TCB #1001 (AcceptTcb) has SslServ=nil,
              connection will be rejected
   .
   EXPLANATION:  An error occurred while TCP/IP was trying to
                 accept a secure connection (possibly due to
                 the client abruptly terminating the connection
                 during secure handshake processing).
   .
   SYSTEM ACTION:  TCP/IP fails the connection attempt.  TCP/IP
                   continues.
   .
   SYSTEM PROGRAMMER RESPONSE:  None.
   -------------------------------------------------------------
   DTCSSL056E SkSslCon: TCB #1006 (SSL_OrigTcb) has SslServ=nil,
              connection will be rejected
   .
   EXPLANATION:  An error occurred while TCP/IP was processing
                 a secure connection attempt (possibly due to
                 the client abruptly terminating the connection
                 during secure handshake processing).
   .
   SYSTEM ACTION:  TCP/IP fails the connection attempt.  TCP/IP
                   continues.
   .
   SYSTEM PROGRAMMER RESPONSE:  None.
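
 Added example (not part of the APAR and not IBM code): a console-log triage
 sketch that tells the pre-PTF signature (AMPX036I with a TCPSSL routine at
 the top of the traceback) from the post-PTF rejections (DTCSSL055I and
 DTCSSL056E). The function names, the assumption that SKSSLACC would appear
 the same way as SKSSLCON, and the sample log assembled from the text above
 are all constructed for illustration.

```python
import re

# Traceback row: routine, optional statement number, 8-hex-digit address, optional module.
FRAME = re.compile(r"^\s*(\S+)\s+(?:(\d+)\s+)?([0-9A-F]{8})(?:\s+(\S+))?\s*$")
# The two post-PTF messages documented in this APAR.
REJECT = re.compile(r"(DTCSSL055I|DTCSSL056E)\s+(SkSslAcc|SkSslCon): TCB #(\d+) \((\w+)\)")
# TCPSSL routines the APAR names; only SKSSLCON is in its traceback, SKSSLACC is assumed.
APAR_ROUTINES = {"SKSSLCON", "SKSSLACC"}

def triage(lines):
    """Return (assertion tracebacks, rejection messages) found in console log lines."""
    assertions, rejections, frames = [], [], None
    for line in lines:
        if "AMPX036I" in line:
            frames = []                       # start collecting a new traceback
            assertions.append(frames)
            continue
        if frames is not None:
            m = FRAME.match(line)
            if m:
                frames.append({"routine": m[1], "stmt": m[2], "addr": m[3], "module": m[4]})
                continue
            if "TRACE BACK" in line or line.split()[:1] == ["ROUTINE"]:
                continue                      # traceback header lines
            frames = None                     # any other line ends the traceback
        m = REJECT.search(line)
        if m:
            rejections.append({"msg": m[1], "routine": m[2], "tcb": int(m[3]), "field": m[4]})
    return assertions, rejections

def matches_pm77039(frames):
    """True when the failing (top) frame is a TCPSSL routine this APAR fixes."""
    top = frames[0] if frames else {}
    return top.get("module") == "TCPSSL" and top.get("routine", "").upper() in APAR_ROUTINES

# Constructed sample: part of the APAR's traceback, then its two new messages.
SAMPLE = """\
AMPX036I ASSERTION FAILURE CHECKING ERROR
TRACE BACK OF CALLED ROUTINES
ROUTINE                    STMT AT ADDRESS IN MODULE
SKSSLCON                     49    00D018E8   TCPSSL
SockRequ                    170    00E17C1C
VSPASCAL                           00E47DF2
DTCSSL055I SkSslAcc: TCB #1001 (AcceptTcb) has SslServ=nil,
           connection will be rejected
DTCSSL056E SkSslCon: TCB #1006 (SSL_OrigTcb) has SslServ=nil,
""".splitlines()
if __name__ == "__main__":
    print([matches_pm77039(f) for f in triage(SAMPLE)[0]], triage(SAMPLE)[1])
```

 An AMPX036I hit that matches points to a system still missing the PTF; the
 DTCSSL05x messages show the fixed code rejecting the connection and continuing.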
 
 TEMPORARY FIX:
 *********
 * HIPER *
 *********
 
 COMMENTS:
 
 MODULES/MACROS:   MSTCP    TCPSSL
 
 SRLS:      GC24623703
 
 RTN CODES:
 
 CIRCUMVENTION:
 
 MESSAGE TO SUBMITTER: