TCPIP ASSERTION ERRORS AND LOSS OF SSL CONNECTIVITY
APAR Identifier: PM77039
Last Changed: 13/12/30
Symptom: IN INCORROUT
Status: CLOSED PER
Severity: 2
Date Closed: 13/03/04
Component: 5735FAL00
Duplicate of:
Reported Release: 540
Fixed Release: 999
Component Name: TCP/IP V2 FOR V
Special Notice: HIPER
Current Target Date:
Flags: FUNCTIONLOSS
SCP:
Platform:

Status Detail: SHIPMENT - Packaged solution is available for
               shipment.

PE PTF List:

PTF List:
Release 540 : UK92193 available 13/03/06 (1301 )
Release 610 : UK92194 available 13/03/06 (1000 )
Release 620 : UK92195 available 13/03/06 (1302 )

Parent APAR:
Child APAR list:

ERROR DESCRIPTION:
When being probed by port scanning software, the following
assertion errors may appear on the TCPIP console, followed by a
loss of SSL connectivity. Non-secure telnet sessions work, but
secured connections do not.

AMPX036I ASSERTION FAILURE CHECKING ERROR
TRACE BACK OF CALLED ROUTINES
ROUTINE           STMT AT ADDRESS IN MODULE
SKSSLCON            49   00D018E8   TCPSSL
DOSSLCONNECT        14   00DDACB4   SOCKREQ
DOBINDORCONNECT     14   00DDAE3E   SOCKREQ
SPROCESSPENDMSG     86   00DDD1E4   SOCKREQ
SockRequ           170   00E17C1C
Schedule          2082   00CD1F14
<MAIN-PROGRAM>      14   00C0C1FE   TCPIP
VSPASCAL                 00E47DF2

LOCAL FIX:

PROBLEM SUMMARY:
****************************************************************
* USERS AFFECTED: All users of the z/VM TCP/IP SSL (Secure     *
*                 Socket Layer) server that do dynamic         *
*                 SSL/TLS (Transport Layer Security)           *
****************************************************************
* PROBLEM DESCRIPTION:                                         *
****************************************************************
* RECOMMENDATION: APPLY PTF                                    *
****************************************************************
When being probed by port scanning software, the following
assertion errors may appear on the TCPIP console, followed by a
loss of SSL connectivity. Non-secure telnet sessions work, but
secured connections do not.

AMPX036I ASSERTION FAILURE CHECKING ERROR
TRACE BACK OF CALLED ROUTINES
ROUTINE           STMT AT ADDRESS IN MODULE
SKSSLCON            49   00D018E8   TCPSSL
DOSSLCONNECT        14   00DDACB4   SOCKREQ
DOBINDORCONNECT     14   00DDAE3E   SOCKREQ
SPROCESSPENDMSG     86   00DDD1E4   SOCKREQ
SockRequ           170   00E17C1C
Schedule          2082   00CD1F14
<MAIN-PROGRAM>      14   00C0C1FE   TCPIP
VSPASCAL                 00E47DF2

PROBLEM CONCLUSION:
In part TCPSSL PASCAL, both the SkSslAcc routine (which handles
accept processing) and the SkSslCon routine (which handles
connect processing) have been updated in order to better handle
this error condition. The code will now detect that it has no
pointer to the SSL TCB and will fail the connection attempt from
the port scanner cleanly, rather than just put out an assertion
error and continue on (which was eventually causing all future
secure connection attempts to fail). With these updates, the
code will also display one of two new error messages (documented
below) to the TCPIP console log any time this error occurs.

---------------------------------------------------------------

The two new error messages will be documented in Chapter 19
(TCP/IP Server Messages), Section 19.2 (Numbered Messages) of
the TCP/IP Messages and Codes manual (SRL GC24-6237-03) as
follows:

DTCSSL055I SkSslAcc: TCB #1001 (AcceptTcb) has SslServ=nil,
           connection will be rejected

EXPLANATION: An error occurred while TCP/IP was trying to accept
a secure connection (possibly due to the client abruptly
terminating the connection during secure handshake processing).

SYSTEM ACTION: TCP/IP fails the connection attempt. TCP/IP
continues.

SYSTEM PROGRAMMER RESPONSE: None.

-------------------------------------------------------------

DTCSSL056E SkSslCon: TCB #1006 (SSL_OrigTcb) has SslServ=nil,
           connection will be rejected

EXPLANATION: An error occurred while TCP/IP was processing a
secure connection attempt (possibly due to the client abruptly
terminating the connection during secure handshake processing).

SYSTEM ACTION: TCP/IP fails the connection attempt. TCP/IP
continues.

SYSTEM PROGRAMMER RESPONSE: None.

TEMPORARY FIX:
*********
* HIPER *
*********

COMMENTS:

MODULES/MACROS: MSTCP TCPSSL

SRLS: GC24623703

RTN CODES:

CIRCUMVENTION:

MESSAGE TO SUBMITTER:
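
ADDED EXAMPLE (not part of the APAR and not IBM code): a console-log check that separates the pre-fix symptom (an AMPX036I assertion whose traceback has a frame in module TCPSSL) from the post-fix messages DTCSSL055I and DTCSSL056E. It assumes one console message per line with no timestamp prefix and each message on a single line; the function names and the sample log are constructed for illustration.

```python
import re

# Traceback frame as printed in the APAR: ROUTINE STMT ADDRESS [MODULE]
FRAME = re.compile(r"^\s*(\S+)\s+(\d+)\s+([0-9A-F]{8})(?:\s+(\S+))?\s*$")
# The two messages the PTF introduces, with routine name and TCB number
REJECT = re.compile(r"\b(DTCSSL055I|DTCSSL056E)\s+(SkSslAcc|SkSslCon): TCB #(\d+)")
MAX_TRACE_LINES = 16  # assumption: a traceback fits within this many lines

def _frames(lines, start):
    """Collect (routine, stmt, module) frames following an AMPX036I line."""
    frames = []
    for line in lines[start:start + MAX_TRACE_LINES]:
        m = FRAME.match(line)
        if m:
            frames.append((m.group(1), int(m.group(2)), m.group(4)))
        elif frames or "AMPX036I" in line:
            break  # traceback ended, or a new assertion started
    return frames

def scan_console(lines):
    """Return findings: pre-PTF TCPSSL assertions and post-PTF rejections."""
    findings = []
    for i, line in enumerate(lines):
        m = REJECT.search(line)
        if m:
            findings.append({"kind": "rejected", "msg": m.group(1),
                             "routine": m.group(2), "tcb": int(m.group(3))})
        elif "AMPX036I" in line:
            hit = next((f for f in _frames(lines, i + 1) if f[2] == "TCPSSL"), None)
            if hit:  # only assertions raised inside module TCPSSL are relevant
                findings.append({"kind": "assertion", "routine": hit[0], "stmt": hit[1]})
    return findings

def needs_ptf(findings):
    """An unhandled TCPSSL assertion is the pre-fix symptom the APAR describes."""
    return any(f["kind"] == "assertion" for f in findings)

# Constructed sample: the APAR's traceback followed by both new messages
# (a real log would show one behaviour or the other, not both).
SAMPLE = """AMPX036I ASSERTION FAILURE CHECKING ERROR
TRACE BACK OF CALLED ROUTINES
ROUTINE STMT AT ADDRESS IN MODULE
SKSSLCON 49 00D018E8 TCPSSL
DOSSLCONNECT 14 00DDACB4 SOCKREQ
SockRequ 170 00E17C1C
VSPASCAL 00E47DF2
DTCSSL055I SkSslAcc: TCB #1001 (AcceptTcb) has SslServ=nil, connection will be rejected
DTCSSL056E SkSslCon: TCB #1006 (SSL_OrigTcb) has SslServ=nil, connection will be rejected
""".splitlines()

if __name__ == "__main__":
    for finding in scan_console(SAMPLE):
        print(finding)
```

An "assertion" finding means the server is still running the unfixed code and secure connections may stop working; a "rejected" finding means the fixed code failed a single connection attempt and TCP/IP continued.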