System SSL Storage Leak When Using GSK_RENEGOTIATION_PEER_CERT_CHECK_ON And No Renegotiated Handshake
APAR Identifier ...... PM81589          Last Changed ........ 13/04/10
SYSTEM SSL STORAGE LEAK WHEN USING GSK_RENEGOTIATION_PEER_CERT_CHECK_ON AND NO RENEGOTIATED HANDSHAKE

Symptom ...... IN INCORROUT             Status ........... CLOSED PER
Severity ................... 3          Date Closed ......... 13/01/29
Component .......... 5735FAL00          Duplicate of ........
Reported Release ......... 620          Fixed Release ............ 999
Component Name TCP/IP V2 FOR V          Special Notice
Current Target Date ..                  Flags
SCP ...................
Platform ............

Status Detail: SHIPMENT - Packaged solution is available for shipment.
PE PTF List:

PTF List:
Release 620   : UK91316 available 13/02/01 (1301 )

Parent APAR: OA40836
Child APAR list:

ERROR DESCRIPTION:
System SSL can leak storage when GSK_RENEGOTIATION_PEER_CERT_CHECK is set to ON.

LOCAL FIX:

PROBLEM SUMMARY:
****************************************************************
* USERS AFFECTED: Users of System SSL with the                 *
*                 GSK_RENEGOTIATION_PEER_CERT_CHECK option     *
*                 set to ON.                                   *
****************************************************************
* PROBLEM DESCRIPTION: When performing an SSL V3 or TLS        *
*                      handshake with                          *
*                      GSK_RENEGOTIATION_PEER_CERT_CHECK set   *
*                      to ON, System SSL may fail to free a    *
*                      certificate saved with the intent of    *
*                      checking the peer certificate sent to   *
*                      establish the secure connection.        *
*                                                              *
*                      This results in increased storage       *
*                      consumption, which could lead to an     *
*                      out-of-storage condition.               *
****************************************************************
* RECOMMENDATION: APPLY PTF                                    *
****************************************************************
If the GSK_RENEGOTIATION_PEER_CERT_CHECK option is set to ON and a renegotiated handshake is attempted, System SSL uses the certificate from the existing session to verify that the same certificate is being used to re-establish the current session.

The above error may occur after an initial handshake has completed and the peer certificate has been saved in the System SSL session cache. When the client initiates a subsequent handshake with the same peer, the server may require a full handshake. Since this new full handshake is associated with a new connection rather than the existing session, the peer certificate check is not performed and the saved certificate is never freed.

PROBLEM CONCLUSION:
System SSL has been modified so that the certificate is properly released when the GSK_RENEGOTIATION_PEER_CERT_CHECK option is set to ON and no renegotiation of the current connection has been attempted.

TEMPORARY FIX:

COMMENTS:
**** PE13/04/02 PTF IN ERROR. SEE APAR PM86100 FOR DESCRIPTION

MODULES/MACROS: GSKCMS31 GSKC31 GSKC31F GSKKYMAN GSKMSGA GSKMSGS GSKSSL GSKSUS31 GSKS31 GSKS31F GSKTRACE

SRLS: NONE

RTN CODES:

CIRCUMVENTION:

MESSAGE TO SUBMITTER:
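The ownership problem behind this APAR, as an added illustration that is not IBM's System SSL code: a constructed model in which the peer certificate copy saved for the renegotiation check is freed only on the renegotiation path (the pre-PTF behaviour), beside a close routine that releases it unconditionally (the behaviour the PROBLEM CONCLUSION describes). The types, function names and the subject string are hypothetical.

```c
#include <stdlib.h>
#include <string.h>
/* Constructed model of the leak in APAR PM81589; not IBM System SSL code.
   Conn, Cert, live_certs and the functions below are hypothetical names. */
static int live_certs = 0;           /* certificate copies not yet freed */
typedef struct { char subject[64]; } Cert;
typedef struct {
    int   peer_cert_check_on;        /* GSK_RENEGOTIATION_PEER_CERT_CHECK = ON */
    Cert *saved_peer_cert;           /* copy kept for the renegotiation check */
} Conn;
static Cert *cert_dup(const char *subject) {
    Cert *c = malloc(sizeof *c); if (!c) abort();
    strncpy(c->subject, subject, sizeof c->subject - 1);
    c->subject[sizeof c->subject - 1] = '\0';
    live_certs++;
    return c;
}
static void cert_free(Cert *c) { if (c) { free(c); live_certs--; } }
/* Initial handshake: with the option ON, a copy of the peer certificate is saved. */
static void initial_handshake(Conn *conn, const char *peer_subject) {
    if (conn->peer_cert_check_on)
        conn->saved_peer_cert = cert_dup(peer_subject);
}

/* Renegotiation on the same connection: compare, then release the copy.
   Before the PTF this was the only path on which the copy was freed. */
static int renegotiate(Conn *conn, const char *peer_subject) {
    int same = 1;
    if (conn->saved_peer_cert) {
        same = strcmp(conn->saved_peer_cert->subject, peer_subject) == 0;
        cert_free(conn->saved_peer_cert);
        conn->saved_peer_cert = NULL;
    }
    return same;
}

/* Connection close. fixed=0 models the pre-PTF behaviour: the copy is left
   behind when no renegotiation happened. fixed=1: release it unconditionally. */
static void close_conn(Conn *conn, int fixed) {
    if (fixed) { cert_free(conn->saved_peer_cert); conn->saved_peer_cert = NULL; }
}

/* Copies still live after a connection that handshakes once and never renegotiates. */
static int leaked_after_close(int fixed) {
    Conn conn = { 1, NULL };
    live_certs = 0;
    initial_handshake(&conn, "CN=peer.example");   /* constructed subject */
    close_conn(&conn, fixed);
    return live_certs;
}
```

Counting outstanding copies per closed connection, as live_certs does here, is the same kind of check a storage-growth investigation on a long-running server would make: one leaked copy per full handshake that never renegotiated.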