IBM: TCP/IP for VM

System SSL Storage Leak When Using GSK_RENEGOTIATION_PEER_CERT_CHECK_ON And No Renegotiated Handshake

 
 APAR Identifier ...... PM81589      Last Changed ........ 13/04/10
 SYSTEM SSL STORAGE LEAK WHEN USING GSK_RENEGOTIATION_PEER_CERT_C
 HECK_ON AND NO RENEGOTIATED HANDSHAKE
 
 Symptom ...... IN INCORROUT         Status ........... CLOSED  PER
 Severity ................... 3      Date Closed ......... 13/01/29
 Component .......... 5735FAL00      Duplicate of ........
 Reported Release ......... 620      Fixed Release ............ 999
 Component Name TCP/IP V2 FOR V      Special Notice
 Current Target Date ..              Flags
 SCP ...................
 Platform ............
 
 Status Detail: SHIPMENT - Packaged solution is available for
                           shipment.
 
 PE PTF List:
 
 PTF List:
 Release 620   : UK91316 available 13/02/01 (1301 )
 
 Parent APAR:    OA40836
 Child APAR list:
 
 ERROR DESCRIPTION:
 System SSL can leak storage when GSK_RENEGOTIATION_PEER_CERT_CHE
 CK is set to ON
 
 LOCAL FIX:
 
 PROBLEM SUMMARY:
 ****************************************************************
 * USERS AFFECTED: Users of System SSL with the                 *
 *                 GSK_RENEGOTIATION_PEER_CERT_CHECK option     *
 *                 set to ON.                                   *
 ****************************************************************
 * PROBLEM DESCRIPTION: When performing an SSL V3 or TLS        *
 *                      handshake with                          *
 *                      GSK_RENEGOTIATION_PEER_CERT_CHECK set   *
 *                      to ON System SSL may fail to free a     *
 *                      certificate saved with the intent of    *
 *                      checking the peer certificate sent to   *
 *                      establish the secure connection.        *
 *                                                              *
 *                      This results in increased storage       *
 *                      consumption which could lead to an out  *
 *                      of storage condition.                   *
 ****************************************************************
 * RECOMMENDATION: APPLY PTF                                    *
 ****************************************************************
 If the GSK_RENEGOTIATION_PEER_CERT_CHECK option is set to ON in
 the event that a renegotiated handshake is attempted System SSL
 will use the certificate from the existing session to verify
 that the same certificate is being used to re-establish the
 current session.
 
 The above error may occur after an initial handshake has been
 completed and the peer certificate was saved in the System SSL
 session cache.
 
 When a subsequent handshake is initiated with the same peer by
 the client, the server may require a full handshake to be
 performed. Since this new full handshake is associated with a
 new connection and not an existing session, checking of the peer
 certificate will not be performed and the saved certificate will
 not be freed.
 
 PROBLEM CONCLUSION:
 System SSL has been modified so that the certificate is properly
 released when the GSK_RENEGOTIATION_PEER_CERT_CHECK option is
 set to ON and no renegotiation of the current connection has
 been attempted.
 
 TEMPORARY FIX:
 
 COMMENTS:
  **** PE13/04/02 PTF IN ERROR. SEE APAR PM86100  FOR DESCRIPTION
 
 MODULES/MACROS:   GSKCMS31 GSKC31   GSKC31F  GSKKYMAN GSKMSGA
 GSKMSGS  GSKSSL   GSKSUS31 GSKS31   GSKS31F  GSKTRACE
 
 SRLS:      NONE
 
 RTN CODES:
 
 CIRCUMVENTION:
 
 MESSAGE TO SUBMITTER: