TCPIP Assertion Errors and Loss of SSL Connectivity


 
 APAR Identifier ...... PM90851      Last Changed ........ 15/02/16
 TCPIP ASSERTION ERRORS FOLLOWED BY LOSS OF SSL CONNECTIVITY
 
 Symptom ...... IN INCORROUT         Status ........... CLOSED  PER
 Severity ................... 2      Date Closed ......... 13/06/25
 Component .......... 5735FAL00      Duplicate of ........
 Reported Release ......... 630      Fixed Release ............ 999
 Component Name TCP/IP V2 FOR V      Special Notice
 Current Target Date ..              Flags
 SCP ...................
 Platform ............
 
 Status Detail: SHIPMENT - Packaged solution is available for
                           shipment.
 
 PE PTF List:
 
 PTF List:
 Release 630   : UK95468 available 15/01/07 (1501 )
 
 Parent APAR:
 Child APAR list:
 
 ERROR DESCRIPTION:
 When being probed by port scanning software, the following
 assertion error may appear on the TCPIP console, followed
 by a loss of SSL connectivity.  Non-secure telnet sessions
 continue to work, but secure connections do not.
 .
   AMPX036I ASSERTION FAILURE CHECKING ERROR
         TRACE BACK OF CALLED ROUTINES
    ROUTINE                     STMT AT ADDRESS IN MODULE
    VSKSSLCON                     56    00D0193E   T6PSSL
    VDOSSLCONNECT                 14    00E2DC9A   T6SOCKREQ
    VDOBINDORCONNECT              14    00E2DE22   T6SOCKREQ
    VSPROCESSPENDMSG              83    00E2F118   T6SOCKREQ
    SPROCESSPENDMSG                8    00DDBEE0   SOCKREQ
    SockRequ                     170    00E16F24
    Schedule                    2082    00CCDB64
    <MAIN-PROGRAM>                14    00C081FE   TCPIP
    VSPASCAL                            00E47702
 
 LOCAL FIX:
 
 PROBLEM SUMMARY:
 ****************************************************************
 * USERS AFFECTED: All users of the z/VM TCP/IP SSL (Secure     *
 *                 Socket Layer) server that do dynamic         *
 *                 SSL/TLS (Transport Layer Security)           *
 ****************************************************************
 * PROBLEM DESCRIPTION:                                         *
 ****************************************************************
 * RECOMMENDATION: APPLY PTF                                    *
 ****************************************************************
 When being probed by port scanning software, the following
 assertion error may appear on the TCPIP console, followed
 by a loss of SSL connectivity.  Non-secure telnet sessions
 continue to work, but secure connections do not.
 .
   AMPX036I ASSERTION FAILURE CHECKING ERROR
         TRACE BACK OF CALLED ROUTINES
    ROUTINE                     STMT AT ADDRESS IN MODULE
    VSKSSLCON                     56    00D0193E   T6PSSL
    VDOSSLCONNECT                 14    00E2DC9A   T6SOCKREQ
    VDOBINDORCONNECT              14    00E2DE22   T6SOCKREQ
    VSPROCESSPENDMSG              83    00E2F118   T6SOCKREQ
    SPROCESSPENDMSG                8    00DDBEE0   SOCKREQ
    SockRequ                     170    00E16F24
    Schedule                    2082    00CCDB64
    <MAIN-PROGRAM>                14    00C081FE   TCPIP
    VSPASCAL                            00E47702
 
 PROBLEM CONCLUSION:
 In part T6PSSL PASCAL, both the VSkSslAcc routine (which
 handles accept processing) and the VSkSslCon routine (which
 handles connect processing) have been updated to handle this
 error condition better.  The code now detects that it has no
 pointer to the SSL TCB and fails the connection attempt from
 the port scanner cleanly, rather than only issuing an
 assertion error and continuing (which eventually caused all
 future secure connection attempts to fail).  With these
 updates, the code also displays one of two new error messages
 (documented below) on the TCPIP console log any time this
 error occurs.
 .
 ---------------------------------------------------------------
 .
 The two new error messages will be documented on page 501 in
 Chapter 18 (TCP/IP Server Messages), Section 18.2 (Numbered
 Messages) of the TCP/IP Messages and Codes manual (GC24-6237-03)
 as follows:
 .
   DTCSSL057E VSkSslAcc: TCB #connection (AcceptTcb) has
              SslServ=nil, connection will be rejected
   .
   EXPLANATION:  An error occurred while TCP/IP was trying to
                 accept a secure connection (possibly due to
                 the client abruptly terminating the connection
                 during secure handshake processing).
   .
   SYSTEM ACTION:  TCP/IP fails the connection attempt.  TCP/IP
                   continues.
   .
   SYSTEM PROGRAMMER RESPONSE:  None.
   -------------------------------------------------------------
   DTCSSL058E VSkSslCon: TCB #connection (SS6_OrigTcb) has
              SslServ=nil, connection will be rejected
   .
   EXPLANATION:  An error occurred while TCP/IP was processing
                 a secure connection attempt (possibly due to
                 the client abruptly terminating the connection
                 during secure handshake processing).
   .
   SYSTEM ACTION:  TCP/IP fails the connection attempt.  TCP/IP
                   continues.
   .
   SYSTEM PROGRAMMER RESPONSE:  None.
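
 The following is an added example, not part of the APAR or of IBM's code: a console-log scan that separates the pre-fix symptom (an AMPX036I traceback passing through T6PSSL) from the post-fix clean rejections (DTCSSL057E and DTCSSL058E). The sample lines are constructed; the optional timestamp prefix and the numeric TCB values are assumptions about how the console renders them.

```python
import re
from collections import Counter

ASSERTION_ID = "AMPX036I"                  # pre-fix symptom named in the APAR
REJECT_IDS = ("DTCSSL057E", "DTCSSL058E")  # post-fix clean rejections
STAMP = r"^\s*(?:\d\d:\d\d:\d\d\s+)?"      # assumed optional console timestamp
# Traceback row: ROUTINE [STMT] ADDRESS [MODULE]
TRACE_ROW = re.compile(STAMP + r"(\S+)\s+(?:(\d+)\s+)?([0-9A-F]{8})(?:\s+(\S+))?\s*$")
MSG_ID = re.compile(r"\b([A-Z]{3,6}\d{3}[EIW])\b")

# Constructed console excerpts: traceback rows copied from the APAR; the
# DTCSSL lines use its message text with assumed TCB numbers.
PRE_FIX = """\
AMPX036I ASSERTION FAILURE CHECKING ERROR
      TRACE BACK OF CALLED ROUTINES
 ROUTINE                     STMT AT ADDRESS IN MODULE
 VSKSSLCON                     56    00D0193E   T6PSSL
 VDOSSLCONNECT                 14    00E2DC9A   T6SOCKREQ
 SockRequ                     170    00E16F24
""".splitlines()
TAIL = " has SslServ=nil, connection will be rejected"
POST_FIX = ["DTCSSL058E VSkSslCon: TCB #17 (SS6_OrigTcb)" + TAIL,
            "DTCSSL057E VSkSslAcc: TCB #18 (AcceptTcb)" + TAIL]


def scan_console(lines):
    """Return (list of T6PSSL traceback routine lists, Counter of reject IDs)."""
    assertions, rejects = [], Counter()
    frames = None  # None = not currently inside an AMPX036I traceback

    def flush():
        # Report only tracebacks that pass through part T6PSSL.
        if frames and any(mod == "T6PSSL" for _, mod in frames):
            assertions.append([routine for routine, _ in frames])

    for line in lines:
        msg = MSG_ID.search(line)
        if msg:  # any message ID ends the previous traceback
            flush()
            frames = [] if msg.group(1) == ASSERTION_ID else None
            if msg.group(1) in REJECT_IDS:
                rejects[msg.group(1)] += 1
        elif frames is not None:
            row = TRACE_ROW.match(line)
            if row:  # header lines do not match and are skipped
                frames.append((row.group(1), row.group(4)))
    flush()
    return assertions, rejects
```

 A non-empty first result is the symptom this APAR fixes (PTF UK95468 for release 630); hits only in the second result mean the fix is active and the connection attempts were failed cleanly.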
 
 TEMPORARY FIX:
 
 COMMENTS:
 
 MODULES/MACROS:   MSTCP    T6PSSL
 
 SRLS:      GC24623703
 
 RTN CODES:
 
 CIRCUMVENTION:
 
 MESSAGE TO SUBMITTER: