
URL: https://www.ibm.com/support/pages/apar/IJ34952

IJ34952: SSL SESSION IDS ARE NOT BEING REUSED WHEN SSLENGINE DOES NOT RECEIVE THE PROPER SSL/TLS CLOSE NOTIFICATION MESSAGE FROM THE PEER

APAR status

  • Closed as program error.

Error description

  • Error Message: N/A
    Stack Trace: N/A
    

Local fix

Problem summary

  • As of TLS 1.1, failure to properly close a connection no longer
    requires that a session not be resumed. This is a change from
    TLS 1.0 to conform with widespread implementation practice.
    However, the JavaDoc states that an SSLException should be thrown
    on SSLEngine.closeInbound() if the engine has not received the
    proper SSL/TLS close notification message from the peer.
    Throwing this SSLException causes the SSL session to be
    invalidated, and therefore the SSL session cannot be resumed.
    A system property will be provided to allow the user to
    specify whether the JSSE implementation throws the exception,
    in compliance with the JavaDoc, or not.
    

Problem conclusion

  • A system property will be provided to allow the user to specify
    whether the JSSE implementation throws the exception, in
    compliance with the JavaDoc, or not.

    com.ibm.jsse2.sslEngineCloseNotifyReceive = true | false

     true (default) - complies with the SSLEngine.closeInbound()
       JavaDoc and throws an SSLException if this engine has not
       received the proper SSL/TLS close notification from the peer.
     false - does not comply with the JavaDoc and does not throw an
       SSLException if close/notify was not received from the peer.
       This complies with the TLS 1.1 RFC and above and allows SSL
       session resumption when close/notify was not received from
       the peer.

    Binary affected - ibmjsseprovider2.jar
    GIT Issue - #169
    RTC - 145925
    Build - 8.0 build_20210729--336
    The fix was delivered for: Java 8.0 SR7

    This APAR will be fixed in the following Java Releases:
     8 SR7 (8.0.7.0)

    Contact your IBM Product's Service Team for these Service
    Refreshes and Fix Packs.
    For those running stand-alone, information about the available
    Service Refreshes and Fix Packs can be found at:
     https://www.ibm.com/developerworks/java/jdk/
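
    The following is an added example, not IBM's code and not part of the APAR. It shows one way to handle transport EOF on an SSLEngine so that truncated data is still caught when the property is set to false and closeInbound() no longer throws. The class name, the Eof enum and the length-based application framing are assumptions made for illustration.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLSession;

public class InboundEofCheck {
    // Property name as given in the APAR. Assumption: it is supplied at JVM start, e.g.
    //   java -Dcom.ibm.jsse2.sslEngineCloseNotifyReceive=false InboundEofCheck
    static final String PROP = "com.ibm.jsse2.sslEngineCloseNotifyReceive";

    enum Eof { COMPLETE, TRUNCATED_NO_CLOSE_NOTIFY, TRUNCATED_SHORT_BODY }

    /**
     * Call when the transport read returns -1.
     * expected: body length promised by the application protocol
     *           (hypothetical framing, such as a length header).
     * received: number of plaintext bytes actually decoded.
     */
    static Eof onTransportEof(SSLEngine engine, long expected, long received) {
        SSLSession session = engine.getSession();
        try {
            engine.closeInbound();
        } catch (SSLException e) {
            // Default (property true): the peer never sent close_notify. The APAR
            // states that this exception invalidates the session, so it cannot
            // be resumed.
            System.err.println("closeInbound: " + e.getMessage()
                    + " (session valid: " + session.isValid() + ")");
            return Eof.TRUNCATED_NO_CLOSE_NOTIFY;
        }
        // Reached after a clean close, or whenever the property is false.
        // In the second case the engine gives no truncation signal, so the
        // application's own framing must decide whether the data is complete.
        return received == expected ? Eof.COMPLETE : Eof.TRUNCATED_SHORT_BODY;
    }

    public static void main(String[] args) throws Exception {
        System.out.println(PROP + " = " + System.getProperty(PROP, "true (default)"));
        // Constructed input: an engine that never handshakes, and a peer that
        // promised 1024 bytes but delivered 512 before the transport closed.
        SSLEngine engine = SSLContext.getDefault().createSSLEngine();
        engine.setUseClientMode(true);
        System.out.println(onTransportEof(engine, 1024, 512));
    }
}
```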
    

Temporary fix

Comments

APAR Information

  • APAR number

    IJ34952

  • Reported component name

    SECURITY

  • Reported component ID

    620700125

  • Reported release

    270

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2021-09-13

  • Closed date

    2021-09-13

  • Last modified date

    2021-09-23

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    SECURITY

  • Fixed component ID

    620700125

Applicable component levels


Document Information

Modified date:
24 September 2021