IJ51955: 8326643 - JDK SERVER DOES NOT SEND A DUMMY CHANGE_CIPHER_SPEC RECORD AFTER HELLORETRYREQUEST MESSAGE

APAR status

• Closed as program error.

Error description

• Error Message: N/A
  .
  Stack Trace: N/A
  .
  

Local fix

Problem summary

• JDK server does not send a dummy change_cipher_spec record after
  HelloRetryRequest message.
  According to RFC 8446 (Transport Layer Security (TLS) Protocol
  Version 1.3) Appendix D.4 (Middlebox Compatibility Mode), if the
  client sends a non-empty session ID in the ClientHello message,
  the server sends a dummy change_cipher_spec (CCS) record
  immediately after its first handshake message. This may either
  be after a ServerHello or a HelloRetryRequest.
  

Problem conclusion

• Binary affected - ibmjsseprovider2.jar
  GIT Issue - 328
  RTC - 151477
  Build - 8.0 build_20240726--302
  JVM to be delivered in - JDK 8 SR8 FP35
  .
  This APAR will be fixed in the following Releases:
  .
  IBM SDK, Java Technology Edition
   8 SR8 FP35 (8.0.8.35)
  .
  Downloads and supplementary documentation can be found at the
  following locations:
  - For non z/OS operating systems:
   - IBM Semeru Runtimes, Version 11 and later
   https://www.ibm.com/semeru-runtimes/downloads/
   - IBM SDK, Java Technology Edition, Version 8
   https://www.ibm.com/support/pages/java-sdk-downloads/
  - For the z/OS operating system:
   - Java SDK Products on z/OS
   https://www.ibm.com/support/pages/java-sdk-products-zos
  

Temporary fix

Comments

APAR Information

• APAR is sysrouted FROM one or more of the following:

• APAR is sysrouted TO one or more of the following:

Fix information

• Fixed component name

  SECURITY

• Fixed component ID

  620700125

Applicable component levels