URL: https://www.ibm.com/support/pages/apar/IV74069

IV74069: LARGE PRE-MASTER SECRET GENERATED FROM 2048 BIT DH KEY NOT DIGESTED IN TLSV1 AND TLSV1.1

APAR status

  • Closed as program error.

Error description

  • Error Message: java.lang.ArrayIndexOutOfBoundsException: Array
    index out of range: 64
    .
    Stack Trace: javax.net.ssl.SSLException:
    java.lang.ArrayIndexOutOfBoundsException: Array index out of range: 64
     at com.ibm.jsse2.o.a(o.java:10)
     at com.ibm.jsse2.SSLSocketImpl.a(SSLSocketImpl.java:216)
     at com.ibm.jsse2.SSLSocketImpl.a(SSLSocketImpl.java:864)
     at com.ibm.jsse2.SSLSocketImpl.a(SSLSocketImpl.java:618)
     at com.ibm.jsse2.SSLSocketImpl.a(SSLSocketImpl.java:500)
     at com.ibm.jsse2.SSLSocketImpl.startHandshake(SSLSocketImpl.java:220)
     at com.ibm.net.ssl.www2.protocol.https.c.afterConnect(c.java:184)
     at com.ibm.net.ssl.www2.protocol.https.d.connect(d.java:40)
     at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1207)
     at java.net.HttpURLConnection.getResponseCode(HttpURLConnection.java:390)
     at com.ibm.net.ssl.www2.protocol.https.b.getResponseCode(b.java:29)
    .
    The problem occurs when the server side uses a large DH key (e.g.
    2048-bit) in a TLSv1/TLSv1.1 key exchange: the handshake fails on
    the client in startHandshake, so any HTTPS request made through
    HttpURLConnection against such a server fails.
    

Local fix

  • 1. Disable the cipher suites that use DH/DHE key exchange (on the
       client or on the server), so that no DH pre-master secret is
       produced.
    2. Use TLSv1.2, whose master-secret derivation is not affected
       (the server must support TLSv1.2 for this to work).
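
Both local fixes applied from client code, as an added example (this is not IBM's code; the class name NoDhSocketFactory and the URL argument are the example's own). It wraps the default javax.net.ssl.SSLSocketFactory so that every socket HttpsURLConnection opens has the DH/DHE suites removed from its enabled list and, optionally, offers only TLSv1.2. It uses only the standard JSSE API, so it works with the IBMJSSE2 provider shown in the stack trace as well as with other providers.

```java
import java.io.IOException;
import java.net.InetAddress;
import java.net.Socket;
import java.net.URL;
import java.util.ArrayList;
import java.util.List;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

/*
 * Added example (not IBM code): an SSLSocketFactory wrapper that applies the
 * two IV74069 local fixes to every socket HttpsURLConnection opens.
 * The class name and the placeholder URL are the example's own.
 */
public final class NoDhSocketFactory extends SSLSocketFactory {
    private final SSLSocketFactory delegate;
    private final boolean onlyTls12;

    public NoDhSocketFactory(SSLSocketFactory delegate, boolean onlyTls12) {
        this.delegate = delegate;
        this.onlyTls12 = onlyTls12;
    }

    /** Local fix 1: drop every suite whose key exchange is DH or DHE (anon, DSS or RSA signed). */
    static String[] withoutDhSuites(String[] suites) {
        List<String> kept = new ArrayList<String>();
        for (String s : suites) {
            // JSSE names look like TLS_DHE_RSA_WITH_AES_128_CBC_SHA or SSL_DH_anon_WITH_RC4_128_MD5.
            // ECDHE/ECDH suites ("TLS_ECDHE_...") match neither "_DHE_" nor "_DH_" and are kept.
            if (!s.contains("_DHE_") && !s.contains("_DH_")) {
                kept.add(s);
            }
        }
        return kept.toArray(new String[kept.size()]);
    }

    /** Apply the filters to a socket the delegate produced. */
    private Socket harden(Socket raw) {
        SSLSocket s = (SSLSocket) raw;
        s.setEnabledCipherSuites(withoutDhSuites(s.getEnabledCipherSuites()));
        if (onlyTls12) {
            s.setEnabledProtocols(new String[] { "TLSv1.2" }); // local fix 2
        }
        return s;
    }

    @Override public String[] getDefaultCipherSuites() {
        return withoutDhSuites(delegate.getDefaultCipherSuites());
    }
    @Override public String[] getSupportedCipherSuites() {
        return withoutDhSuites(delegate.getSupportedCipherSuites());
    }
    @Override public Socket createSocket(Socket s, String host, int port, boolean autoClose) throws IOException {
        return harden(delegate.createSocket(s, host, port, autoClose));
    }
    @Override public Socket createSocket(String host, int port) throws IOException {
        return harden(delegate.createSocket(host, port));
    }
    @Override public Socket createSocket(String host, int port, InetAddress localHost, int localPort) throws IOException {
        return harden(delegate.createSocket(host, port, localHost, localPort));
    }
    @Override public Socket createSocket(InetAddress host, int port) throws IOException {
        return harden(delegate.createSocket(host, port));
    }
    @Override public Socket createSocket(InetAddress address, int port, InetAddress localAddress, int localPort) throws IOException {
        return harden(delegate.createSocket(address, port, localAddress, localPort));
    }

    public static void main(String[] args) throws Exception {
        // Placeholder URL; pass the affected server as the first argument.
        String url = args.length > 0 ? args[0] : "https://example.invalid/";
        SSLSocketFactory base = SSLContext.getDefault().getSocketFactory();
        HttpsURLConnection conn = (HttpsURLConnection) new URL(url).openConnection();
        conn.setSSLSocketFactory(new NoDhSocketFactory(base, true));
        // Against an unpatched IBM JSSE2 this call is where the handshake failed with
        // SSLException: ArrayIndexOutOfBoundsException: Array index out of range: 64
        System.out.println("HTTP " + conn.getResponseCode());
    }
}
```

Pass onlyTls12 = false if the server cannot negotiate TLSv1.2; the suite filter alone is enough to avoid the failing path. Dropping DHE removes forward secrecy unless ECDHE suites are available on both sides, so treat this as a stop-gap and apply the fix pack listed under Problem conclusion.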
    

Problem summary

  • This problem happens because the large pre-master secret
    generated from a 2048-bit DH key was not properly hashed by the
    TLSv1/TLSv1.1 PRF to derive the master secret. TLSv1.2 derives the
    master secret with a different PRF (RFC 5246) and is not affected.
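
The derivation the summary refers to, written out as an added example (not IBM's code; the class name TlsPrfDemo and the sample values are the example's own). It implements the PRF of RFC 2246/RFC 4346 section 5, used by TLSv1 and TLSv1.1, and for contrast the RFC 5246 section 5 PRF used by TLSv1.2. In TLSv1/TLSv1.1 the pre-master secret is split into two halves, S1 keyed into HMAC-MD5 and S2 into HMAC-SHA1, and the two expansions are XORed. The DH pre-master secret is the shared value Z (RFC 4346 and RFC 5246 strip leading all-zero bytes), so a 1024-bit group yields a 128-byte secret with 64-byte halves, while a 2048-bit group yields a 256-byte secret with 128-byte halves. TLSv1.2 keys the whole secret into a single HMAC-SHA256 P_hash and splits nothing, which is why the "Use TLSv1.2" local fix avoids the problem. The stand-in secrets and handshake randoms below are constructed values, not captured from a real handshake.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.util.Arrays;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

/*
 * Added example (not IBM code): the master-secret derivation the APAR
 * concerns, written from RFC 2246/4346 section 5 (TLSv1/TLSv1.1) and
 * RFC 5246 section 5 (TLSv1.2). Class name and sample values are the
 * example's own.
 */
public final class TlsPrfDemo {

    /** P_hash(secret, seed) expanded to outLen bytes: HMAC(A(i) + seed) with A(i) = HMAC(A(i-1)). */
    static byte[] pHash(String hmacAlg, byte[] secret, byte[] seed, int outLen) throws GeneralSecurityException {
        Mac mac = Mac.getInstance(hmacAlg);
        mac.init(new SecretKeySpec(secret, hmacAlg));
        byte[] out = new byte[outLen];
        byte[] a = seed;                        // A(0) = seed
        int off = 0;
        while (off < outLen) {
            a = mac.doFinal(a);                 // A(i) = HMAC_hash(secret, A(i-1))
            mac.update(a);
            byte[] block = mac.doFinal(seed);   // HMAC_hash(secret, A(i) + seed)
            int n = Math.min(block.length, outLen - off);
            System.arraycopy(block, 0, out, off, n);
            off += n;
        }
        return out;
    }

    /** TLSv1/TLSv1.1: split the secret into S1 and S2 (length rounded up, so an odd-length
     *  secret shares one middle byte), then PRF = P_MD5(S1, label + seed) XOR P_SHA1(S2, label + seed). */
    static byte[] prfTls10(byte[] secret, String label, byte[] seed, int outLen) throws GeneralSecurityException {
        int half = (secret.length + 1) / 2;
        byte[] s1 = Arrays.copyOfRange(secret, 0, half);
        byte[] s2 = Arrays.copyOfRange(secret, secret.length - half, secret.length);
        byte[] labelSeed = concat(label.getBytes(StandardCharsets.US_ASCII), seed);
        byte[] md5Part = pHash("HmacMD5", s1, labelSeed, outLen);
        byte[] shaPart = pHash("HmacSHA1", s2, labelSeed, outLen);
        byte[] out = new byte[outLen];
        for (int i = 0; i < outLen; i++) {
            out[i] = (byte) (md5Part[i] ^ shaPart[i]);
        }
        return out;
    }

    /** TLSv1.2: a single P_SHA256 over the whole secret; nothing is split. */
    static byte[] prfTls12(byte[] secret, String label, byte[] seed, int outLen) throws GeneralSecurityException {
        return pHash("HmacSHA256", secret, concat(label.getBytes(StandardCharsets.US_ASCII), seed), outLen);
    }

    static byte[] concat(byte[] a, byte[] b) {
        byte[] out = Arrays.copyOf(a, a.length + b.length);
        System.arraycopy(b, 0, out, a.length, b.length);
        return out;
    }

    static String hex(byte[] b) {
        StringBuilder sb = new StringBuilder();
        for (byte x : b) sb.append(String.format("%02x", x));
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-ins for the DH shared value Z of a 1024-bit and a 2048-bit group
        // (128 and 256 bytes, leading byte non-zero) and for the two 32-byte handshake randoms.
        byte[] pms1024 = new byte[128];
        byte[] pms2048 = new byte[256];
        for (int i = 0; i < pms2048.length; i++) {
            pms2048[i] = (byte) (0x80 | (i & 0x7f));
            if (i < pms1024.length) pms1024[i] = pms2048[i];
        }
        byte[] clientRandom = new byte[32];
        byte[] serverRandom = new byte[32];
        Arrays.fill(clientRandom, (byte) 0xC1);
        Arrays.fill(serverRandom, (byte) 0x5E);
        byte[] seed = concat(clientRandom, serverRandom); // ClientHello.random + ServerHello.random

        for (byte[] pms : new byte[][] { pms1024, pms2048 }) {
            int half = (pms.length + 1) / 2;
            System.out.printf("%d-bit DH: pre_master_secret %d bytes, S1/S2 %d bytes each%n",
                    pms.length * 8, pms.length, half);
            System.out.println("  TLSv1/1.1 master_secret: " + hex(prfTls10(pms, "master secret", seed, 48)));
            System.out.println("  TLSv1.2   master_secret: " + hex(prfTls12(pms, "master secret", seed, 48)));
        }
    }
}
```

The 48-byte master secret is then fed back through the same PRF with the "key expansion" label to produce the record-layer keys; only the first step, where the variable-length DH secret enters the derivation, differs between the two protocol generations.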
    

Problem conclusion

  • A fix is made to the IBMJSSE2 and IBMJCE providers to handle a
    large pre-master secret in TLSv1 and TLSv1.1.
    The associated Hursley RTC Problem Report is 93670
    The associated Austin CMVC defect is 116692
    The associated Austin APAR is IV73472
    JVMs affected: Java 6.0, Java 626, Java 7.0, Java 727 and Java 8
    The fix was delivered for Java 6.0 SR16FP5, Java 626 SR8FP5,
    Java 7.0 SR9FP10, Java 727 SR3FP10 and Java 8 SR1FP10
    The affected jars are "ibmjsseprovider2.jar" and
    "ibmjceprovider.jar".
    The build level of these jars for the affected releases is
    "20150604".
    .
    This APAR will be fixed in the following Java Releases:
     7 SR9 FP 10 (7.0.9.10)
     6 R1 SR8 FP7 (6.1.8.7)
     8 SR1 FP10 (8.0.1.10)
     7 R1 SR3 FP10 (7.1.3.10)
     6 SR16 FP7 (6.0.16.7)
    .
    Contact your IBM Product's Service Team for these Service
    Refreshes and Fix Packs.
    For those running stand-alone, information about the available
    Service Refreshes and Fix Packs can be found at:
     https://www.ibm.com/developerworks/java/jdk/
    

Temporary fix

Comments

APAR Information

  • APAR number

    IV74069

  • Reported component name

    SECURITY

  • Reported component ID

    620700125

  • Reported release

    260

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2015-06-09

  • Closed date

    2015-06-26

  • Last modified date

    2015-06-29

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

  • Fixed component name

    SECURITY

  • Fixed component ID

    620700125

Applicable component levels

  • R260 PSY

       UP

  • R270 PSY

       UP

  • R600 PSY

       UP

Document Information

Modified date:
07 December 2020