Intermittently a mainframe SSL/TLS session resets to signon screen

  • 7023420
  • 02-Oct-2018
  • 08-Oct-2018

Environment

Reflection for the Web 12.3 and later
Reflection ZFE 2.2.0 and later

Situation

If the mainframe is configured to renegotiate the cipher on an established TLS connection, the Reflection for the Web or ZFE client responds to the server's "Encrypted Handshake Message" with an "Encrypted Alert", and the client connection is reset back to the logon screen.

This can be seen in a Wireshark capture or by viewing the Java console on the Reflection for the Web client. Reflection for the Web logs an exception like the one below.

XXX XX, XXXX XX:XX:XX org.bouncycastle.jsse.provider.ProvTlsClient notifyAlertRaised
INFO: Client raised fatal(2) unexpected_message(10) alert: Failed to read record
org.bouncycastle.tls.TlsFatalAlert: unexpected_message(10)
at org.bouncycastle.tls.TlsProtocol.checkReceivedChangeCipherSpec(Unknown Source)
at org.bouncycastle.tls.TlsProtocol.processHandshakeQueue(Unknown Source)
at org.bouncycastle.tls.TlsProtocol.processRecord(Unknown Source)
at org.bouncycastle.tls.RecordStream.readRecord(Unknown Source)
at org.bouncycastle.tls.TlsProtocol.safeReadRecord(Unknown Source)
at org.bouncycastle.tls.TlsProtocol.readApplicationData(Unknown Source)
at org.bouncycastle.jsse.provider.ProvSSLSocketWrap$AppDataInput.read(Unknown Source)
at com.wrq.session.transport.TcpipProvider.blockedRead(Unknown Source)
at com.wrq.session.transport.TcpipProvider.a(Unknown Source)
at com.wrq.session.transport.TcpipProvider.access$000(Unknown Source)
at com.wrq.session.transport.TcpipProvider$1.run(Unknown Source)
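The exception above has a recognisable shape: the client raises an unexpected_message alert from checkReceivedChangeCipherSpec while it is inside readApplicationData, meaning a handshake record arrived on a session that had already finished its handshake. The following script is an added example, not part of this article or of the Reflection products; it parses Java console output for BouncyCastle alert lines and their stack frames, and flags that pattern as the mid-session renegotiation described here. The sample log text is constructed (the timestamp is a placeholder and the contrast case is made up to show a non-match); the frame names come from the exception in this article.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample modelled on the exception in this article. The timestamp is
# a placeholder; the stack frames are the ones the article lists.
SAMPLE_CONSOLE_LOG = """\
Oct 02, 2018 09:14:03 org.bouncycastle.jsse.provider.ProvTlsClient notifyAlertRaised
INFO: Client raised fatal(2) unexpected_message(10) alert: Failed to read record
org.bouncycastle.tls.TlsFatalAlert: unexpected_message(10)
    at org.bouncycastle.tls.TlsProtocol.checkReceivedChangeCipherSpec(Unknown Source)
    at org.bouncycastle.tls.TlsProtocol.processHandshakeQueue(Unknown Source)
    at org.bouncycastle.tls.TlsProtocol.processRecord(Unknown Source)
    at org.bouncycastle.tls.RecordStream.readRecord(Unknown Source)
    at org.bouncycastle.tls.TlsProtocol.safeReadRecord(Unknown Source)
    at org.bouncycastle.tls.TlsProtocol.readApplicationData(Unknown Source)
    at org.bouncycastle.jsse.provider.ProvSSLSocketWrap$AppDataInput.read(Unknown Source)
    at com.wrq.session.transport.TcpipProvider.blockedRead(Unknown Source)
"""

# Constructed contrast case: a fatal alert raised during record processing but
# not while reading application data, so it is NOT the renegotiation symptom.
CONTRAST_LOG = """\
Oct 02, 2018 09:20:45 org.bouncycastle.jsse.provider.ProvTlsClient notifyAlertRaised
INFO: Client raised fatal(2) handshake_failure(40) alert: Failed to read record
    at org.bouncycastle.tls.TlsProtocol.processRecord(Unknown Source)
    at org.bouncycastle.tls.RecordStream.readRecord(Unknown Source)
"""

RENEGOTIATION_SIGNATURE = (
    "server-initiated TLS renegotiation after session establishment "
    "(client does not support it; see Resolution: set ResetCipherTimer to 0)"
)

# "Client raised fatal(2) unexpected_message(10) alert: <message>"
ALERT_RE = re.compile(
    r"Client raised (?P<level>fatal|warning)\((?P<level_code>\d+)\) "
    r"(?P<desc>\w+)\((?P<desc_code>\d+)\) alert: (?P<message>.*)"
)
# "    at pkg.Class.method(Unknown Source)" -> captures pkg.Class.method
FRAME_RE = re.compile(r"^\s*at (?P<frame>[\w.$]+)\(")


@dataclass
class TlsAlertEvent:
    level: str
    description: str        # TLS AlertDescription name, e.g. unexpected_message
    code: int               # numeric AlertDescription, e.g. 10
    message: str
    frames: List[str] = field(default_factory=list)


def parse_alerts(log: str) -> List[TlsAlertEvent]:
    """Collect each BouncyCastle alert line together with the stack frames that follow it."""
    events: List[TlsAlertEvent] = []
    current: Optional[TlsAlertEvent] = None
    for line in log.splitlines():
        m = ALERT_RE.search(line)
        if m:
            current = TlsAlertEvent(m["level"], m["desc"], int(m["desc_code"]), m["message"])
            events.append(current)
            continue
        f = FRAME_RE.match(line)
        if f and current is not None:
            current.frames.append(f["frame"])
    return events


def classify(event: TlsAlertEvent) -> Optional[str]:
    """Return the known cause for this alert, or None if the pattern is not recognised.

    The renegotiation symptom is: unexpected_message(10) raised from the
    ChangeCipherSpec check while the client was in readApplicationData, i.e. a
    handshake record arrived after the session was already established.
    """
    in_app_data = any(f.endswith("TlsProtocol.readApplicationData") for f in event.frames)
    ccs_check = any(f.endswith("TlsProtocol.checkReceivedChangeCipherSpec") for f in event.frames)
    if event.description == "unexpected_message" and event.code == 10 and in_app_data and ccs_check:
        return RENEGOTIATION_SIGNATURE
    return None


def triage(log: str) -> List[str]:
    """One human-readable line per alert found in the console log."""
    report = []
    for ev in parse_alerts(log):
        cause = classify(ev) or "unrecognised alert pattern"
        report.append(f"{ev.level} {ev.description}({ev.code}): {cause}")
    return report


if __name__ == "__main__":
    for line in triage(SAMPLE_CONSOLE_LOG) + triage(CONTRAST_LOG):
        print(line)
```

Point the script at a saved Java console log to confirm the reset matches this article's symptom before changing the mainframe policy; an alert with a different description, or one raised during the initial handshake rather than from readApplicationData, has a different cause.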

Resolution

Disable the 'ResetCipherTimer' in the mainframe policy agent configuration by setting it to '0'.

Cause

Reflection for the Web and ZFE do not support cipher renegotiation after a session has been established.

Status

Reported to Engineering