Intermittently a mainframe SSL/TLS session resets to signon screen

  • 7023420
  • 02-Oct-2018
  • 08-Oct-2018


Reflection for the Web 12.3 and later
Reflection ZFE 2.2.0 and later


If the mainframe is configured to renegotiate the cipher in a TLS connection, the Reflection for the Web or ZFE client will response with an "Encrypted Alert" to the "Encrypted Handshake Message".  The client connection will be reset back to the logon screen.

This can be seen in a Wireshark or viewing a Java console on the Reflection for the Web client.  The Reflection for the Web will log an exception (see below).

XXX XX, XXXX XX:XX:XX org.bouncycastle.jsse.provider.ProvTlsClient notifyAlertRaised
INFO: Client raised fatal(2) unexpected_message(10) alert: Failed to read record
org.bouncycastle.tls.TlsFatalAlert: unexpected_message(10)
at org.bouncycastle.tls.TlsProtocol.checkReceivedChangeCipherSpec(Unknown Source)
at org.bouncycastle.tls.TlsProtocol.processHandshakeQueue(Unknown Source)
at org.bouncycastle.tls.TlsProtocol.processRecord(Unknown Source)
at org.bouncycastle.tls.RecordStream.readRecord(Unknown Source)
at org.bouncycastle.tls.TlsProtocol.safeReadRecord(Unknown Source)
at org.bouncycastle.tls.TlsProtocol.readApplicationData(Unknown Source)
at org.bouncycastle.jsse.provider.ProvSSLSocketWrap$ Source)
at com.wrq.session.transport.TcpipProvider.blockedRead(Unknown Source)
at com.wrq.session.transport.TcpipProvider.a(Unknown Source)
at com.wrq.session.transport.TcpipProvider.access$000(Unknown Source)
at com.wrq.session.transport.TcpipProvider$ Source)


Disable the 'ResetCipherTimer' in the mainframe policy agent configuration by setting it to '0'.


Reflection for the Web and ZFE do not support cipher renegotiation after a session has been established.


Reported to Engineering