Environment
Reflection for the Web 12.3 and later
Reflection ZFE 2.2.0 and later
Situation
If the mainframe is configured to renegotiate the cipher on an established TLS connection, the Reflection for the Web or ZFE client will respond to the mainframe's "Encrypted Handshake Message" with an "Encrypted Alert", and the client connection is reset back to the logon screen.
This can be seen in a Wireshark capture or in the Java console on the Reflection for the Web client, where Reflection for the Web logs the following exception:
XXX XX, XXXX XX:XX:XX org.bouncycastle.jsse.provider.ProvTlsClient notifyAlertRaised
INFO: Client raised fatal(2) unexpected_message(10) alert: Failed to read record
org.bouncycastle.tls.TlsFatalAlert: unexpected_message(10)
    at org.bouncycastle.tls.TlsProtocol.checkReceivedChangeCipherSpec(Unknown Source)
    at org.bouncycastle.tls.TlsProtocol.processHandshakeQueue(Unknown Source)
    at org.bouncycastle.tls.TlsProtocol.processRecord(Unknown Source)
    at org.bouncycastle.tls.RecordStream.readRecord(Unknown Source)
    at org.bouncycastle.tls.TlsProtocol.safeReadRecord(Unknown Source)
    at org.bouncycastle.tls.TlsProtocol.readApplicationData(Unknown Source)
    at org.bouncycastle.jsse.provider.ProvSSLSocketWrap$AppDataInput.read(Unknown Source)
    at com.wrq.session.transport.TcpipProvider.blockedRead(Unknown Source)
    at com.wrq.session.transport.TcpipProvider.a(Unknown Source)
    at com.wrq.session.transport.TcpipProvider.access$000(Unknown Source)
    at com.wrq.session.transport.TcpipProvider$1.run(Unknown Source)
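The exception above has a recognisable shape: a Bouncy Castle client alert of unexpected_message(10) raised from TlsProtocol.checkReceivedChangeCipherSpec, i.e. a ChangeCipherSpec arriving after the handshake finished. The following Python script is an added example (not part of the Reflection product or this article) that scans a Java console log for that signature so the renegotiation case can be told apart from other TLS alerts; the sample log it parses is constructed from the trace quoted above plus one unrelated alert.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the trace quoted in this article, plus one other alert
# (made up for contrast) that must NOT be reported as a renegotiation problem.
SAMPLE_LOG = """\
XXX XX, XXXX XX:XX:XX org.bouncycastle.jsse.provider.ProvTlsClient notifyAlertRaised
INFO: Client raised fatal(2) unexpected_message(10) alert: Failed to read record
org.bouncycastle.tls.TlsFatalAlert: unexpected_message(10)
\tat org.bouncycastle.tls.TlsProtocol.checkReceivedChangeCipherSpec(Unknown Source)
\tat org.bouncycastle.tls.TlsProtocol.processHandshakeQueue(Unknown Source)
\tat org.bouncycastle.tls.TlsProtocol.readApplicationData(Unknown Source)
\tat com.wrq.session.transport.TcpipProvider.blockedRead(Unknown Source)
XXX XX, XXXX XX:XX:XX org.bouncycastle.jsse.provider.ProvTlsClient notifyAlertRaised
INFO: Client raised fatal(2) handshake_failure(40) alert: constructed example
org.bouncycastle.tls.TlsFatalAlert: handshake_failure(40)
\tat org.bouncycastle.tls.TlsClientProtocol.handleHandshakeMessage(Unknown Source)
"""

ALERT_RE = re.compile(r"Client raised (?P<level>\w+)\(\d+\) (?P<desc>\w+)\((?P<code>\d+)\) alert: (?P<msg>.*)")
# Frame that identifies a ChangeCipherSpec received on an already-established session.
RENEG_FRAME = "org.bouncycastle.tls.TlsProtocol.checkReceivedChangeCipherSpec"

@dataclass
class TlsAlertEvent:
    level: str
    description: str
    code: int
    message: str
    frames: list = field(default_factory=list)

    @property
    def likely_renegotiation(self) -> bool:
        return self.description == "unexpected_message" and RENEG_FRAME in self.frames

def parse_alerts(text: str) -> list:
    """Group each 'Client raised ... alert' line with the stack frames that follow it."""
    events, current = [], None
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if m:
            current = TlsAlertEvent(m["level"], m["desc"], int(m["code"]), m["msg"])
            events.append(current)
        elif current is not None and line.lstrip().startswith("at "):
            current.frames.append(line.strip()[3:].split("(")[0])  # keep class.method only
        elif current is not None and not line.startswith("org.bouncycastle.tls.TlsFatalAlert"):
            current = None  # any other line ends the current stack trace
    return events

def diagnose(text: str) -> list:
    """One finding per alert that matches the mainframe cipher-renegotiation signature."""
    return [f"fatal {e.description}({e.code}) on post-handshake ChangeCipherSpec: "
            "mainframe is renegotiating the cipher; set ResetCipherTimer to 0"
            for e in parse_alerts(text) if e.likely_renegotiation]
```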
Resolution
Disable the 'ResetCipherTimer' in the mainframe policy agent configuration by setting it to '0'.
Cause
Reflection for the Web and ZFE do not support cipher renegotiation after a session has been established.