IBM Support

PM23548: Slow SSL handshakes cause subsequent SSL connection attempts to wait.

A fix is available


APAR status

  • Closed as program error.

Error description

  • If an SSL connection does not complete its SSL handshake,
    subsequent SSL connection attempts are not processed and have
    to wait. Eventually the TCP/IP backlog limit is reached and
    subsequent SSL connection attempts are rejected immediately.
    In this situation NETSTAT shows that many connections are in
    CLOSE-WAIT state.
    
    Additional search words:
    ClosWait  ClosWt CLOSEWAIT CLOSE_WAIT
    

Local fix

  • The connection causing the problem is in ESTABLISHED state, but
    no data has been transferred. Terminating this connection allows
    waiting connections to complete their SSL handshake.
    

Problem summary

  • ****************************************************************
    * USERS AFFECTED:  All users of CICS TG with SSL connections   *
    *                 from client applications.                    *
    ****************************************************************
    * PROBLEM DESCRIPTION: CICS TG stops processing SSL            *
    *                      connection                              *
    ****************************************************************
    * RECOMMENDATION:                                              *
    ****************************************************************
    When the SSL handshake on an SSL connection was delayed on the
    client side, subsequent SSL connection attempts were queued
    while they waited for the delayed SSL handshake to complete.
    NETSTAT showed these connections in ESTABLISHED state.
    If the TCP/IP backlog limit was reached, subsequent SSL
    connection attempts failed immediately and the waiting
    connections were left in CLOSE-WAIT state.
    
    The SSL protocol handler parameter connecttimeout was not
    effective for SSL handshaking. SSL handshakes would wait
    indefinitely if the client side did not complete the handshake.
    

Problem conclusion

  • CICS TG has been changed so that the SSL handshake time is
    included in the value specified for the SSL protocol handler
    connecttimeout parameter.
    
    After applying the PTF for this APAR, it might be necessary
    to adjust the value specified for the SSL protocol handler
    connecttimeout parameter to allow SSL handshakes to complete.
    
    If the connecttimeout is set to zero, to ensure that a
    connection is refused if a ConnectionManager thread is not
    immediately available, the timeout value used for the SSL
    handshake is set to 2 seconds by default.
    
    If connection logging is active and the SSL handshake exceeds
    the set timeout value, the following message is logged:
    CTG6566W Remote client <client_details> timed out during SSL
             handshake, connecttimeout is set to <connecttimeout> ms
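
Added example, not CICS TG code or IBM's implementation: a Python sketch of the behaviour this fix describes, where the TLS handshake on each accepted socket runs under the connection timeout so a client that never completes it is dropped instead of waited on indefinitely. The function names, the 300 ms demo value and the silent local client are constructed for illustration; the 2-second fallback for a zero timeout mirrors the text above.

```python
import socket
import ssl
import time

DEFAULT_HANDSHAKE_TIMEOUT = 2.0  # seconds, used when the configured timeout is 0


def effective_timeout(connecttimeout_ms):
    """Map a connecttimeout-style value in ms to the handshake timeout in seconds."""
    return connecttimeout_ms / 1000.0 if connecttimeout_ms > 0 else DEFAULT_HANDSHAKE_TIMEOUT


def bounded_handshake(conn, ctx, connecttimeout_ms):
    """Handshake on an accepted socket with a timeout; returns (tls_socket, status)."""
    # Defer the handshake so wrap_socket() itself cannot block.
    tls = ctx.wrap_socket(conn, server_side=True, do_handshake_on_connect=False)
    tls.settimeout(effective_timeout(connecttimeout_ms))
    try:
        tls.do_handshake()
        return tls, "ok"
    except socket.timeout:
        # Peer is connected (ESTABLISHED) but sent no handshake data in time.
        tls.close()
        return None, "timeout"
    except (ssl.SSLError, OSError):
        tls.close()
        return None, "failed"


def demo(connecttimeout_ms=300):
    """Constructed scenario: a local client connects and never sends a ClientHello."""
    # No certificate is loaded because the silent peer never gets that far.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    listener = socket.create_server(("127.0.0.1", 0))
    silent = socket.create_connection(listener.getsockname())
    conn, _ = listener.accept()
    start = time.monotonic()
    _, status = bounded_handshake(conn, ctx, connecttimeout_ms)
    elapsed = time.monotonic() - start
    silent.close()
    listener.close()
    return status, elapsed


if __name__ == "__main__":
    print(demo())
```

A production listener would additionally run each handshake off the accept thread, so that even a handshake within its timeout does not delay the next accept.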
    

Temporary fix

Comments

APAR Information

  • APAR number

    PM23548

  • Reported component name

    CTG V8 FOR Z/OS

  • Reported component ID

    5655W1000

  • Reported release

    800

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2010-09-30

  • Closed date

    2011-03-16

  • Last modified date

    2015-10-01

  • APAR is sysrouted FROM one or more of the following:

    PM18492

  • APAR is sysrouted TO one or more of the following:

    UK65825

Modules/Macros

  •    CTG00201 CTG00204 CTG00585
    

Fix information

  • Fixed component name

    CTG V8 FOR Z/OS

  • Fixed component ID

    5655W1000

Applicable component levels

  • R800 PSY UK65825

       UP11/03/22 P F103

Fix is available

  • Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.


Document Information

Modified date:
08 August 2024