IBM Support

IJ43933: EXCEPTION DURING ENCRYPTION, JAVAX.NET.SSL.SSLEXCEPTION: FAIL TO WRAP APPLICATION DATA

Subscribe to this APAR

By subscribing, you receive periodic emails alerting you to the status of the APAR, along with a link to the fix after it becomes available. You can track this item individually or track all items by product.

Notify me when this APAR changes.

Notify me when an APAR for this component changes.

 

APAR status

  • Closed as program error.

Error description

  • Customer configured the following ciphers list on dmgr (SSL
Server) and node (SSL Client), both running on the SAME physical
machine. We recreate this problem in our local machine. A
standalone program is not possible to provide. Therefore we
request you, please check all information provided as given
below.

TLS_AES_256_GCM_SHA384 TLS_AES_128_GCM_SHA256
TLS_CHACHA20_POLY1305_SHA256
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
SSL_ECDHE_RSA_WITH_AES_256_GCM_SHA384
SSL_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256
SSL_DHE_RSA_WITH_AES_256_GCM_SHA384
SSL_DHE_RSA_WITH_AES_128_GCM_SHA256
SSL_DHE_DSS_WITH_AES_256_GCM_SHA384
SSL_DHE_DSS_WITH_AES_128_GCM_SHA256

After the customer had an issue, WAS product could not sync the
node with dmgr.


We engaged with WAS security development and WAS system
management development, and we suspect it is more related to the
java security issue.


We suspect the following error is causing the problem. We
noticed the following error in SSL server-side logs (dmgr) where
maybe data is genuinely malformed and causing the following
error.

Note: Problem Happens only with CHACHA Ciphers

Local fix

  • 



Problem summary


    

  • BMJCEPlus provider, during ChaCha20-Poly1305 crypto operations,
incorrectly throws an IllegalStateExceptionIBMJCEPlus provider,
during ChaCha20-Poly1305 crypto operations, incorrectly throws
an IllegalStateException

    



Problem conclusion


    

  • IBMJCEPlus provider throws incorrectly an IllegalStateException
Error:  Fatal (INTERNAL_ERROR): Fail to wrap application data.

StackTrace:

java.security.ProviderException: Could not determine buffer size
               at javax.crypto.CipherSpi.a(Unknown Source)
               at javax.crypto.CipherSpi.engineDoFinal(Unknown
Source)
               at javax.crypto.Cipher.doFinal(Unknown Source)
              
atcom.ibm.jsse2.SSLCipher$T12CC20P1305WriteCipherGenerator$CC20P
1305WriteCipher.encrypt(SSLCipher.java:2473)
               at
com.ibm.jsse2.OutputRecord.t10Encrypt(OutputRecord.java:410)
               at
com.ibm.jsse2.OutputRecord.encrypt(OutputRecord.java:315)
               at
com.ibm.jsse2.SSLEngineOutputRecord.encode(SSLEngineOutputRecord
.java:272)
               at
com.ibm.jsse2.SSLEngineOutputRecord.encode(SSLEngineOutputRecord
.java:174)
               at
com.ibm.jsse2.SSLEngineImpl.encode(SSLEngineImpl.java:258)
               at
com.ibm.jsse2.SSLEngineImpl.writeRecord(SSLEngineImpl.java:205)
  Caused by: java.lang.IllegalStateException: Cipher has not
been initialized
               at
com.ibm.crypto.plus.provider.ChaCha20Poly1305Cipher.checkCipherI
nitialized(ChaCha20Poly1305Cipher.java:551)
               at
com.ibm.crypto.plus.provider.ChaCha20Poly1305Cipher.engineDoFina
l(ChaCha20Poly1305Cipher.java:147)
               ... 58 more}
PROBLEM CONCLUSION:

The JVM has been updated so that a ShortBufferException during
during ChaCha20-Poly1305 crypto operations, sets the internal
state variables correctly so that IllegalStateException is not
thrown.

The affected jar file is:  ibmjceplus.jar

JVMs affected: Java 8.

The associated Java Security GIT issue is: 472

The associated RTC problem report is: 148403

The Java 8 build dates are:FIPS140-2 - Build-Date:
20221213FIPS140-3 - Build-Date: 20221216

The fixes were delivered for: Java 8.0 sr8

    



Temporary fix


    

  • 



Comments


    

  • 



APAR Information




    

  • APAR number
    IJ43933
    • 

  • Reported component name
    TIV JAVA CRYPTO
    • 

  • Reported component ID
    TIVSECJCE
    • 

  • Reported release
    600
    • 

  • Status
    CLOSED  PER
    • 

  • PE
    NoPE
    • 

  • HIPER
    NoHIPER
    • 

  • Special Attention
    NoSpecatt / Xsystem
    • 

  • Submitted date
    2022-10-20
    • 

  • Closed date
    2023-01-31
    • 

  • Last modified date
    2023-01-31
    • 





    

  • APAR is sysrouted FROM one or more of the following:
    

    • 

  • APAR is sysrouted TO one or more of the following:
    

    • 



Fix information


    

  • Fixed component name
    TIV JAVA CRYPTO
    • 

  • Fixed component ID
    TIVSECJCE
    • 



Applicable component levels


    








      
              
                            

              

              [{"Business Unit":{"code":"BU008","label":"Security"},"Product":{"code":"SSWKFH","label":"Tivoli Components - Java Security"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"600"}]
              

                                                                    

          
 
        

      

    

      

        

          

            
Document Information


            

            


                        

            Modified date:
            

            31 January 2023
            

            
                      

        


        

        


      

    

  



    

  

  
    
            

          
Page Feedback