Hello,
we implemented a certification check using OCSP by setting the variable GSK_OCSP_ENABLE=1. Our C program reads and sets the environment variable(s). This works well in almost all cases when users try to connect with their PKIs and establish TLS sessions to our C program. In rare cases (roughly 1 out of 100) the error message "gsk_secure_socket_init(): Insufficient storage is available." appears. We caught one case with GSK SSL trace switched on (some values were modified):
07/12/2023-14:03:13 Thd-29 INFO connect_to_server(): Connect to XXX.XXX.XXX.XXX[80] in progress - waiting
07/12/2023-14:03:13 Thd-29 INFO connect_to_server(): Socket ready - XXX.XXX.XXX.XXX[80]
07/12/2023-14:03:13 Thd-29 ASCII send_http_request(): HTTP POST Request header
00000000: 504f5354 202f5657 2d43412d 4155544e *POST /XX-CA-AUTN*
00000010: 2d30312f 20485454 502f312e 310d0a48 *-01/ HTTP/1.1..H*
00000020: 6f73743a 206f6373 702e766f 6c6b7377 *ost: ocsp.xxxxxx*
00000030: 6167656e 2e64650d 0a436f6e 74656e74 *xxxx.de..Content*
00000040: 2d547970 653a2061 70706c69 63617469 *-Type: applicati*
00000050: 6f6e2f6f 6373702d 72657175 6573740d *on/ocsp-request.*
00000060: 0a436f6e 74656e74 2d4c656e 6774683a *.Content-Length:*
00000070: 2036380d 0a0d0a 68....
07/12/2023-14:03:13 Thd-29 ASCII send_http_request(): HTTP POST Request message body
00000000: 30423040 303e303c 303a3007 06052b0e *0B0@0>0<0:0...+.*
00000010: 26261496 d853749c a3041451 f082674c *&&...St....Q..gL*
00000020: 26261496 d853749c a3041451 f082674c *&&...St....Q..gL*
00000030: 26261496 d853749c a3041451 f082674c *&&...St....Q..gL*
00000040: 034499b8 .D..
07/12/2023-14:03:13 Thd-29 ERROR gsk_send_ocsp_request(): Error receiving ocsp response
07/12/2023-14:03:13 Thd-29 ERROR check_revoked(): Failed to send OCSP request to an AIA OCSP responder retval = 0x03353001
07/12/2023-14:03:13 Thd-29 ERROR validate_certificate_mode(): Revocation check failed: Error 0x03353001
07/12/2023-14:03:13 Thd-29 ERROR cms_validate_certificate_mode_int(): Unable to validate certificate: Error 0x03353001
07/12/2023-14:03:13 Thd-29 EXIT cms_validate_certificate_mode_int(): <--- Exit status 0x03353001 (53817345)
07/12/2023-14:03:13 Thd-29 ERROR read_v3_certificate(): Unable to validate peer certificate: Error 0x03353001
07/12/2023-14:03:13 Thd-29 ERROR send_v3_alert(): Sent SSL V3 alert 80 to XXX.XXX.XXX.XXX[63460]
07/12/2023-14:03:13 Thd-29 INFO gsk_write_v3_record(): Calling write routine for 7 bytes
07/12/2023-14:03:13 Thd-29 INFO gsk_write_v3_record(): 7 bytes written
07/12/2023-14:03:13 Thd-29 ERROR gsk_secure_socket_init(): SSL V3 server handshake failed with XXX.XXX.XXX.XXX[63460]
07/12/2023-14:03:13 Thd-29 INFO zert_audit_close_and_fail(): Call to EZBTCZFR
07/12/2023-14:03:13 Thd-29 EBCDIC zert_audit_close_and_fail(): Audit Terminate
00000000: 64ae9681 32351c9a ab934f02 5bbeaff8 ..oa.....l|.$..8
00000010: e36520fb 381bd194 223e83f2 4f30aac7 T.....Jm..c2|..G
00000020: 64ae9680 7dc4dfc3 99042a49 c18edaff ..o.'D.Cr...A...
00000030: 0522c497 dab659bc 29651bdf 5cbc25f2 *..Dp..........2
00000040: 02000000 00000000 00000000 00000000 ................
00000050: 02010500 00000010 00000000 2df66460 .............6.-
00000060: c9c2d440 e2a8a2a3 859440e2 e2d30000 IBM System SSL..
00000070: 00000000 00000000 00000000 00000000 ................
00000080: 00000004 00000000 00000000 00000000 ................
07/12/2023-14:03:13 Thd-29 INFO zert_audit_close_and_fail(): EZBTCZFR successful
07/12/2023-14:03:13 Thd-29 INFO default_setsocketoptions(): TCP_NODELAY restored for socket 22
07/12/2023-14:03:13 Thd-29 EXIT gsk_secure_socket_init(): <--- Exit status 0x00000004 (4)
It turns out that there is not enough memory to receive the ocsp response.
As per the IBM documentation ("03353001 - IBM Documentation") it is recommended to increase the memory.
But our application always had enough memory. Memory usage lies at 67%.
Which memory can be increased?
As said already it is a rare event.
Any ideas?
------------------------------
Sven Siebert
------------------------------
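A small parser for the GSK trace format shown above, as an added example and not code from the post or from IBM System SSL: it groups trace lines by thread, records each handshake's exit status together with any OCSP/revocation error code, and reports how often handshakes fail, which is a quick way to quantify a rare failure like this one across a larger trace. The Thd-28 and Thd-30 lines in the sample are constructed; the Thd-29 lines are from the posted trace.

```python
"""Summarise a GSK System SSL trace per thread: handshake exit status plus OCSP/revocation errors."""
import re
from collections import Counter, defaultdict

# Trace line shape: "<mm/dd/yyyy-hh:mm:ss> Thd-<n> <LEVEL> <function>(): <message>"
LINE_RE = re.compile(r"^(?P<ts>\d{2}/\d{2}/\d{4}-\d{2}:\d{2}:\d{2}) Thd-(?P<thd>\d+) "
                     r"(?P<level>[A-Z]+) (?P<func>\w+)\(\): (?P<msg>.*)$")
EXIT_RE = re.compile(r"Exit status 0x(?P<code>[0-9a-fA-F]{8})")
REVOKE_RE = re.compile(r"Revocation check failed: Error 0x(?P<code>[0-9a-fA-F]{8})")
OCSP_SEND_RE = re.compile(r"Failed to send OCSP request .*retval = 0x(?P<code>[0-9a-fA-F]{8})")

def parse_trace(text):
    """Return {thread_id: record}; hex-dump rows and other non-trace lines are skipped."""
    threads = defaultdict(lambda: {"handshake_exit": None, "revocation_error": None,
                                   "ocsp_send_error": None})
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = threads[m["thd"]]
        if (x := OCSP_SEND_RE.search(m["msg"])):        # AIA responder fetch failed
            rec["ocsp_send_error"] = x["code"].lower()
        if (x := REVOKE_RE.search(m["msg"])):           # revocation check outcome
            rec["revocation_error"] = x["code"].lower()
        if m["func"] == "gsk_secure_socket_init" and (x := EXIT_RE.search(m["msg"])):
            rec["handshake_exit"] = int(x["code"], 16)   # 0 = success, 4 = insufficient storage
    return dict(threads)

def summarise(threads):
    """Handshake counts by exit status, revocation failures by error code, and failure rate."""
    exits = Counter(r["handshake_exit"] for r in threads.values()
                    if r["handshake_exit"] is not None)
    revocation = Counter(r["revocation_error"] for r in threads.values() if r["revocation_error"])
    total = sum(exits.values())
    failed = total - exits.get(0, 0)
    return {"handshakes": total, "failed": failed, "failure_rate": failed / total if total else 0.0,
            "exit_codes": dict(exits), "revocation_errors": dict(revocation)}

# Constructed sample: Thd-29 lines are from the posted trace; Thd-28/Thd-30 are invented
# successful handshakes so the summary yields a rate rather than a single failure.
SAMPLE = """\
07/12/2023-14:03:10 Thd-28 EXIT gsk_secure_socket_init(): <--- Exit status 0x00000000 (0)
07/12/2023-14:03:13 Thd-29 ERROR check_revoked(): Failed to send OCSP request to an AIA OCSP responder retval = 0x03353001
07/12/2023-14:03:13 Thd-29 ERROR validate_certificate_mode(): Revocation check failed: Error 0x03353001
00000000: 30423040 303e303c 303a3007 06052b0e *0B0@0>0<0:0...+.*
07/12/2023-14:03:13 Thd-29 EXIT gsk_secure_socket_init(): <--- Exit status 0x00000004 (4)
07/12/2023-14:03:15 Thd-30 EXIT gsk_secure_socket_init(): <--- Exit status 0x00000000 (0)
"""
```

Run `summarise(parse_trace(open("trace.log").read()))` against a real trace to see the exit-status distribution over many sessions.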