Global Security Forum

  • 1.  GSKIT: OCSP Insufficient Memory

    Posted Thu August 03, 2023 08:00 AM

    Hello,

    We implemented a certification check (with GSKIT) using OCSP by setting the variable GSK_OCSP_ENABLE=1. Our C program reads and sets the environment variable(s). This works well in almost all cases when users try to connect with their PKIs and establish TLS sessions to our C program. In rare cases (roughly 1 out of 100) the error message "gsk_secure_socket_init(): Insufficient storage is available." appears. We could catch one case with an SSL trace (some values were modified):

    07/12/2023-14:03:13 Thd-29 INFO connect_to_server(): Connect to XXX.XXX.XXX.XXX[80] in progress - waiting
    07/12/2023-14:03:13 Thd-29 INFO connect_to_server(): Socket ready - XXX.XXX.XXX.XXX[80]
    07/12/2023-14:03:13 Thd-29 ASCII send_http_request(): HTTP POST Request header
    ...
    07/12/2023-14:03:13 Thd-29 ASCII send_http_request(): HTTP POST Request message body
    ...
    07/12/2023-14:03:13 Thd-29 ERROR gsk_send_ocsp_request(): Error receiving ocsp response
    07/12/2023-14:03:13 Thd-29 ERROR check_revoked(): Failed to send OCSP request to an AIA OCSP responder retval = 0x03353001
    07/12/2023-14:03:13 Thd-29 ERROR validate_certificate_mode(): Revocation check failed: Error 0x03353001
    07/12/2023-14:03:13 Thd-29 ERROR cms_validate_certificate_mode_int(): Unable to validate certificate: Error 0x03353001
    07/12/2023-14:03:13 Thd-29 EXIT cms_validate_certificate_mode_int(): <--- Exit status 0x03353001 (53817345)
    07/12/2023-14:03:13 Thd-29 ERROR read_v3_certificate(): Unable to validate peer certificate: Error 0x03353001
    07/12/2023-14:03:13 Thd-29 ERROR send_v3_alert(): Sent SSL V3 alert 80 to XXX.XXX.XXX.XXX[63460]
    07/12/2023-14:03:13 Thd-29 INFO gsk_write_v3_record(): Calling write routine for 7 bytes
    07/12/2023-14:03:13 Thd-29 INFO gsk_write_v3_record(): 7 bytes written
    07/12/2023-14:03:13 Thd-29 ERROR gsk_secure_socket_init(): SSL V3 server handshake failed with XXX.XXX.XXX.XXX[63460]
    07/12/2023-14:03:13 Thd-29 INFO zert_audit_close_and_fail(): Call to EZBTCZFR
    07/12/2023-14:03:13 Thd-29 EBCDIC zert_audit_close_and_fail(): Audit Terminate
    ...
    07/12/2023-14:03:13 Thd-29 INFO zert_audit_close_and_fail(): EZBTCZFR successful
    07/12/2023-14:03:13 Thd-29 INFO default_setsocketoptions(): TCP_NODELAY restored for socket 22
    07/12/2023-14:03:13 Thd-29 EXIT gsk_secure_socket_init(): <--- Exit status 0x00000004 (4)

    It turns out that there is not enough memory to receive the OCSP response.

    As per the IBM documentation for 03353001, it is recommended to increase the memory.

    But our application always had enough memory. Memory usage lies at 67%.

    Which memory can be increased?

    As already said, it is a rare event.

    Any ideas?



    ------------------------------
    Sven Siebert
    ------------------------------
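Because the failure is intermittent, it helps to scan the whole System SSL trace rather than one captured case. The following parser is an added example (not code from the original post or from IBM) that reads trace lines in the format quoted above, correlates the check_revoked() return value with the gsk_secure_socket_init() exit status per thread, and reports which handshakes ended in the OCSP revocation-check failure and at what rate. The sample trace and its addresses are constructed.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of the z/OS System SSL trace quoted above.
SAMPLE_TRACE = """\
07/12/2023-14:03:13 Thd-29 INFO connect_to_server(): Socket ready - 192.0.2.10[80]
07/12/2023-14:03:13 Thd-29 ERROR gsk_send_ocsp_request(): Error receiving ocsp response
07/12/2023-14:03:13 Thd-29 ERROR check_revoked(): Failed to send OCSP request to an AIA OCSP responder retval = 0x03353001
07/12/2023-14:03:13 Thd-29 ERROR send_v3_alert(): Sent SSL V3 alert 80 to 192.0.2.10[63460]
...
07/12/2023-14:03:13 Thd-29 EXIT gsk_secure_socket_init(): <--- Exit status 0x00000004 (4)
07/12/2023-14:03:14 Thd-30 INFO connect_to_server(): Socket ready - 192.0.2.11[80]
07/12/2023-14:03:14 Thd-30 EXIT gsk_secure_socket_init(): <--- Exit status 0x00000000 (0)
"""

OCSP_FAILURE = "0x03353001"  # return code from the trace: revocation check failed
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<thread>Thd-\d+) (?P<level>\w+) (?P<func>\w+)\(\): (?P<msg>.*)$")
RETVAL_RE = re.compile(r"retval = (0x[0-9A-Fa-f]{8})")
EXIT_RE = re.compile(r"Exit status (0x[0-9A-Fa-f]{8})")
ALERT_RE = re.compile(r"Sent SSL V3 alert (\d+)")

def parse_trace(text):
    """Yield one dict per well-formed trace line; '...' and blank lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()

def summarize_handshakes(text):
    """Per thread: OCSP retval, TLS alert sent, and gsk_secure_socket_init() exit status."""
    per_thread = defaultdict(lambda: {"ocsp_retval": None, "alert": None, "init_status": None})
    for rec in parse_trace(text):
        entry = per_thread[rec["thread"]]
        if rec["func"] == "check_revoked" and (m := RETVAL_RE.search(rec["msg"])):
            entry["ocsp_retval"] = m.group(1)
        elif rec["func"] == "send_v3_alert" and (m := ALERT_RE.search(rec["msg"])):
            entry["alert"] = int(m.group(1))
        elif rec["func"] == "gsk_secure_socket_init" and rec["level"] == "EXIT":
            if m := EXIT_RE.search(rec["msg"]):
                entry["init_status"] = m.group(1)
    return dict(per_thread)

def failed_ocsp_handshakes(text):
    """Threads whose handshake failed after an OCSP revocation-check error."""
    return sorted(t for t, e in summarize_handshakes(text).items()
                  if e["ocsp_retval"] == OCSP_FAILURE and e["init_status"] != "0x00000000")

def ocsp_failure_rate(text):
    """Fraction of completed gsk_secure_socket_init() calls that failed on OCSP."""
    done = [e for e in summarize_handshakes(text).values() if e["init_status"] is not None]
    return len(failed_ocsp_handshakes(text)) / len(done) if done else 0.0
```

Run it over the full trace to see whether the failures cluster on particular responders or threads, which is the information the reply below asks for.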


  • 2.  RE: GSKIT: OCSP Insufficient Memory

    Posted Fri August 04, 2023 12:56 PM

    Hello Sven,

    It appears that this problem is not related to GSKit but is instead related to z/OS System SSL from the trace that you have posted.

    To properly diagnose this issue, it would be interesting to see the entire HTTP Post Request message body to see how large it is. If a really large message is coming back from the OCSP responder that would require a larger internal buffer to read it into the program.

    Additionally, is your C program properly closing out the SSL connection handles by calling gsk_secure_socket_close()?

    You may need to open a case so that we can continue to debug the issue since it is an intermittent one.



    ------------------------------
    Jonathan Cottrell
    ------------------------------