PH14225: MQ CLIENT SENDS SSL V2 CLIENT HELLO INDICATING SUPPORT FOR SSL V3 WITH 3DES CIPHER. 20/07/06 PTF PECHANGE

Obtain the fix for this APAR.

APAR status

• Closed as new function.

Error description

• In some circumstances, MQ rejects client connections without
  issuing any subsequent error messages. In the case of a new
  connection, MQ makes two initial checks to determine if a
  connection is valid:
  1. Check if the initial data is a TSH header on an unencrypted
  channel
  2. Check if it is an SSL flow
  If neither are seen, MQ will issue the following error
  messages:
  - CSQX053E for XFFSrriBadDataReceived rriBadDataReceived
                 XFFSrriConvertValidate rriConvertValidate
  - CSQX207E Invalid data received
  - CSQX504E Local protocol error type=0000000B data=00000000
  As a SSL v2 client hello is not supported in V9.1.1, it will be
  flagged as unrecognized data and issue the above set of error
  messages by MQ.
  .
  Additional symptoms:
  A back-level Java client trying to connect with the old
  SSL protocol may receive
  MQJE001: Completion Code 2, Reason 2397
  .
  Pre-V7 client channels will have blanks for RVERSION in
  DISPLAY CHSTATUS output.
  .
  In MQ V9.0.0 with UI68820 applied and in V9.1.0 with UI68821
  applied, this issue can also result in messages CSQX259E,
  CSQX053E and a CSQSNAP from xcsFreeOwnedBuffers.
  

Local fix

• N/A
  

Problem summary

• ****************************************************************
  * USERS AFFECTED: All users of IBM MQ for z/OS Version 9       *
  *                 Release 0 Modification 0, Release 1          *
  *                 Modification 0 and Release 2 Modification 0. *
  ****************************************************************
  * PROBLEM DESCRIPTION: When MQ receives a connection it does   *
  *                      some checks on the received data to     *
  *                      determine whether it represents an SSL  *
  *                      flow. Changes introduced in PH23074     *
  *                      inadvertently made some assumptions     *
  *                      about the format of received SSL data.  *
  *                      If the SSL flow was using an old SSL V2 *
  *                      format hello, then various errors may   *
  *                      occur in the CHINIT depending on the    *
  *                      specific contents of the SSL hello.     *
  ****************************************************************
  APAR PH23074 added additional checks to data received through an
  SSL connection. If the SSL connection uses an old SSL V2 format
  hello then various error messages may be output in the CHINIT
  depending on the specific contents of the data.
  
  This may result in messages CSQX259E, CSQX053E being issued in
  the CHINIT and a CSQSNAP dump being taken from
  xcsFreeOwnedBuffers.
  

Problem conclusion

• The code has been changed to correctly reject SSL V2 format
  hellos. Note that connections using this old format will still
  be rejected, accompanied by CSQX207E and CSQX504E messages in
  the CHINIT.
  

Temporary fix

Comments

APAR Information

• APAR is sysrouted FROM one or more of the following:

• APAR is sysrouted TO one or more of the following:

  UI71464 UI71465 UI72345

Modules/Macros

• CSQFXLAT CSQMCNAC CSQUMSG  CSQXCCCX CSQXCCIS CSQXGINI CSQXMSG
  CSQXRPLY
  

Fix information

• Fixed component name

  IBM MQ Z/OS V9

• Fixed component ID

  5655MQ900

Applicable component levels

• R000 PSY UI71464

     UP20/11/02 P F010 {

• R100 PSY UI71465

     UP20/11/02 P F010 {

• R200 PSY UI72436

     UP20/12/08 P F012 {

Fix is available

• Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.