IBM Support

PH34250: OUTBOUND CONNECTION USING TLS1.0 CIPHERSPEC CAN BE STARTED WITHOUT THE TLS10ON DD CARD

A fix is available

APAR status

  • Closed as program error.

Error description

  • TLS 1.0 CipherSpecs, including TLS_RSA_WITH_AES_128_CBC_SHA and
    TLS_RSA_WITH_AES_256_CBC_SHA, can be used without the TLS10ON DD
    card even though they are deprecated.
    This problem applies only to outbound connections and thus does
    not represent a security flaw. Inbound connections are still
    correctly blocked, with a CSQX616E message in the receiver CHIN
    job log.
    

Local fix

  • N/A
    

Problem summary

  • ****************************************************************
    * USERS AFFECTED: All users of IBM MQ for z/OS Version 9       *
    *                 Release 2 Modification 0.                    *
    ****************************************************************
    * PROBLEM DESCRIPTION: An outbound connection using a TLS 1.0  *
    *                      CipherSpec can be started without the   *
    *                      TLS10ON DD card.                        *
    ****************************************************************
    The code that handles outbound TLS connections incorrectly
    enabled the protocol, causing channels to be started even if
    the requested protocol was not previously enabled during
    initial protocol setup.
    

Problem conclusion

  • The code has been changed to ensure channels can only be started
    if the requested protocol was previously enabled during initial
    protocol setup.
    

Temporary fix

Comments

APAR Information

  • APAR number

    PH34250

  • Reported component name

    IBM MQ Z/OS V9

  • Reported component ID

    5655MQ900

  • Reported release

    200

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2021-02-08

  • Closed date

    2021-06-29

  • Last modified date

    2021-08-02

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

    UI76129

Modules/Macros

  • CSQXGSSI
    

Fix information

  • Fixed component name

    IBM MQ Z/OS V9

  • Fixed component ID

    5655MQ900

Applicable component levels

  • R200 PSY UI76129

       UP21/07/19 P F107

Fix is available

  • Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.

Document Information

Modified date:
03 August 2021