IBM Support

PI65260: SSL HANDSHAKE FAILS WHEN USING CIPHER TO A PROXY SERVER

A fix is available

 

APAR status

  • Closed as program error.

Error description

  • In a URIMAP definition, the CIPHERS attribute can be either
    - a string of 2-digit cipher suite codes, or
    - the name of the SSL cipher suite specification file.
    .
      If you use the string of 2-digit codes, it works.
    But if you point to the file, it fails.
    .
      Trace shows that ciphers should be used.
    SO 0201 SOCK  ENTRY
            FUNCTION(SET_SOCKET_OPTS)
            TCP_NODELAY(YES)
            SOCKET_TOKEN(0100000E)
            SSL(YES)
            CIPHER_COUNT(D)
    .
      But, the response shows that no ciphers were selected.
    SO 0802 SOSE  EXIT
            FUNCTION(SECURE_SOC_INIT)
            RESPONSE(EXCEPTION)
            REASON(CONNECTION_CLOSED)
            GSK_RETURN_CODE(1A4)
            CERTIFICATE_USERID()
            CIPHER_SELECTED()
            CIPHER_NAME(TLS_NULL_WITH_NULL_NULL)
    .
      The problem only happens when an outbound connection
    to a proxy server is being used.  When using SSL,
    CICS first has to communicate with the proxy unencrypted
    and then switch the session to SSL
    to communicate with the desired end server.
      When switching to SSL, DFHWBCL fails to pass
    the cipher list token to sockets domain.
    This causes the SSL handshake process performed by CICS
    to believe that a ciphers file was not used.
    Additional Symptom(s) Search Keyword(s): KIXREVRJL
    .
    The following symptoms have also been seen:
    080C SOSE  *EXC* - SYSTEM_SSL_ERROR
         GSK_RESPONSE(GSK_ERR_NO_CIPHERS) FUNCTION(SECURE_SOC_INIT)
         RESPONSE(EXCEPTION) REASON
         (CLIENT_ERROR) GSK_RETURN_CODE(192)
         CERTIFICATE_USERID() CIPHER_SELECTED()
    .
    DFHSO0123 Return code 402 received from function
    'gsk_secure_socket_init': No common ciphers negotiated.
    

Local fix

Problem summary

  • ****************************************************************
    * USERS AFFECTED:                                              *
    * All CICS users.                                              *
    ****************************************************************
    * PROBLEM DESCRIPTION:                                         *
    * DFHSO0123 Return code 402 received from function             *
    * 'gsk_secure_socket_init': No common ciphers negotiated.      *
    ****************************************************************
    * RECOMMENDATION:                                              *
    * .                                                            *
    ****************************************************************
    An attempt is made to make an outbound HTTP request using SSL
    via a proxy.  The URIMAP resource specifies a cipher file.
    After establishing an unencrypted session with the proxy, CICS
    switches to use SSL for connecting with the remote server.
    However, when the DFHSOCK SET_SOCKET_OPTS call is made the
    cipher block token for the ciphers loaded from the cipher file
    is not passed.  As a consequence the SSL handshake fails with
    a GSK_RESPONSE of GSK_ERR_NO_CIPHERS (402 or '192'x) and
    message DFHSO0123 is issued.
    
    Additional keywords: msgDFHSO0123 SO0123 SECURE_SOC_INIT
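
The symptom above can be picked out of captured trace text mechanically. The following Python sketch is an added example, not IBM code: it parses the trace excerpts quoted in this APAR and flags SECURE_SOC_INIT exceptions where no cipher was selected after SET_SOCKET_OPTS had switched the socket to SSL. The function names are hypothetical, and it assumes that CIPHER_COUNT and GSK_RETURN_CODE are hexadecimal trace fields (the page itself equates 402 with '192'x).

```python
import re

# Trace excerpts copied from the error description above, used as sample input.
SAMPLE_TRACE = """\
SO 0201 SOCK  ENTRY
        FUNCTION(SET_SOCKET_OPTS)
        TCP_NODELAY(YES)
        SOCKET_TOKEN(0100000E)
        SSL(YES)
        CIPHER_COUNT(D)
SO 0802 SOSE  EXIT
        FUNCTION(SECURE_SOC_INIT)
        RESPONSE(EXCEPTION)
        REASON(CONNECTION_CLOSED)
        GSK_RETURN_CODE(1A4)
        CERTIFICATE_USERID()
        CIPHER_SELECTED()
        CIPHER_NAME(TLS_NULL_WITH_NULL_NULL)
080C SOSE  *EXC* - SYSTEM_SSL_ERROR
     GSK_RESPONSE(GSK_ERR_NO_CIPHERS) FUNCTION(SECURE_SOC_INIT)
     RESPONSE(EXCEPTION) REASON
     (CLIENT_ERROR) GSK_RETURN_CODE(192)
     CERTIFICATE_USERID() CIPHER_SELECTED()
"""

HEADER = re.compile(r"^\s*(?:SO )?([0-9A-F]{4}) (SOCK|SOSE)\s+(ENTRY|EXIT|\*EXC\*)", re.M)
FIELD = re.compile(r"([A-Z_]+)\s*\(([^()]*)\)")  # tolerates KEY and (VALUE) on separate lines

def parse_entries(trace):
    """Split trace text into entries and collect each entry's KEY(VALUE) fields."""
    heads = list(HEADER.finditer(trace))
    bounds = [h.start() for h in heads[1:]] + [len(trace)]
    return [{"point": h.group(1), "fields": dict(FIELD.findall(trace[h.end():end]))}
            for h, end in zip(heads, bounds)]

def find_handshake_failures(trace):
    """Flag SECURE_SOC_INIT exceptions with no cipher selected after the switch to SSL."""
    findings, offered = [], None
    for entry in parse_entries(trace):
        f = entry["fields"]
        if f.get("FUNCTION") == "SET_SOCKET_OPTS" and f.get("SSL") == "YES":
            offered = int(f.get("CIPHER_COUNT") or "0", 16)  # assumption: hex field
        elif (f.get("FUNCTION") == "SECURE_SOC_INIT"
              and f.get("RESPONSE") == "EXCEPTION" and f.get("CIPHER_SELECTED") == ""):
            findings.append({"point": entry["point"], "reason": f.get("REASON"),
                             "gsk_rc": int(f.get("GSK_RETURN_CODE") or "0", 16),  # decimal
                             "ciphers_offered": offered})
    return findings
```

A finding with a non-zero `ciphers_offered` and a `gsk_rc` of 402 corresponds to the DFHSO0123 message quoted in this APAR.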
    

Problem conclusion

  • DFHWBCL has been modified to pass the wbo_cipher_token, if
    present, on the DFHSOCK SET_SOCKET_OPTS call made to switch the
    session to SSL.
    DFHSOCK SET_SOCKET_OPTS has been updated to accept this
    parameter and call set_cipher_token on the socket if supplied.
    

Temporary fix

Comments

APAR Information

  • APAR number

    PI65260

  • Reported component name

    CICS TS Z/OS V5

  • Reported component ID

    5655Y0400

  • Reported release

    000

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2016-07-01

  • Closed date

    2016-11-11

  • Last modified date

    2016-12-01

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

    PI69104 UI42525 UI42526

Modules/Macros

  • DFJ@H360
    

Fix information

  • Fixed component name

    CICS TS Z/OS V5

  • Fixed component ID

    5655Y0400

Applicable component levels

  • R000 PSY UI42525

       UP16/11/19 P F611

  • R00D PSY UI42526

       UP16/11/19 P F611

Fix is available

  • Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.


Document Information

Modified date:
01 December 2016