IBM Support

IT24050: SECURE+ DOES NOT WORK ON TLS1.2 WITH GCM CIPHER SUITES


APAR status

  • Closed as program error.

Error description

  • IBM Sterling B2B Integrator V5.2.6.3_3:
    
    Secure+ does not work with these cipher suites:
    TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
    TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384.
    

Local fix

  • STRRTC - 564470
    GM / GM
    Circumvention: No workaround available
    

Problem summary

  • Users Affected:
    IBM Sterling B2B Integrator V5.2 Users
    
    Problem Description:
    Secure+ connections fail when cipher suites
    TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 or
    TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 are configured.
    
    Connections fail with:
    JTXT="com.sterlingcommerce.cd.cdjava.CdSecurePException:
    MSGID=JSKT003E,RC=8,FDBK=1,CLMTHNAME=CdCommMgr.doHandshake,
    CDTXT="The Secure+ TLS handshake operation failed.
    Check the error text for TLS error information and follow
    diagnostic and reporting procedures.",
    JTXT="javax.net.ssl.SSLHandshakeException: Received fatal alert:
    handshake_failure"
    indicating no common ciphers were configured between the SSL
    client and server.
    
    Platforms Affected:
    Unix/Linux
    Windows
    iSeries
    

Problem conclusion

  • Resolution Summary:
    
    A code fix is provided.
    
    The CDSA no longer configures ciphers from a default set. Since
    the TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 and
    TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 ciphers are not members of
    this default cipher list, they were not enabled.
    
    The CDSA now correctly enables only ciphers from the session's
    configuration rather than erroneously from a default list.
    
    Delivered In:
    5020602_6
    5020603_6
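
The failure mode described in the resolution summary, modelled as an added example (not IBM or CDSA code). The default list contents, the function names and the assumption that the pre-fix code enabled only configured suites that also appear in the default list are all hypothetical; the page does not publish the real list.

```python
# Added illustration of the APAR's failure mode; not product code.
GCM_128 = "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
GCM_256 = "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
CBC_128 = "TLS_RSA_WITH_AES_128_CBC_SHA"  # constructed stand-in default member
CBC_256 = "TLS_RSA_WITH_AES_256_CBC_SHA"  # constructed stand-in default member
DEFAULT_SUITES = [CBC_256, CBC_128]       # constructed; the real list is not on the page


class HandshakeFailure(Exception):
    """Models the fatal handshake_failure alert: no cipher suite in common."""


def enabled_before_fix(session_suites, default_suites=DEFAULT_SUITES):
    # Assumed pre-fix behaviour: a suite is enabled only if the default list has it.
    return [s for s in session_suites if s in default_suites]


def enabled_after_fix(session_suites):
    # Post-fix behaviour per the page: enable exactly the session's configured suites.
    return list(session_suites)


def dropped_by_default_list(session_suites, default_suites=DEFAULT_SUITES):
    # Configured suites that the pre-fix selection would silently discard.
    return [s for s in session_suites if s not in default_suites]


def negotiate(peer_offer, local_enabled):
    # The local side picks its first enabled suite that the peer also offers.
    for suite in local_enabled:
        if suite in peer_offer:
            return suite
    raise HandshakeFailure("handshake_failure: no common cipher suite")


def try_session(session_suites, peer_offer, select):
    # Returns the negotiated suite, or the alert text if the handshake fails.
    try:
        return negotiate(peer_offer, select(session_suites))
    except HandshakeFailure as exc:
        return str(exc)


if __name__ == "__main__":
    session = [GCM_256, GCM_128]  # constructed session configuration
    peer = [GCM_256, GCM_128]     # constructed peer offer
    print("dropped:   ", dropped_by_default_list(session))
    print("before fix:", try_session(session, peer, enabled_before_fix))
    print("after fix: ", try_session(session, peer, enabled_after_fix))
```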
    

Temporary fix

Comments

APAR Information

  • APAR number

    IT24050

  • Reported component name

    STR B2B INTEGRA

  • Reported component ID

    5725D0600

  • Reported release

    526

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2018-02-13

  • Closed date

    2018-05-23

  • Last modified date

    2018-07-12

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    STR B2B INTEGRA

  • Fixed component ID

    5725D0600

Applicable component levels


Document Information

Modified date:
11 September 2023