A fix is available
APAR status
Closed as program error.
Error description
If TLSv1.3 is enabled and an SSLv3 CLIENT-HELLO is received from a client, it is accepted and an SSLv3 SERVER-HELLO is sent in response. If the client continues the handshake, the server fails the handshake with return codes 410 (GSK_ERR_BAD_MESSAGE) or 411 (GSK_ERR_BAD_MAC). This occurs even if SSLv3 is explicitly disabled for the connection. The server should fail the handshake and not send the SERVER-HELLO message. In an SSL trace we see, following the SSLv3 CLIENT-HELLO, the message: 'Client version 3.0 is not enabled. Continuing to parse client hello' The server returns a SSLv3 SERVER-HELLO message. VERIFICATION STEPS: From an SSL trace verify that the protocols SSLv3.0 (513) TLSv1.0 (519) and TLSv1.1(531) are all disabled. Will TLSv1.2 (558) and TLSv1.3 (619) enabled. Look for a SSLv3 Client-Hello being read in and then the message 'Client version 3.0 is not enabled. Continuing to parse client hello'. The little later in the trace you will see a SSLv3 Server-Hello being sent
Local fix
Problem summary
**************************************************************** * USERS AFFECTED: * * Users of System SSL server applications that have TLS V1.3 * * enabled. * **************************************************************** * PROBLEM DESCRIPTION: * * When a System SSL server application * * has been enabled for TLS V1.3 (other * * protocols can also be enabled) and * * receives a SSL V3 CLIENT-HELLO * * message, it responds with a SSL V3 * * SERVER-HELLO message prior to the * * handshake failing. (The failing * * handshake may fail with return code * * 410 (GSK_ERR_BAD_MESSAGE) or * * 411 (GSK_ERR_BAD_MAC)). * * * * The TLS V1.3 server should reject * * SSL V3 handshake requests whether * * SSL V3 is enable or not with return * * code 412 (GSK_ERR_UNSUPPORTED) * * and not send a SSL V3 * * SERVER-HELLO message. * **************************************************************** * RECOMMENDATION: * * Apply PTF * **************************************************************** When enabled for TLS V1.3 and the client sends a SSL V3 CLIENT-HELLO handshake message, the server code sends a SSL V3 SERVER-HELLO message prior to the handshake failing.
Problem conclusion
When enabled for TLS V1.3 and a SSL V3 CLIENT-HELLO handshake message is received, the server code has been updated to fail earlier while processing the CLIENT-HELLO message with return code 412 (GSK_ERR_SUPPORTED). Documentation Updates Chapter "Messages and Codes" Make the following updates to SSL return code 412 in the "SSL function return codes" section 412 SSL protocol or certificate type is not supported. Explanation: The SSL handshake is not successful because of an unsupported protocol or certificate type. This error can occur if there is no enabled SSL protocol shared by both the client and the server. When executing in FIPS mode, specifying the SSL V2 or SSL V3 protocol is ignored. When enabled for TLS V1.3, SSL V2 and SSL V3 are not supported and are ignored. User response: Ensure that the SSL protocol you want is enabled and supported on both the client and the server. Collect a System SSL trace containing a dump of the failing handshake and then contact your service representative if the problem persists.
Temporary fix
Comments
APAR Information
APAR number
OA60669
Reported component name
SYSTEM SSL
Reported component ID
565506805
Reported release
440
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2020-12-24
Closed date
2021-02-15
Last modified date
2021-03-03
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
UJ04852 UJ04872
Modules/Macros
GSKCMS31 GSKCMS64 GSKS31F GSKS64F GSKS31 GSKS64
| SC147495XX |
Fix information
Fixed component name
SYSTEM SSL
Fixed component ID
565506805
Applicable component levels
Fix is available
Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.
[{"Business Unit":{"code":"BU054","label":"Systems w\/TPS"},"Product":{"code":"SG19M","label":"APARs - z\/OS environment"},"Platform":[{"code":"PF054","label":"z\/OS"}],"Version":"440"}]
Document Information
Modified date:
05 March 2021