A fix is available
APAR status
Closed as program error.
Error description
Problem details: System SSL does not completely release allocated memory while parsing and decoding the key usage and extended key usage extensions in a certificate when performing TLS 1.3 handshakes, or TLS 1.2 and earlier handshakes when certificate validation mode is set to 3280 or 5280.
Analysis: The HEAP LEAK REPORT shows Unmatched ALLOCATE of 1 bytes, and the traceback contains gsk_decode_certificate_extension and asn1_decode_bitstring.
Known impact: The allocation that System SSL does not release leads to fragmentation and extension of the LE heap. Eventually the LE heap reaches the limit of extended private storage.
Verification: Capture a HEAP LEAK REPORT to review the unmatched allocate.
Additional symptoms: None.
Workaround: Use the HEAP(FREE) LE option for applications using TLS 1.3, or TLS 1.2 and earlier with certificate validation mode set to 3280 or 5280, in System SSL.
Local fix
Workaround: Use the HEAP(FREE) LE option for applications using TLS 1.3, or TLS 1.2 and earlier with certificate validation mode set to 3280 or 5280, in System SSL.
Problem summary
USERS AFFECTED: System SSL client applications or server applications enabled for client authentication that are enabled to use
- TLS V1.3
- SSL V3, TLS V1.0, TLS V1.1 and/or TLS V1.2 along with certificate validation mode 3280 or 5280
PROBLEM DESCRIPTION: When negotiating a secure connection using SSL V3, TLS V1.0, TLS V1.1, TLS V1.2 or TLS V1.3, System SSL validates the partner's certificate when provided. During the validation process, when certificate validation mode (GSK_CERT_VALIDATION_MODE) is set to either 3280 or 5280 for a TLS V1.2 or earlier connection, or for TLS V1.3 with any supported certificate validation mode setting, the extended key usage extension is processed when present. This processing, when both a key usage and an extended key usage extension are present in the certificate, may result in storage not being freed.
RECOMMENDATION: APPLY PTF
When processing the SSL V3/TLS partner certificate, storage may not be freed if the certificate contains both a key usage and an extended key usage extension.
Problem conclusion
System SSL has been updated to free storage obtained when validating the key usage and extended key usage extensions.
Temporary fix
Comments
APAR Information
APAR number
OA67090
Reported component name
SYSTEM SSL
Reported component ID
565506805
Reported release
450
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2024-10-11
Closed date
2025-03-03
Last modified date
2025-04-02
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
UJ96744 UJ96745 UJ96746 UJ96747
Modules/Macros
GSKCMS31 GSKCMS64 GSKS31 GSKS31F GSKS64 GSKS64F
Fix information
Fixed component name
SYSTEM SSL
Fixed component ID
565506805
Applicable component levels
R450 PSY UJ96746
UP25/03/12 P F503
R451 PSY UJ96747
UP25/03/12 P F503
R510 PSY UJ96744
UP25/03/12 P F503
R511 PSY UJ96745
UP25/03/12 P F503
Fix is available
Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.
Document Information
Modified date:
02 April 2025