IBM Support

OA68554: ALLOW GSK_CERT_VALIDATION_MODE SETTING TO BE USED WHEN CHECKING THE LOCAL CERTIFICATE EXTENDED KEY USAGE IN A TLS1.3 ENVIRONMENT

A fix is available


APAR status

  • Closed as program error.

Error description

  • Currently, System SSL checks that if the local certificate has
    an extended key usage (EKU), it must be appropriate for its
    intended usage. For server applications, the EKU must specify
    serverAuth or anyExtendedKeyUsage; for client applications, the
    EKU must specify clientAuth or anyExtendedKeyUsage. In TLS 1.3,
    this check is always done by default without regard to the
    GSK_CERT_VALIDATION_MODE setting. TLS 1.3 defaults to RFC 5280.
    The GSK_CERT_VALIDATION_MODE setting should be examined prior to
    these checks. In these cases, the TLS handshake would fail with
    return code 440 from the gsk_secure_socket_init() API.
    
    Additionally, when we validate the peer's certificate we should
    also take into account the GSK_CERT_VALIDATION_MODE setting when
    examining the EKU during TLS 1.3 handshakes.
    

Local fix

Problem summary

  • ****************************************************************
    * USERS AFFECTED: System SSL applications that are performing  *
    *                 TLS V1.3 handshakes with certificates        *
    *                 containing an extended key usage (EKU)       *
    *                 extension.                                   *
    ****************************************************************
    * PROBLEM DESCRIPTION: When performing a TLS V1.3 handshake    *
    *                      with a certificate containing an EKU    *
    *                      extension, System SSL verifies that the *
    *                      local certificate is valid for its      *
    *                      intended purpose to follow RFC 5280     *
    *                      certificate validation rules. If the    *
    *                      local certificate is not valid for the  *
    *                      intended purpose, the                   *
    *                      gsk_secure_socket_init() fails the TLS  *
    *                      V1.3 handshake with return code 440.    *
    ****************************************************************
    * RECOMMENDATION: APPLY PTF                                    *
    ****************************************************************
    Within a TLS V1.3 handshake, the local certificate's EKU
    extension check is performed unconditionally without examining
    the GSK_CERT_VALIDATION_MODE setting. By default, System SSL
    uses RFC 5280 certificate validation mode which checks the
    extended key usage extension for its intended purpose.
    Similarly, when System SSL receives a certificate from a partner
    containing an EKU extension, it always performs the check
    unconditionally without querying the GSK_CERT_VALIDATION_MODE
    setting during TLS V1.3 handshakes.
    

Problem conclusion

  • The code was updated to query the GSK_CERT_VALIDATION_MODE
    setting when attempting a TLS V1.3 handshake and the local or
    the partner's certificate contains an extended key usage
    extension. If the EKU checks need to be bypassed, the
    GSK_CERT_VALIDATION_MODE setting can be set to 2459. If the
    GSK_CERT_VALIDATION_MODE setting is 3280 or 5280, the
    certificate EKU checks are performed.
    
    The z/OS Cryptographic Services System Secure Sockets Layer
    Programming publication (SC14-7495) has been updated. For the
    specific topics that were updated, see the "Summary of Changes"
    section of the publication related to z/OS 3.2.
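
    The local-certificate EKU decision described above, modelled in C as an added example (not System SSL source and not IBM code), for auditing which certificate and mode combinations would be rejected before and after the PTF. The function name, the role enum and the ptf_applied flag are hypothetical; the OIDs are the standard RFC 5280 values and 440 is the return code quoted in this APAR.

```c
#include <stdio.h>
#include <string.h>

/* Added model of the EKU decision in this APAR; not System SSL code. */
#define OID_SERVER_AUTH "1.3.6.1.5.5.7.3.1"  /* id-kp-serverAuth */
#define OID_CLIENT_AUTH "1.3.6.1.5.5.7.3.2"  /* id-kp-clientAuth */
#define OID_ANY_EKU     "2.5.29.37.0"        /* anyExtendedKeyUsage */
#define RC_EKU_FAIL     440                  /* return code quoted in the APAR */

enum role { ROLE_SERVER, ROLE_CLIENT };

/* mode: 2459, 3280 or 5280 (GSK_CERT_VALIDATION_MODE values named in the
 * APAR); any other value is treated like 5280, the TLS V1.3 default.
 * eku/n: EKU OIDs of the local certificate; n == 0 means no EKU extension.
 * ptf_applied (hypothetical flag): 0 models the pre-fix path that ignores mode.
 * Returns 0 if the check passes or is bypassed, RC_EKU_FAIL otherwise. */
int eku_check_local_tls13(int mode, enum role r, const char *const *eku,
                          size_t n, int ptf_applied)
{
    const char *wanted = (r == ROLE_SERVER) ? OID_SERVER_AUTH : OID_CLIENT_AUTH;
    size_t i;

    if (n == 0)
        return 0;                 /* no EKU extension: nothing to check */
    if (ptf_applied && mode == 2459)
        return 0;                 /* post-fix: mode 2459 bypasses the check */
    for (i = 0; i < n; i++)
        if (strcmp(eku[i], wanted) == 0 || strcmp(eku[i], OID_ANY_EKU) == 0)
            return 0;
    return RC_EKU_FAIL;
}

/* Constructed sample EKU lists (not taken from any real certificate). */
static const char *const sample_client_only[] = { OID_CLIENT_AUTH };
static const char *const sample_any[] = { "1.3.6.1.5.5.7.3.4", OID_ANY_EKU };

int main(void)
{
    printf("server, clientAuth-only, 2459, pre-fix : %d\n",
           eku_check_local_tls13(2459, ROLE_SERVER, sample_client_only, 1, 0));
    printf("server, clientAuth-only, 2459, post-fix: %d\n",
           eku_check_local_tls13(2459, ROLE_SERVER, sample_client_only, 1, 1));
    printf("server, clientAuth-only, 5280, post-fix: %d\n",
           eku_check_local_tls13(5280, ROLE_SERVER, sample_client_only, 1, 1));
    return 0;
}
```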
    

Temporary fix

Comments

APAR Information

  • APAR number

    OA68554

  • Reported component name

    SYSTEM SSL

  • Reported component ID

    565506805

  • Reported release

    450

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2025-09-26

  • Closed date

    2025-12-03

  • Last modified date

    2026-01-02

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

    UJ98631 UJ98632 UJ98633 UJ98634 UJ98635 UJ98636

Modules/Macros

  • GSKCMS31 GSKCMS64 GSKS31   GSKS31F  GSKS64   GSKS64F
    

Publications Referenced
SC147495xx    

Fix information

  • Fixed component name

    SYSTEM SSL

  • Fixed component ID

    565506805

Applicable component levels

  • R450 PSY UJ98635

       UP25/12/13 P F512

  • R451 PSY UJ98636

       UP25/12/13 P F512

  • R510 PSY UJ98633

       UP25/12/13 P F512

  • R511 PSY UJ98634

       UP25/12/13 P F512

  • R520 PSY UJ98631

       UP25/12/13 P F512

  • R521 PSY UJ98632

       UP25/12/13 P F512

Fix is available

  • Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.


Document Information

Modified date:
02 January 2026