PH08671: THE VSE CONNECTOR CLIENT DOES NOT CORRECTLY HANDLE INTERMEDIATE CA CERTIFICATES WITH SSL/TLS

Obtain the fix for this APAR.

APAR status

• Closed as program error.

Error description

• The z/VSE Connector Client does not correctly handle
  intermediate CA certificates when it validates peer
  certificates during SSL/TLS handshake. This might cause SSL/TLS
  connections to be rejected when the peer certificate is signed
  by an intermediate CA certificate, even though the intermediate
  CA certificate is contained in the keyring used by the VSE
  Connector Client.
  

Local fix

Problem summary

• ****************************************************************
  * USERS AFFECTED: All z/VSE Connector Client Users             *
  ****************************************************************
  * PROBLEM DESCRIPTION: The z/VSE Connector Client does not     *
  *                      correctly handle intermediate CA        *
  *                      certificates when it validates peer     *
  *                      certificates during SSL/TLS handshake.  *
  *                      This might cause SSL/TLS connections to *
  *                      be rejected when the peer certificate   *
  *                      is signed by an intermediate CA         *
  *                      certificate, even though the            *
  *                      intermediate CA certificate is          *
  *                      contained in the keyring used by the    *
  *                      VSE Connector Client.                   *
  ****************************************************************
  * RECOMMENDATION: Install this PTF                             *
  ****************************************************************
  The z/VSE Connector Client does not correctly handle
  intermediate CA certificates when it validates peer
  certificates during SSL/TLS handshake. This might cause SSL/TLS
  connections to be rejected when the peer certificate is signed
  by an intermediate CA certificate, even though the intermediate
  CA certificate is contained in the keyring used by the VSE
  Connector Client.
  

Problem conclusion

• The VSE Connector Client code has been changed to accept peer
  certificates signed by an intermediate CA certificate in
  addition to peer certificates signed by a self-signed root
  certificate.
  

Temporary fix

Comments

APAR Information

• APAR is sysrouted FROM one or more of the following:

• APAR is sysrouted TO one or more of the following:

  UI61366

Modules/Macros

• IESINCON
  

Fix information

• Fixed component name

  VSE CONN. WS CO

• Fixed component ID

  5686VS638

Applicable component levels

• R62P PSY UI61366

     UP19/03/15 I 1000

Fix is available

• Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.