IBM Support

PH14225: MQ CLIENT SENDS SSL V2 CLIENT HELLO INDICATING SUPPORT FOR SSL V3 WITH 3DES CIPHER. 20/07/06 PTF PECHANGE

A fix is available


APAR status

  • Closed as new function.

Error description

  • In some circumstances, MQ rejects client connections without
    issuing any subsequent error messages. In the case of a new
    connection, MQ makes two initial checks to determine if a
    connection is valid:
    1. Check if the initial data is a TSH header on an unencrypted
    channel
    2. Check if it is an SSL flow
    If neither is seen, MQ issues the following error
    messages:
    - CSQX053E for XFFSrriBadDataReceived rriBadDataReceived
                   XFFSrriConvertValidate rriConvertValidate
    - CSQX207E Invalid data received
    - CSQX504E Local protocol error type=0000000B data=00000000
    Because an SSL v2 client hello is not supported in V9.1.1, MQ
    flags it as unrecognized data and issues the above set of error
    messages.
    .
    Additional symptoms:
    A back-level Java client trying to connect with the old
    SSL protocol may receive
    MQJE001: Completion Code 2, Reason 2397
    .
    Pre-V7 client channels will have blanks for RVERSION in
    DISPLAY CHSTATUS output.
    .
    In MQ V9.0.0 with UI68820 applied and in V9.1.0 with UI68821
    applied, this issue can also result in messages CSQX259E,
    CSQX053E and a CSQSNAP from xcsFreeOwnedBuffers.
    

Local fix

  • N/A
    

Problem summary

  • ****************************************************************
    * USERS AFFECTED: All users of IBM MQ for z/OS Version 9       *
    *                 Release 0 Modification 0, Release 1          *
    *                 Modification 0 and Release 2 Modification 0. *
    ****************************************************************
    * PROBLEM DESCRIPTION: When MQ receives a connection it does   *
    *                      some checks on the received data to     *
    *                      determine whether it represents an SSL  *
    *                      flow. Changes introduced in PH23074     *
    *                      inadvertently made some assumptions     *
    *                      about the format of received SSL data.  *
    *                      If the SSL flow was using an old SSL V2 *
    *                      format hello, then various errors may   *
    *                      occur in the CHINIT depending on the    *
    *                      specific contents of the SSL hello.     *
    ****************************************************************
    APAR PH23074 added additional checks to data received through an
    SSL connection. If the SSL connection uses an old SSL V2 format
    hello then various error messages may be output in the CHINIT
    depending on the specific contents of the data.
    
    This may result in messages CSQX259E, CSQX053E being issued in
    the CHINIT and a CSQSNAP dump being taken from
    xcsFreeOwnedBuffers.
    

Problem conclusion

  • The code has been changed to correctly reject SSL V2 format
    hellos. Note that connections using this old format will still
    be rejected, accompanied by CSQX207E and CSQX504E messages in
    the CHINIT.
    

Temporary fix

Comments

APAR Information

  • APAR number

    PH14225

  • Reported component name

    IBM MQ Z/OS V9

  • Reported component ID

    5655MQ900

  • Reported release

    000

  • Status

    CLOSED PER

  • PE

    YesPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2019-07-08

  • Closed date

    2020-10-30

  • Last modified date

    2021-01-04

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

    UI71464 UI71465 UI72345

Modules/Macros

  • CSQFXLAT CSQMCNAC CSQUMSG  CSQXCCCX CSQXCCIS CSQXGINI CSQXMSG
    CSQXRPLY
    

Fix information

  • Fixed component name

    IBM MQ Z/OS V9

  • Fixed component ID

    5655MQ900

Applicable component levels

  • R000 PSY UI71464

       UP20/11/02 P F010

  • R100 PSY UI71465

       UP20/11/02 P F010

  • R200 PSY UI72436

       UP20/12/08 P F012

Fix is available

  • Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.


Document Information

Modified date:
05 January 2021