IBM Support

PH18435: TLS CERTIFICATE VERIFICATION

A fix is available

Subscribe

You can track all active APARs for this component.

 

APAR status

  • Closed as new function.

Error description

Local fix

  • N/A
    

Problem summary

  • ****************************************************************
    * USERS AFFECTED: All TCP/IP users with TLS enabled and a need *
    *                 either to:                                   *
    *                   - authenticate a client's certificate      *
    *                   - extract fields from a certificate        *
    *                   - allow a client to verify the identity of *
    *                     a server                                 *
    ****************************************************************
    * PROBLEM DESCRIPTION:                                         *
    ****************************************************************
    * RECOMMENDATION: APPLY PTF                                    *
    ****************************************************************
    Enhancements within the TCP/IP TLS/SSL server allow
    authentication of client certificates, hostname validation, and
    extraction of fields from a certificate.
    
    Client certificate authentication support allows a server to
    verify a client by examining the certificate it presents to
    ensure that it has been signed by a certificate authority the
    server trusts and that it has not expired.  The client
    authentication support that was previously added to
    dynamically secured Telnet connections has been expanded
    to the z/VM FTP and SMTP servers.  Additionally, the PORT
    statement in the TCPIP configuration file has been
    updated to allow client certificate authentication for
    statically secured connections.
    
    Host name validation support allows a client to verify the
    identity of a server by passing a string containing a host
    name, domain name, or IP address on the handshake request.
    The string will be compared to fields in the server
    certificate.  If the string is not contained in the server
    certificate, the client may decide to fail the handshake.
    
    In addition to the above support, new APIs extract fields
    from a client or server certificate.
    

Problem conclusion

Temporary fix

Comments

  • For client certificate authentication, the CLIENTCERTCHECK
    option will be used to specify if a client certificate will
    be requested and what action will be taken if authentication
    fails.  This option has been added to the SECURE statements
    in the FTP and SMTP server configuration files and also to
    the PORT statement for statically secured connections.  The
    allowable values for the CLIENTCERTCHECK option are
    NONE | PREFERRED | REQUIRED.  The default setting is
    PREFERRED which means that a client certificate will
    be requested but if authentication fails, the handshake will
    continue.  Note that IBM Host On-Demand users will need to
    configure their clients to send client certificates as the
    default or will need to add CLIENTCERTCHECK NONE to the
    INTERNALCLIENTPARMS statement in the TCPIP Config file so
    that a client certificate is not requested.
    
    New APIs will allow fields to be requested from a local or
    partner certificate.  The new APIs include a TCPSCERTDTA call
    for Pascal routines and a new SIOCGCERTDATA ioctl code for IUCV
    and C routines.
    
    For Host Name Verification, the SecureDetailType structure has
    been updated with a new Version field.  When the Version is
    set to 1, a new SecureDetailExtension can be included on a
    secure client call to specify an FQDN, host name or IP address.
    This value will be compared to the Common Name, Domain Name,
    or Subject Alternate Name extension marked as an IP address in
    the server certificate to verify the identity of the server.
    
    The z/VM Telnet client has been updated to use the new
    SecureDetailExtension.  Note that when Host Name
    Verification is enbled, values inside the server's digital
    certificate will be checked against the hostname or
    IP address of the TCP/IP stack.  Use of this option may
    potentially require new or updated digitial certificates,
    if such fields have not already been included.
    
    Refer to the updated TCP/IP Planning and Customization and
    TCP/IP Programmer's Reference for details of the above support.
    
    This APAR ships many of the TCP/IP client and server modules.
    In addition, new versions of CMS and LE (APARs VM66348 and
    VM66349) are required for the SSL server and any users that
    will be issuing the new SIOCGCERTDATA ioctl.  A restart of all
    of these clients and servers will be required.  No restart
    of z/VM itself is required.
    ×**** PE21/03/24 FIX IN ERROR. SEE APAR PH35671  FOR DESCRIPTION
    

APAR Information

  • APAR number

    PH18435

  • Reported component name

    TCP/IP FOR Z/VM

  • Reported component ID

    5735FAL00

  • Reported release

    710

  • Status

    CLOSED UR1

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2019-10-23

  • Closed date

    2020-06-10

  • Last modified date

    2021-06-29

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

    UI69975

Modules/Macros

  • CMCLIEN  CMCOMM   CMCONVXL CMDASDR  CMERUPT  CMFSCRN  CMHOSTN
    CMINTER  CMMAKSI  CMNETST  CMOBEY   CMPRCOM  CMRESGLB CMRESOL
    CMSOCK   CMVERT   DTCNETRC FPNOTIF  FPQUEUE  FPSCHED  FPSOCKRE
    FPTCPREQ FPTCPUP  FTMAIN   FTP      FTPROCS  FTSEVEN  FTSRVCO
    FTSRVPA  FTSUTIL  FTSVMSUB FTSYPRO  FTUTIL   F6TCPUP  HOMETEST
    LPQ      LPRM     LPRP     MSCOMM   MSCOMMON MSCONVXL MSFTP
    MSFTPC   MSHOMETE MSMAKESI MSNETSTA MSOBEY   MSSAMP   MSSMTP
    MSSMTR   MSTCP    MSTEL    MSTESTSI MSTFTP   MSTRACE  REXEC
    SMTP     SMTPCMDS SMTPEVNT SMTPGLOB SMTPQUEU SMTPRES  SMTPRPLY
    SMTPRULE SMTPSMSG SRVRFTP  SSLADMNP SSLCTLIO SSLDPUMP SSLGSKCF
    SSLMNTOR SSLREPRT SSLSCBEX SSLTRACE SSLTRSIT TCACB    TCARP
    TCBASEX  TCBASTY  TCCLIEN  TCFPSM   TCFR182  TCIPDOW  TCMIB
    TCMON    TCMPRIO  TCNOTIF  TCPARSE  TCPDOWN  TCPEQUAT TCPERUP
    TCPIP    TCPREQU  TCPRINT  TCPSSL   TCPUP    TCQDIO   TCQUEUE
    TCSHUT   TCSKCB   TCSOCKC  TCSOCKRE TCTCB    TCTOATM  TCTOCTC
    TCTOHPPI TCTOOSD  TCUDPRE  TCUTIL   TFPARSE  TFUTIL   TNSTMAS
    TNUTMAS  T6PREQU  T6PSSL   T6SOCKRE T6UDPRE
    

Publications Referenced
GC24632801GC24633003SC24633104SC24633203SC24633303

Fix information

  • Fixed component name

    TCP/IP FOR Z/VM

  • Fixed component ID

    5735FAL00

Applicable component levels

  • R710 PSY UI69975

       UP20/06/16 P 2101

Fix is available

  • Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.

[{"Business Unit":{"code":"BU011","label":"Systems - zSystems software"},"Product":{"code":"SG27N"},"Platform":[{"code":"PF054","label":"z/OS"}],"Version":"710"}]

Document Information

Modified date:
30 June 2021