IBM Support

PH45902: NEW FUNCTION - Add AT-TLS support for x25519/x448 and limiting key exchange elliptic curves for TLSv1.2 and earlier

A fix is available


APAR status

  • Closed as new function.

Error description

  • New function - Add AT-TLS support for x25519/x448 and limiting
    key exchange elliptic curves for TLSv1.2 and earlier
    

Local fix

Problem summary

  • ****************************************************************
    * USERS AFFECTED:                                              *
    * All users of the IBM Communications Server for z/OS Version  *
    * 2 Release 5 IP: AT-TLS                                       *
    ****************************************************************
    * PROBLEM DESCRIPTION:                                         *
    * NEW FUNCTION - AT-TLS support for x25519 and x448 key        *
    * exchange curves for TLSv1.0, TLSv1.1 and TLSv1.2             *
    ****************************************************************
    * RECOMMENDATION:                                              *
    * Apply PTF                                                    *
    ****************************************************************
    

Problem conclusion

  • AT-TLS has been enhanced to allow the x25519 and x448 elliptic
    curves to be used for TLSv1.0, TLSv1.1, and TLSv1.2 negotiated
    connections.
    
    AT-TLS has also been enhanced to give TLS servers the ability to
    limit the elliptic curves chosen for TLSv1.0, TLSv1.1, and
    TLSv1.2 key exchanges. A new AT-TLS parameter ServerKexECurves
    is added on the TTLSSignatureParms statement.
    
    For documentation updates, including the syntax for the new
    Policy Agent parameter ServerKexECurves, consult the following:
    https://www.ibm.com/support/pages/node/6595143
    
    The PTF for System SSL APAR OA61783 must be installed before or
    concurrently with this PTF.
    

Temporary fix

Comments

APAR Information

  • APAR number

    PH45902

  • Reported component name

    TCP/IP MVS

  • Reported component ID

    5655HAL00

  • Reported release

    250

  • Status

    CLOSED UR1

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    YesSpecatt / New Function / Xsystem

  • Submitted date

    2022-04-25

  • Closed date

    2022-07-08

  • Last modified date

    2022-09-01

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

    UI81370

Modules/Macros

  • EZAPATPL EZAPAZPE EZACDTNE EZAPAPPS EZAPAPP  EZAPAPPR EZAPAESE
    EZAPALDP EZAPAZPK EZAPAPDP EZAPABMG EZAPAPDM EZACDDNE EZAPAPLD
    EZAPATTL EZAPATID EZAPATMG EZADLPAP EZBDGDAT EZAPAACT EZAPADAT
    EZAPATMP EZAPACOL EZAPAJMG EZAPACOM EZAPARMG EZAPAPRP EZBTLRTN
    EZAPAUTL EZACDONE EZAPAPRT EZAPAPNT EZAPATRT EZBDGTLS EZAPAPNS
    EZAPAAMG EZAPAETL EZAPAPRD EZAPACLT EZAPAUTI EZAPAPGN EZAPAEZP
    EZACDNE6 EZACDNE1 EZAPAEMG EZACDNE0 EZACDNE2 EZAPAIMG EZACDNM6
    EZAPATSE EZAPAPSH
    

Fix information

  • Fixed component name

    TCP/IP MVS

  • Fixed component ID

    5655HAL00

Applicable component levels

  • R250 PSY UI81370

       UP22/08/02 P F208  

Fix is available

  • Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.

Document Information

Modified date:
01 September 2022