A fix is available
APAR status
Closed as program error.
Error description
During SSL Handshake processing, customer intermittently receives message DFHSO0123 reporting error code 446 - GSK_ERR_TLS_EXTENSION_MISMATCH. CICS handles this as a severe error and produces a DFHSO0002 (code x'080C') dump. The 446 error code indicates a client is trying to communicate with CICS using a higher level of TLS than is supported by this CICS region. In this scenario, the CICS region is running with ENCRYPTION(WEAK) coded in the DFHSIT which allows only the lowest level of TLS 1.0. CICS should treat this as a soft error and not produce a DFHSO0002 dump. Additional Symptom(s) Search Keyword(s): KIXREVDAM GSK ERR TLS EXTENSION MISMATCH
Local fix
Problem summary
**************************************************************** * USERS AFFECTED: All CICS users. * **************************************************************** * PROBLEM DESCRIPTION: DFHSO0002 is issued when SSL fails with * * GSK_ERR_TLS_EXTENSION_MISMATCH * * (response code 446). * **************************************************************** * RECOMMENDATION: * **************************************************************** CICS is setup with SSL. A client connects to CICS using a higher level of TLS than is supported by the CICS region. This causes the socket initialization failed with gsk response code 446 (GSK_ERR_TLS_EXTENSION_MISMATCH). CICS treats code 446 as a severe error and issues message DFHSO0123 to report it. In addition, DFHSO0002 is issued with a system dump. Response code 446 should be treated as a client side error, message DFHSO0002 and the system dump is unnecessary for this type of error. Additional Keywords: msgDFHSO0123 SO0123 msgDFHSO0002 SO0002
Problem conclusion
DFHSOSE has been changed to only issue message DFHSO1023 with the correct description, when gsk returns response code 446. The DFHSO0002 is not issued and a system dump is not taken. CICS Transaction Server for z/OS Version 4 Release 1 CICS Messages and Codes, GC34-7035-03 has amended the description of message DFHSO0123. Change the line "Export restriction}." to "Export restriction | TLS version mismatch}." Change the line "46=Export restriction" to "46=Export restriction, 47=TLS version mismatch". CICS Transaction Server for z/OS Version 4 Release 2 CICS Messages and Codes Vol 2, GC34-7176-01 has amended the description of message DFHSO0123. Change the line "Export restriction}." to "Export restriction | TLS version mismatch}." Change the line "46=Export restriction" to "46=Export restriction, 47=TLS version mismatch".
Temporary fix
FIX AVAILABLE BY PTF ONLY
Comments
APAR Information
APAR number
PI38964
Reported component name
CICS TS Z/OS V4
Reported component ID
5655S9700
Reported release
600
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt
Submitted date
2015-04-13
Closed date
2015-08-07
Last modified date
2015-09-02
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
PI44136 UI30066 UI30067
Modules/Macros
DFHMESOC DFHMESOE DFHMESOK DFHSOSE DFH38964
GC34703503 | GC34717601 |
Fix information
Fixed component name
CICS TS Z/OS V4
Fixed component ID
5655S9700
Applicable component levels
Fix is available
Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.
[{"Business Unit":{"code":"BU058","label":"IBM Infrastructure w\/TPS"},"Product":{"code":"SSGMGV","label":"CICS Transaction Server"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"4.1","Edition":"","Line of Business":{"code":"LOB35","label":"Mainframe SW"}},{"Business Unit":{"code":"BU054","label":"Systems w\/TPS"},"Product":{"code":"SG19M","label":"APARs - z\/OS environment"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"4.1","Edition":"","Line of Business":{"code":"","label":""}}]
Document Information
Modified date:
02 September 2015