PK53555: UNABLE TO TURN OFF SSLV2 WITHOUT TURNING OFF TLSV1

A fix is available

APAR status

  • Closed as program error.

Error description

  • To disable SSLV2 in the HTTP Server for z/OS, no SSLV2 cipher
    specs are coded in the SSLCipherSpecs entry in the httpd.conf
    file.  But in doing this, ONLY SSLV3 protocol will be enabled
    and TLSV1 will be disabled.
    

Local fix

Problem summary

  • ****************************************************************
    * USERS AFFECTED: All customers who use HTTP Server 5.3 for    *
    *                 z/OS with SSL.                               *
    ****************************************************************
    * PROBLEM DESCRIPTION: The server provides no way to enable    *
    *                      SSL connections using TLS encryption    *
    *                      without enabling SSLV2.                 *
    ****************************************************************
    * RECOMMENDATION:                                              *
    ****************************************************************
    In the HTTP Server for z/OS, enhancement is needed to allow
    customers to enable TLSV1 without enabling SSLV2.
    

Problem conclusion

  • APAR PK53555 adds configuration options to allow customers to
    enable TLSV1 in the HTTP Server without enabling SSLV2.
    In addition, APAR PK53555 adds an option to use a multiple-
    environment SSL interface, which permits more flexibility in
    the use of SSL options to LDAP servers or to other programs
    running in the same address space. The multi-environment option
    also provides a better method of enabling TLSV1 connections.
    
    The following COMPID's are affected by these changes:
    
    5697D4300 LDGW for z/OS Version 5
    
    PTF07G
    The code changes are stored in CMVC under defect 84960.
    
    PK53555 enhances the HTTP Server for z/OS to allow customers
    to enable TLSV1 in the HTTP Server without enabling SSLV2.
    The existing restart restriction is still true: You cannot
    change SSL options and have them take effect with a restart;
    that is, you must shut the server down and start it again to
    change any SSL options.
    
    In "Appendix A. Commands", under "IMWHTTPD program", under
    "flags", please replace this text:
    -sslmode  on|off
     For a secure server, turns on the SSL protocol.
    Replace it with this text:
    -sslmode  on|off|multi
     For a secure server, turns on the SSL protocol. APAR PK53555
    enables the "multi" option. Please see the "SSLMode" directive
    for details.
    
    
    In "Appendix B. Configuration directives", under "Security -
    Set up secure connections for the server", under
    "SSLCipherSpec", add the following information after "North
    American edition" after the text "30 NULL NULL":
    T1    allow TLSV1 connections only
    S3    allow SSLV3 connections only
    Note: The CipherSpecs "T1" and "S3" are not actually
    SSLCipherSpecs, but when coded in various combinations with
    other SSLCipherSpecs, they disallow the other type of
    secure connections.
    Please note that SSLV2 connections are considered less secure
    than SSLV3 or TLSV1 connections.
    To allow SSLV2 only, code only SSLV2 SSLCipherSpecs. Example:
            SSLCipherSpec 27 26
    If you code or default the "sslmode on" directive, to allow
    SSLV3 connections only, code only SSLV3 specs. Example:
            SSLCipherSpec 35 34 3A
    If you code the "sslmode multi" directive, to allow SSLV3
    connections only, code only SSLV3 specs and "S3". Example:
            SSLCipherSpec 35 34 3A S3
    To allow TLSV1 only, code only SSLV3 specs and "T1". Example:
            SSLCipherSpec 3A 39 33 36 T1
    If you code the "sslmode multi" directive, to allow both
    SSLV3 and TLSV1 but not SSLV2, code only SSLV3 specs:
            SSLCipherSpec 35 34 3A 39 33 36
    If you code or default the "sslmode on" directive, you cannot
    allow both SSLV3 and TLSV1 without enabling SSLV2.
    To allow SSLV2, SSLV3, and TLSV1, code both SSLV2 and SSLV3
    specs, but not "S3", or "T1". Example:
            SSLCipherSpec 39 3A 36 24
    Other combinations produce unpredictable results.
    
    In "Appendix B. Configuration directives", under "Security -
    Set up secure connections for the server", under
    "SSLMode - Turn SSL on or off", please replace the following
    sentence:
    "Note: If both NormalMode and SSLMode are turned off, the
    server starts in normal mode with an insecure connection."
    It should be as follows.
    "Note: If you turn off both NormalMode and SSLMode, the server
    will not start."
    Add the following information:
    The format of this directive is:
    SSLMode  off | on | multi
    APAR PK53555 enables the value "multi". This value allows you
    more flexibility in enabling TLSv1. For details, see the
    SSLCipherSpec directive. The value "multi" also allows you to
    use different keyfiles for the main server and for the
    connection to LDAP servers. It may be incompatible with the
    WebSphere Application Server plug-in, so do not code this
    option if you are using it.
    Note that the value in the "-sslmode" option on the httpd
    command or the IMWHTTPD program overrides this directive.
    
    In "APPENDIX1.2.3.8 NoLastMod - Specify whether LastModified
    HTTP headers are added to CGI program output":
    Please replace each occurrence of "CGI program output" or
    "CGI output" with "CGI or GWAPI program output".
    
    In "APPENDIX1.1.7.2.3 Flags":
    Please replace "CGI output" with "CGI or GWAPI program output".
    
    In "APPENDIX1.2.12.1 Multi-Format Processing":
    Please replace this phrase:
    "and a file with that name and no suffix does not exist"
    with this slightly more comprehensible phrase:
    "and a file with that exact name, without a suffix, does not
    exist".
    
    * Cross Reference between External and Internal Names
    
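The SSLCipherSpec rules above (with the "T1" and "S3" markers) and the precedence of the "-sslmode" flag over the SSLMode directive are compact enough to encode as a configuration check. The following Python is an added example, not IBM code and not part of this APAR: it classifies cipher specs using only the codes that appear in the APAR's own examples (an assumption; the product's real SSLCipherSpec table is larger), parses a constructed httpd.conf fragment, and reports which protocol versions a given SSLMode and SSLCipherSpec combination enables, flagging configurations that still accept SSLV2 or that end up without TLSV1.

```python
"""Check which SSL protocol versions an HTTP Server for z/OS 5.3 httpd.conf
enables, applying the SSLMode / SSLCipherSpec rules documented in APAR
PK53555.  Added example, not IBM code.
"""

# Cipher-spec classification constructed ONLY from the codes used in the
# APAR's own examples (assumption: the product's full table is larger).
SSLV2_SPECS = frozenset({"24", "26", "27"})
SSLV3_SPECS = frozenset({"33", "34", "35", "36", "39", "3A"})  # SSLV3/TLSV1 specs
MARKERS = frozenset({"T1", "S3"})  # pseudo-specs introduced by PK53555

UNPREDICTABLE = "unpredictable"  # the APAR's word for undocumented combinations


def enabled_protocols(sslmode, specs):
    """Return a frozenset of protocols ("SSLV2", "SSLV3", "TLSV1") enabled by
    the SSLCipherSpec tokens under the given SSLMode, or UNPREDICTABLE for a
    combination the APAR does not document."""
    mode = sslmode.lower()
    if mode == "off":
        return frozenset()
    if mode not in ("on", "multi"):
        raise ValueError("unknown SSLMode value: %r" % sslmode)
    toks = [t.upper() for t in specs]
    unknown = [t for t in toks if t not in SSLV2_SPECS | SSLV3_SPECS | MARKERS]
    if unknown:
        raise ValueError("cipher spec(s) not in the classification table: %s"
                         % ", ".join(unknown))
    has_v2 = any(t in SSLV2_SPECS for t in toks)
    has_v3 = any(t in SSLV3_SPECS for t in toks)
    t1, s3 = "T1" in toks, "S3" in toks

    if has_v2 and not has_v3 and not (t1 or s3):
        return frozenset({"SSLV2"})                    # only SSLV2 specs
    if has_v2 and has_v3 and not (t1 or s3):
        return frozenset({"SSLV2", "SSLV3", "TLSV1"})  # both kinds, no marker
    if has_v3 and not has_v2:
        if t1 and not s3:
            return frozenset({"TLSV1"})                # SSLV3 specs + T1
        if s3 and not t1:
            # SSLV3 specs + S3 is documented for "sslmode multi" only
            return frozenset({"SSLV3"}) if mode == "multi" else UNPREDICTABLE
        if not (t1 or s3):
            # SSLV3 specs alone: "multi" gives SSLV3+TLSV1, "on" gives SSLV3 only
            return (frozenset({"SSLV3", "TLSV1"}) if mode == "multi"
                    else frozenset({"SSLV3"}))
    return UNPREDICTABLE


def audit_httpd_conf(text, cmdline_sslmode=None, assumed_default="on"):
    """Parse the SSLMode and SSLCipherSpec directives out of httpd.conf text
    and report the enabled protocols with findings.  cmdline_sslmode models the
    -sslmode flag, which the APAR says overrides the directive.  assumed_default
    is used only when no SSLMode directive is present (assumption; check the
    product documentation for the real default)."""
    sslmode, specs = None, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()     # drop comments
        if not line:
            continue
        parts = line.split()
        key = parts[0].lower()
        if key == "sslmode" and len(parts) >= 2:
            sslmode = parts[1]
        elif key == "sslcipherspec":
            specs.extend(parts[1:])
    if cmdline_sslmode is not None:
        sslmode = cmdline_sslmode
    if sslmode is None:
        sslmode = assumed_default
    protocols = enabled_protocols(sslmode, specs)

    findings = []
    if protocols == UNPREDICTABLE:
        findings.append("SSLCipherSpec combination is not one the APAR documents")
    else:
        if "SSLV2" in protocols:
            findings.append("SSLV2 is enabled; the APAR rates it less secure than SSLV3/TLSV1")
        if "TLSV1" not in protocols and sslmode.lower() != "off":
            findings.append("TLSV1 is not enabled")
    return {"sslmode": sslmode.lower(), "specs": [t.upper() for t in specs],
            "protocols": protocols, "findings": findings}


# Constructed httpd.conf fragment for demonstration (not from the APAR).
SAMPLE_CONF = """\
# constructed sample
NormalMode on
SSLMode    multi
SSLCipherSpec 35 34 3A 39 33 36   # SSLV3 specs only -> SSLV3 + TLSV1, no SSLV2
"""

if __name__ == "__main__":
    for label, kw in (("directive", {}),
                      ("-sslmode on override", {"cmdline_sslmode": "on"})):
        print(label, audit_httpd_conf(SAMPLE_CONF, **kw))
```

Running the sample twice, once as configured and once with the "-sslmode on" override, reproduces the APAR's central point: the same SSLV3-only SSLCipherSpec list yields SSLV3 plus TLSV1 under "multi" but SSLV3 alone under "on", and the checker reports the missing TLSV1 in the second case. Any spec code outside the small constructed table raises rather than guessing, so the table must be filled in from the product documentation before use on a real configuration.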

Temporary fix

Comments

APAR Information

  • APAR number

    PK53555

  • Reported component name

    DGW/WAS OS/390

  • Reported component ID

    5697D4300

  • Reported release

    530

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2007-09-26

  • Closed date

    2007-10-04

  • Last modified date

    2007-11-02

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Modules/Macros

  • IMWGSIPC IMWHTSCJ IMWHTSEC IMWJAV   IMWJJAVA
    IMWJPR   IMWLACCS IMWLACSS IMWLALRT IMWLANCR IMWLASOC IMWLASRT
    IMWLATMP IMWLATOM IMWLAUTL IMWLBAG  IMWLBTRE IMWLCHNK IMWLCKCF
    IMWLCNTR IMWLCPCV IMWLCSR  IMWLDAP  IMWLDATA IMWLDESC IMWLDRBR
    IMWLERRR IMWLFILE IMWLFMT  IMWLFPRT IMWLFTP  IMWLFTPD IMWLGOPH
    IMWLHASH IMWLICON IMWLINIT IMWLISOC IMWLLDSR IMWLLIST IMWLMLTI
    IMWLNLS  IMWLOOM  IMWLOS2S IMWLPOOL IMWLPRIO IMWLPRSE IMWLPRTU
    IMWLSCP1 IMWLSEM4 IMWLSNPL IMWLSP2  IMWLSTRG IMWLSTRM IMWLTCP
    IMWLTFPT IMWLTHD  IMWLTP   IMWLTPOL IMWLTRCE IMWLUU   IMWLVINT
    IMWLWILD IMWLWORK IMWLWRTR IMWLWUS  IMWNODPI IMWSACL  IMWSADM
    IMWSAFIL IMWSAPID IMWSAPIP IMWSAPRO IMWSARCV IMWSARGV IMWSASRV
    IMWSAUTH IMWSBOMB IMWSCACF IMWSCACH IMWSCACP IMWSCAGC IMWSCAGL
    IMWSCALO IMWSCAMA IMWSCANE IMWSCAPA IMWSCAQU IMWSCAUR IMWSCAWO
    IMWSCCHI IMWSCGPR IMWSCGUT IMWSCLC  IMWSCNTR IMWSCONF IMWSCONS
    IMWSDAPI IMWSDMDR IMWSDOGC IMWSDSTR IMWSDVAR IMWSENTY IMWSENV
    IMWSFCGI IMWSFNM  IMWSGC   IMWSGLOB IMWSGRP  IMWSHBF  IMWSHEAD
    IMWSHTHP IMWSIFMS IMWSIMGE IMWSIMS  IMWSIUMS IMWSJAPI IMWSJBE
    IMWSJCFG IMWSJTHD IMWSKILL IMWSLEX  IMWSLOAD IMWSLOG  IMWSLOOP
    IMWSLSTT IMWSMETH IMWSNS   IMWSOSMF IMWSPCA  IMWSPCSP IMWSPDB
    IMWSPERF IMWSPEV  IMWSPF   IMWSPICS IMWSPL   IMWSPRD  IMWSPROC
    IMWSPW   IMWSQUEU IMWSREQ  IMWSRLDB IMWSRNGE IMWSRSP  IMWSRSRT
    IMWSRTRC IMWSRTRV IMWSSCRP IMWSSECP IMWSSGNL IMWSSIO  IMWSSIPC
    IMWSSNMP IMWSSRC  IMWSSRER IMWSSRVR IMWSSSI  IMWSSTAT IMWSSTBD
    IMWSSTHD IMWSSUTL IMWSTASH IMWSTEC  IMWSTIMR IMWSTIMU IMWSUID
    IMWSUIDU IMWSURDB IMWSUSRI IMWYSCNT IMWYSPWD
    

Fix information

  • Fixed component name

    DGW/WAS OS/390

  • Fixed component ID

    5697D4300

Applicable component levels

  • R53B PSY UK29919

       UP07/10/11 P F710

  • R530 PSY UK29918

       UP07/10/11 P F710

  • R531 PSY UK29920

       UP07/10/11 P F710

Fix is available

  • Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.

Document Information

Modified date:
02 November 2007