A fix is available
APAR status
Closed as program error.
Error description
When running on z/OS V2.4, a previously working connection to a System SSL server now fails. This occurs when the client sends an SSL V2 client hello message while also supporting one or more higher protocol versions, and the server supports SSL V3 or TLS (V1.0, V1.1, V1.2). The z/OS System SSL server fails the connection with RC 402 (GSK_ERR_NO_CIPHERS) from gsk_secure_socket_init(). Return code 510 (GSK_ERR_NO_KEY_LABEL_LIST_MATCH) from gsk_secure_socket_init() may be returned if the server has also specified a list of server certificate labels to be used when receiving the SSL V2 client hello.

ANALYSIS:

Job xxxxxxxx Process 0004012A Thread 00000001 read_v2_client_hello_as_v3 SSL V2 CLIENT-HELLO message
00000000: 01030100 36000000 1000C014 00C01300 *....6...........*
00000010: 00390000 33000035 00002F00 C00A00C0 *.9..3..5../.....*
00000020: 09000038 00003200 000A0000 13000005 *...8..2.........*
00000030: 00000400 00020100 800700C0 0000FFC1 *................*
00000040: E2B80946 CC9F3E72 C8F7F4B5 381395 *...F..>r....8.. *
...
Job xxxxxxxx Process 0004012A Thread 00000001 edit_ciphers SSL V3 cipher specs: 0035
Job xxxxxxxx Process 0004012A Thread 00000001 read_client_hello_cipher_select No intersection with client cipher suites
Local fix
BYPASS/CIRCUMVENTION: Disable SSL V2 for the client
Problem summary
USERS AFFECTED: System SSL V2R4 SSL/TLS server applications

PROBLEM DESCRIPTION: When moving to z/OS V2.4, a prior working connection to a System SSL server is now failing with return code 402 (GSK_ERR_NO_CIPHERS) from gsk_secure_socket_init() or -1 (GSK_ERROR_NO_CIPHERS) from gsk_secure_soc_init(). This error occurs due to the System SSL server not properly comparing ciphers when the client has sent an SSL V2 style client hello message and an SSL V3 or higher protocol is being negotiated.

Return code 510 (GSK_ERR_NO_KEY_LABEL_LIST_MATCH) from gsk_secure_socket_init() may be returned if the server has also specified a list of server certificate labels to be used when receiving the client hello message.

RECOMMENDATION: APPLY PTF

In V2R4, consolidation of code was done which resulted in the ciphers in the SSL V2 client hello message not being parsed correctly when an SSL V3 or higher protocol was being negotiated for the connection. The ciphers specified in an SSL V2 client hello message are 3 bytes in length. The cipher comparison code was treating the 3 byte ciphers as 2 bytes, which resulted in no cipher value being in common between the server and client.
Problem conclusion
When processing the SSL V2 client hello message, the code has been updated to recognize the 3 byte cipher lengths and perform correct cipher comparisons.
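The following added example (not IBM's code) parses the CLIENT-HELLO bytes from the trace in the error description and compares them against the server's cipher spec 0035, once with 3-byte entries and once with a 2-byte walk. The function names are hypothetical, and the 2-byte walk is an assumed model of the defect; the APAR does not show the actual comparison code.

```python
import struct

# CLIENT-HELLO bytes copied from the trace in the error description
# (the trace starts at the message type; no record header is shown).
HELLO = bytes.fromhex(
    "0103010036000000" "1000C01400C01300"
    "0039000033000035" "00002F00C00A00C0"
    "0900003800003200" "000A000013000005"
    "0000040000020100" "800700C00000FFC1"
    "E2B80946CC9F3E72" "C8F7F4B5381395"
)
SERVER_SUITES = [0x0035]  # "SSL V3 cipher specs: 0035" in the trace


def parse_v2_hello(msg):
    """Split an SSL V2 CLIENT-HELLO into version, raw cipher list, challenge."""
    if len(msg) < 9 or msg[0] != 1:
        raise ValueError("not an SSL V2 CLIENT-HELLO")
    major, minor, spec_len, sid_len, chal_len = struct.unpack_from(">BBHHH", msg, 1)
    if spec_len == 0 or spec_len % 3:
        raise ValueError("cipher spec length must be a non-zero multiple of 3")
    if 9 + spec_len + sid_len + chal_len != len(msg):
        raise ValueError("length fields do not match message size")
    specs = msg[9:9 + spec_len]
    return (major, minor), specs, msg[9 + spec_len + sid_len:]


def suites_3byte(specs):
    """Correct walk: 3-byte entries; a 0x00 first byte marks a V3/TLS suite."""
    return [int.from_bytes(specs[i + 1:i + 3], "big")
            for i in range(0, len(specs), 3) if specs[i] == 0]


def suites_2byte(specs):
    """Assumed model of the defect: the same bytes walked in 2-byte steps."""
    return [int.from_bytes(specs[i:i + 2], "big")
            for i in range(0, len(specs) - 1, 2)]


def select(server, client):
    """First server-preferred suite the client also offered, else None."""
    return next((s for s in server if s in client), None)


if __name__ == "__main__":
    version, specs, challenge = parse_v2_hello(HELLO)
    print("version", version, "entries", len(specs) // 3)
    print("3-byte walk:", select(SERVER_SUITES, suites_3byte(specs)))
    print("2-byte walk:", select(SERVER_SUITES, suites_2byte(specs)))
```

With 3-byte entries the client's 00 00 35 matches the server's 0035; in the 2-byte walk the same bytes surface as 3500, which reproduces the "No intersection with client cipher suites" line in the trace.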
Temporary fix
Comments
APAR Information
APAR number
OA59074
Reported component name
SYSTEM SSL
Reported component ID
565506805
Reported release
440
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2020-02-13
Closed date
2020-03-30
Last modified date
2020-05-02
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
UJ02508 UJ02509
Modules/Macros
GSKCMS31 GSKCMS64 GSKS31F GSKS64F GSKS31 GSKS64
Fix information
Fixed component name
SYSTEM SSL
Fixed component ID
565506805
Applicable component levels
Fix is available
Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.
[{"Business Unit":{"code":"BU054","label":"Systems w\/TPS"},"Product":{"code":"SG19M","label":"APARs - z\/OS environment"},"Platform":[{"code":"PF054","label":"z Systems"}],"Line of Business":{"code":"","label":""}}]
Document Information
Modified date:
04 May 2020