A fix is available
APAR status
Closed as new function.
Error description
VSE/POWER PNET SSL supports the following ciphers only: 01, 02, 08, 09, 0A, 2F, 35. TCP/IP for z/VSE and OpenSSL support more secure ciphers. VSE/POWER PNET SSL should support all available ciphers.
Local fix
Problem summary
****************************************************************
* USERS AFFECTED: All users of PNET SSL                        *
****************************************************************
* PROBLEM DESCRIPTION:                                         *
****************************************************************
VSE/POWER PNET SSL supports the following ciphers only: 01, 02, 08, 09, 0A, 2F, 35. Most of these ciphers are deprecated. VSE/POWER needs to support all ciphers available.
Problem conclusion
Temporary fix
Comments
PNODE macro code changes:
A new CIPHERS operand is added with a length of 20 hexadecimal characters for a remote SSL node. A new table with the characters 0-9 and A-F has been added to verify the input format. In DSECT NTHDS the new field NDTCIPH uses 20 bytes of storage after the existing field NDTKEYM, leaving 2F reserved for future use. Code to verify the CIPHERS input is added after CRYP90. The internal variable &CIPHS is set to blanks (20), then the following checks are done:
1. if CIPHERS is omitted, continue with the next operand
2. if Local Node is true, report error #1 and ignore the entry
3. if neither SSL Hostname nor SSL Host Address is specified, report error #2
4. if the input is too long, report error #3
5. if the input is not hexadecimal, report error #4
After a successful check, &CIPHS is set to &CIPHERS and copied into the PNODE DSECT for the remote node. The ENCRYPT operand is excluded and the code in section CRYP10 is replaced by MNOTE 3,' ENCRYPT PARAMETER IGNORED '.

IPW$$SD module code changes:
The ciphers list used for starting an SSL connection to a remote node is retrieved from the CIPHERS operand of the PNODE macro or, if the operand is omitted, it is obtained from the local TCP/IP SSL stack.
After the TDINITAS socket call, GSKGETCIPHINFO was added; after a successful return the retrieved ciphers are stored in a local save area (104 bytes).
Before SDSSLSI0 in the routine for SSL-INIT, insert code which checks NDTCIPH > x40. If CIPHERS is specified, copy them to NCBSSLCC and remove trailing blanks. Otherwise copy the saved local ciphers.
After SDSSLSIN, remove the superfluous check for matching ciphers.

IPW$$CI module code changes:
After PINQP89D, skip the display of ENCRYPT.
After INQP89D2, show the agreed cipher as a 4-character field.
After OWN184, skip the display of message line 1R56I CIPHERS: STRONG=... NORMAL=... WEAK=... and show the agreed cipher as a 4-character field.

IPW$$DT module code changes:
At DTLVAPAR insert the new levelset information. The PTF for this APAR supersedes all previous VSE/POWER PTFs and will show a new VSE/POWER level in SIR output and PDISPLAY STATUS.

Update for VSE/POWER Administration and Operation SC34-2743-00
Chapter 2. Tailoring VSE/POWER, PNODE Generation Macro for Networking Support
Add ",SECTYPE=TLSV1", ",SECTYPE=TLSV1.2" and ",SECTYPE=TLSV1.3" to Format 1: Defining the Local Node.
Remove the ENCRYPT operand from the syntax diagram in the section Format 5: Defining a Directly Linked SSL Node.
Insert the CIPHERS operand into the syntax diagram in the section Format 5: Defining a Directly Linked SSL Node:

   --------------------------------
   |                              |
   +-----,CIPHERS=hexstring-------+

Remove the description of the ENCRYPT operand in the section "Operands of the PNODE macro".
Add the description of the CIPHERS operand into the section "Operands of the PNODE macro":
CIPHERS=hexstring
The operand defines the list of ciphers that you want to use for the connection to this remote SSL node, in the order of usage preference. The list can contain up to 20 hexadecimal characters in total, and the ciphers must be supported by the SSL implementation. Ciphers describe the SSL encryption technique, key size and message authentication code (MAC). If the CIPHERS operand is omitted, the list of ciphers is obtained from the SSL implementation. Server and client agree upon the first match within their lists. The operand is applicable for a directly linked SSL node only. For details, see z/VSE TCP/IP Support.
Change the text for operand SECTYPE=TLSV1|type of security protocol:
...Currently, 'SSL30' for SSL Version 3.0, 'TLSV1' for TLS Version 1.0, 'TLSV1.2' for TLS Version 1.2 and 'TLSV1.3' for TLS Version 1.3 are supported. ...

Chapter 4. VSE/POWER Operator Commands
PINQUIRE: Requesting Remote Status Information - Examples of Remote Status Information
Example 5: I NODE=own-node, Figure 64:
Remove line 1R56I CIPHERS: STRONG=X'0A62' NORMAL='09' WEAK='080102'
In the Explanation, remove the matching part.
Example 6: I NODE=remote-node with SSL
Change line
1R56I LOCAL NODE IS ACTING AS CLIENT,ENCRYPT=NORMAL,CIPHER=X'09'
to
1R56I LOCAL NODE IS ACTING AS CLIENT,CIPHER=X'0009'
Change line
1R56I LOCAL NODE IS ACTING AS SERVER,ENCRYPT=NORMAL,CIPHER=X'09'
to
1R56I LOCAL NODE IS ACTING AS SERVER,CIPHER=X'0009'
Change the explanation to:
1R56I LOCAL NODE IS ACTING AS CLIENT|SERVER, CIPHER=X'0009'
The command displays the used cipher (CIPHER=).
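The CIPHERS operand checks (1-5) and the first-match cipher agreement described above, modelled in Python as an added example; this is not IBM's PNODE or IPW$$SD code. It assumes, since the APAR does not say, that each cipher id occupies 2 hex characters (as in the old 1R56I STRONG=X'0A62' line) and that the new 4-character display zero-pads the id; PnodeDef and all function names are hypothetical.

```python
# Model of the PNODE CIPHERS checks and first-match cipher agreement from APAR
# DY47842. Added illustration, not IBM code. Assumed (not stated in the APAR):
# cipher ids are 2 hex chars each; the 4-char display form zero-pads (X'09' -> X'0009').
from dataclasses import dataclass
from typing import List, Optional

MAX_CIPHERS_LEN = 20                 # CIPHERS holds up to 20 hex characters
HEX_TABLE = set("0123456789ABCDEF")  # the 0-9/A-F table added to PNODE

@dataclass
class PnodeDef:
    """PNODE operands the CIPHERS checks depend on (hypothetical model)."""
    local: bool = False              # Format 1 local node vs Format 5 remote node
    ssl_hostname: Optional[str] = None
    ssl_hostaddr: Optional[str] = None
    ciphers: Optional[str] = None    # CIPHERS=hexstring, may be omitted

def check_ciphers(node: PnodeDef) -> Optional[int]:
    """Checks 1-5 from the APAR: error number, or None when accepted/omitted."""
    if node.ciphers is None:                          # 1. omitted: next operand
        return None
    if node.local:                                    # 2. not valid for the local node
        return 1
    if not (node.ssl_hostname or node.ssl_hostaddr):  # 3. needs an SSL node
        return 2
    if len(node.ciphers) > MAX_CIPHERS_LEN:           # 4. too long
        return 3
    if not set(node.ciphers.upper()) <= HEX_TABLE:    # 5. not hexadecimal
        return 4
    return None

def cipher_ids(hexstring: str, width: int = 2) -> List[str]:
    """Split the hexstring into cipher ids in preference order (assumed width 2)."""
    s = hexstring.strip().upper()
    if len(s) % width:
        raise ValueError("hexstring length is not a multiple of the cipher id width")
    return [s[i:i + width] for i in range(0, len(s), width)]

def agree_cipher(ours: List[str], peer: List[str]) -> Optional[str]:
    """First id in our preference order the peer also offers, in 4-char X'0009' form."""
    peer_set = set(peer)
    return next((c.rjust(4, "0") for c in ours if c in peer_set), None)

def negotiate(node: PnodeDef, local_stack: List[str], peer: List[str]) -> Optional[str]:
    """IPW$$SD behaviour: use CIPHERS when given, else the local TCP/IP SSL stack list."""
    err = check_ciphers(node)
    if err is not None:
        raise ValueError(f"CIPHERS rejected with error #{err}")
    ours = cipher_ids(node.ciphers) if node.ciphers else local_stack
    return agree_cipher(ours, peer)
```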
APAR Information
APAR number
DY47842
Reported component name
VSE/POWER
Reported component ID
5686VS603
Reported release
62C
Status
CLOSED UR1
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2020-10-28
Closed date
2021-01-04
Last modified date
2021-09-09
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
UD54390 UD54391
Modules/Macros
IPW$$CI IPW$$DT IPW$$I2 IPW$$I3 IPW$$LW IPW$$SD IPW$$XJ IPW$$XWE IPW$DEF PNODE
Fix information
Fixed component name
VSE/POWER
Fixed component ID
5686VS603
Applicable component levels
Fix is available
Document Information
Modified date:
10 September 2021