A fix is available
APAR status
Closed as program error.
Error description
HOD 14.0.1 failed to send an empty certificate list, as required by RFC5246, when Send a Certificate was set to "NO" in the client authentication settings. This issue was observed when connecting to a z/VM host.

RFC5246 - The Transport Layer Security (TLS) Protocol Version 1.2 states:

7.4.6. Client Certificate

When this message will be sent: This is the first message the client can send after receiving a ServerHelloDone message. This message is only sent if the server requests a certificate. If no suitable certificate is available, the client MUST send a certificate message containing no certificates. That is, the certificate_list structure has a length of zero. If the client does not send any certificates, the server MAY at its discretion either continue the handshake without client authentication, or respond with a fatal handshake_failure alert. Also, if some aspect of the certificate chain was unacceptable (e.g., it was not signed by a known, trusted CA), the server MAY at its discretion either continue the handshake (considering the client unauthenticated) or send a fatal alert. Client certificates are sent using the Certificate structure defined in Section 7.4.2.

References:
https://tools.ietf.org/html/rfc5246#section-7.4.4 -> Certificate Request
https://tools.ietf.org/html/rfc5246#section-7.4.6 -> Client Certificate
Local fix
HOD JAR files habasen2.jar and hassln2.jar were updated to accommodate this RFC5246 scenario.
Problem summary
****************************************************************
* USERS AFFECTED:                                              *
* Host On-Demand secure connection users                       *
****************************************************************
* PROBLEM DESCRIPTION:                                         *
* HOD fails to send an empty certificate list as per the       *
* RFC5246 when Send Certificate is set to NO.                  *
****************************************************************
* RECOMMENDATION:                                              *
****************************************************************
In a TN3270E session, use JSSE = Yes and Send a Certificate = No. In the current implementation, HOD fails to send an empty certificate with a length of zero, whereas PCOMM sends an empty certificate when the server requests it.
Problem conclusion
Code changes have been made to send an empty certificate with a length of zero. The fix is included in the IBM Host On-Demand 12.0.7, 13.0.5 and 14.0.3 Refresh Packs.
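To confirm the corrected behavior from a packet capture, the check below parses the client's first handshake messages after ServerHelloDone and reports whether the zero-length certificate_list required by RFC5246 section 7.4.6 is present. It is an added example, not HOD code: the function names and sample bytes are constructed for illustration, and it assumes the server sent a CertificateRequest and that the input is plaintext handshake-layer bytes already reassembled from TLS records.

```python
# Added example: check a TLS 1.2 client handshake flight for the empty
# Certificate message that RFC 5246 section 7.4.6 requires.
HS_CERTIFICATE = 11  # HandshakeType.certificate (RFC 5246, 7.4)

def u24(buf, off):
    """Read a 3-byte big-endian length field, failing on truncation."""
    if off + 3 > len(buf):
        raise ValueError("truncated length field")
    return int.from_bytes(buf[off:off + 3], "big")

def handshake_messages(data):
    """Split reassembled handshake bytes into (msg_type, body) pairs."""
    msgs, off = [], 0
    while off < len(data):
        length = u24(data, off + 1)          # header: type(1) + length(3)
        body = data[off + 4:off + 4 + length]
        if len(body) != length:
            raise ValueError("truncated handshake body")
        msgs.append((data[off], body))
        off += 4 + length
    return msgs

def certificate_list(body):
    """Return the ASN.1Cert entries of a Certificate body (section 7.4.2)."""
    if u24(body, 0) != len(body) - 3:
        raise ValueError("certificate_list length mismatch")
    certs, off = [], 3
    while off < len(body):
        n = u24(body, off)
        cert = body[off + 3:off + 3 + n]
        if len(cert) != n:
            raise ValueError("truncated certificate entry")
        certs.append(cert)
        off += 3 + n
    return certs

def classify_client_flight(flight, cert_requested=True):
    """Classify the first client message sent after ServerHelloDone."""
    if not cert_requested:
        return "not-applicable"   # Certificate is only sent on request
    msgs = handshake_messages(flight)
    if not msgs or msgs[0][0] != HS_CERTIFICATE:
        return "no-certificate-message"
    return "certificate-sent" if certificate_list(msgs[0][1]) else "empty-certificate-list"

# Constructed sample bytes (not captured from HOD or z/VM).
EMPTY_CERTIFICATE = bytes.fromhex("0b000003000000")  # type 11, length 3, list length 0
CLIENT_KEY_EXCHANGE = bytes.fromhex("10000004") + b"\x00\x02\xaa\xbb"  # placeholder body

if __name__ == "__main__":
    print(classify_client_flight(EMPTY_CERTIFICATE + CLIENT_KEY_EXCHANGE))
    print(classify_client_flight(CLIENT_KEY_EXCHANGE))
```

A conforming client with Send a Certificate = No yields "empty-certificate-list"; a flight that begins with any other message when a certificate was requested is reported as "no-certificate-message".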
Temporary fix
Comments
APAR Information
APAR number
IT34249
Reported component name
HOD
Reported component ID
5733A5901
Reported release
E00
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2020-09-17
Closed date
2021-05-26
Last modified date
2021-05-26
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Modules/Macros
HOD
Fix information
Fixed component name
HOD
Fixed component ID
5733A5901
Applicable component levels
RC00 PSY
UP
RD00 PSY
UP
RE00 PSY
UP
Document Information
Modified date:
30 August 2021