IBM Support

PH41815: SSLV2 HANDSHAKE REJECTED - CSQX207E(INVALID DATA RECEIVED)

A fix is available


APAR status

  • Closed as program error.

Error description

  • This APAR allows the MQ for z/OS server to tolerate TLS 1.0
    handshakes that begin with an SSLv2 handshake. It does not
    allow real SSLv2 connections to be established, but it stops
    the initial handshake from being blocked before it is upgraded
    to TLS 1.0. A CHISERVP parameter must be enabled on all
    affected queue managers to enable this behaviour.
    
    TLS 1.0 itself is a twenty-two year old protocol which has this
    year been deprecated by the Internet Engineering Task Force
    (IETF), so we still advise any customer using the toleration
    PTF to make plans to upgrade affected systems when possible.
    

Local fix

Problem summary

  • ****************************************************************
    * USERS AFFECTED: All users of IBM MQ for z/OS Version 9       *
    *                 Release 0 Modification 0, Release 1          *
    *                 Modification 0 and Release 2 Modification 0. *
    ****************************************************************
    * PROBLEM DESCRIPTION: TLS 1.0 connections may be blocked      *
    *                      when using clients/QMGRs which send an  *
    *                      initial SSLv2 handshake.                *
    ****************************************************************
    As an insecure and outdated protocol, support for SSLv2 has
    previously been removed from MQ, and as a result any handshake
    identified as SSLv2 is terminated.
    TLS 1.0 handshakes from older clients/QMGRs may begin with an
    SSLv2 handshake, as noted by RFC 2246.
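
The distinction described above, between an SSLv2-format hello that offers TLS 1.0 and a real SSLv2 hello, can be checked from the first bytes a client sends. The following is an added example, not IBM's code and not how MQ implements the check; it follows the version 2 client hello layout in RFC 2246 Appendix E, and the function names, result labels and sample hellos are constructed for illustration.

```python
import struct

def build_v2_hello(version, cipher_specs, challenge=bytes(32)):
    """Build a constructed SSLv2-format CLIENT-HELLO (sample input only)."""
    body = struct.pack(">B2B3H", 1, *version, len(cipher_specs), 0,
                       len(challenge)) + cipher_specs + challenge
    # 2-byte record header: high bit set, low 15 bits carry the body length
    return struct.pack(">H", 0x8000 | len(body)) + body

def classify_client_hello(data):
    """Classify the first bytes a client sends on a TLS-enabled port."""
    # TLS record layer: content type 22 (handshake), major version 3
    if len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03:
        return "tls-record"
    if len(data) < 11:
        return "incomplete"
    # SSLv2 framing: high bit of byte 0 set, msg_type 1 = CLIENT-HELLO
    if not data[0] & 0x80 or data[2] != 0x01:
        return "unknown"
    msg_len = struct.unpack(">H", data[:2])[0] & 0x7FFF
    if len(data) < 2 + msg_len:
        return "incomplete"
    major, minor, cs_len, sid_len, ch_len = struct.unpack(">2B3H", data[3:11])
    # The declared lengths must add up, and cipher specs are 3 bytes each
    if msg_len != 9 + cs_len + sid_len + ch_len or cs_len == 0 or cs_len % 3:
        return "malformed"
    if (major, minor) == (0, 2):
        return "sslv2-only"                # real SSLv2: still not accepted
    if (major, minor) == (3, 1):
        return "v2-hello-offering-tls1.0"  # the case this APAR tolerates
    return "v2-hello-other"

# Constructed samples: TLS suites 0x002F and 0x000A in 3-byte V2 form,
# and the SSLv2 cipher kind 0x010080 for a genuine SSLv2 client.
COMPAT_HELLO = build_v2_hello((3, 1), bytes.fromhex("00002f00000a"))
SSLV2_HELLO = build_v2_hello((0, 2), bytes.fromhex("010080"))

if __name__ == "__main__":
    for name, blob in [("compat", COMPAT_HELLO), ("sslv2", SSLV2_HELLO),
                       ("tls", bytes.fromhex("1603010005"))]:
        print(name, classify_client_hello(blob))
```

Run against the first client payload of captured channel connections, this gives an inventory of the clients that still need upgrading before the toleration parameter can be switched off.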
    

Problem conclusion

  • A CHISERVP service parameter has been implemented to temporarily
    allow an SSLv2 hello at the beginning of a TLS 1.0 handshake.
    This allows TLS 1.0 connections from older clients/QMGRs to
    succeed until the affected clients have been updated to a
    supported release.
    
    CSQX680I is issued when a connection is established using an
    SSLv2 hello.
    
    CSQX680I
    Connection <remote IP and host> made to channel <local channel>
    using an SSLv2 hello
    Severity
    0
    Explanation
    A connection has been made to a local channel using an SSLv2
    hello.
    
    This function has been temporarily re-enabled by a service
    parameter, and should only be used under IBM Service direction
    until the client software can be upgraded.
    
    System action
    No action. This message is informational only.
    

Temporary fix

Comments

APAR Information

  • APAR number

    PH41815

  • Reported component name

    IBM MQ Z/OS V9

  • Reported component ID

    5655MQ900

  • Reported release

    200

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2021-11-02

  • Closed date

    2022-05-09

  • Last modified date

    2023-12-02

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

    UI78826 UI78827 UI78828 UI78829 UI78830 UI78831 UI78871 UI78872
    UI78873 UI78874 UI78875 UI78876 UI78877 UI78878 UI78879 UI78880
    UI78881

Modules/Macros

  • CMQXRMSA CSQFXLAT CSQFXTXC CSQFXTXE CSQFXTXF CSQFXTXK CSQFXTXU
    CSQXCCCX CSQXCCIS
    

Fix information

  • Fixed component name

    IBM MQ Z/OS V9

  • Fixed component ID

    5655MQ900

Applicable component levels

  • R201 PSY UI94332

       UP23/11/15 P F311

  • R202 PSY UI94333

       UP23/11/15 P F311

  • R203 PSY UI94334

       UP23/11/15 P F311

  • R204 PSY UI94335

       UP23/11/15 P F311

  • R205 PSY UI94336

       UP23/11/15 P F311

Fix is available

  • Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.


Document Information

Modified date:
04 December 2023