A fix is available
APAR status
Closed as program error.
Error description
A client is trying to communicate with MQ using SSL/TLS security but is receiving the following messages:
CSQX053E cpf CSQXFFST Error information recorded in CSQSNAP data set
CSQX207E cpf CSQXRESP Invalid data received, connection xxxxxx (ip address) (queue manager ????) TRPTYPE=TCP
CSQX504E cpf CSQXRESP Local protocol error, channel type=0000000B data=00000000
MQ parses incoming SSL/TLS client hellos in ccxGetConvType to extract details about the protocols and ciphers being proposed by the client. The problem in this instance is the supported_versions TLS extension. In the customer client hello, the extension contains 3 supported versions - TLS1.2 (0x0303), TLS1.1 (0x0302) and TLS1.0 (0x0301). MQ for z/OS doesn't support TLS1.1, and the supported version parsing code in ccxGetConvType doesn't handle it; instead, it treats it as an invalid version.
Local fix
Problem summary
****************************************************************
* USERS AFFECTED: All users of IBM MQ for z/OS Version 9       *
*                 Release 2 Modification 0 and                 *
*                 Release 3 Modification 0.                    *
****************************************************************
* PROBLEM DESCRIPTION: Error messages CSQX053E:                *
*                      CSQX053E:                               *
*                      'CSQXFFST Error information recorded    *
*                      in CSQSNAP data set',                   *
*                      CSQX207E:                               *
*                      'CSQXRESP Invalid data received'        *
*                      and                                     *
*                      CSQX504E:                               *
*                      'CSQXRESP Local protocol error'         *
*                      are issued when a TLS client includes   *
*                      TLS1.1 in the SupportedProtocols        *
*                      extension of the ClientHello.           *
****************************************************************
During the initial TLS handshake between a client and the channel initiator, the client provided a SupportedProtocols extension containing several proposed Protocol levels, including TLS 1.1, in the ClientHello. The channel initiator processed the extension, and incorrectly determined that the extension was invalid because MQ does not support TLS 1.1.
Problem conclusion
ClientHello processing will now correctly handle a SupportedProtocols extension containing TLS 1.1 as a proposed Protocol. Subsequent processing will correctly cause the TLS handshake to fail unless a valid supported Protocol was also proposed.
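The distinction described above, as an added illustration that is not IBM's code: a supported_versions parser that reports a framing error separately from "well-formed but nothing acceptable was proposed", and skips versions it does not accept. The function name, return codes and accepted-version list are assumptions made for this example; the sample bytes are constructed from the versions quoted in the error description.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define SV_MALFORMED  (-1) /* extension body violates the expected layout */
#define SV_NO_OVERLAP 0    /* well-formed, but no proposed version is accepted */

/* Assumed local policy for this example only; not MQ's actual list. */
static const uint16_t accepted_versions[] = { 0x0304, 0x0303 };

/* Constructed sample: list length 6, then TLS1.2, TLS1.1, TLS1.0. */
static const uint8_t sample_ext[] = { 0x06, 0x03, 0x03, 0x03, 0x02, 0x03, 0x01 };

static int is_accepted(uint16_t v)
{
    for (size_t i = 0; i < sizeof accepted_versions / sizeof accepted_versions[0]; i++)
        if (accepted_versions[i] == v) return 1;
    return 0;
}

/*
 * Parse the extension_data of a ClientHello supported_versions extension:
 * a one-byte list length followed by that many bytes of 2-byte versions.
 * Returns the highest proposed version that is locally accepted,
 * SV_NO_OVERLAP if none is, or SV_MALFORMED if the framing is wrong.
 */
int select_version(const uint8_t *data, size_t len)
{
    if (data == NULL || len < 1) return SV_MALFORMED;
    size_t list_len = data[0];
    /* The list must fill the extension exactly, be non-empty and even. */
    if (list_len != len - 1 || list_len < 2 || (list_len % 2) != 0) return SV_MALFORMED;

    int best = SV_NO_OVERLAP;
    for (size_t off = 1; off + 1 < len; off += 2) {
        uint16_t v = (uint16_t)((data[off] << 8) | data[off + 1]);
        /* Versions we do not accept (TLS 1.1 here) are skipped; they are
         * not a parse error and must not invalidate the whole extension. */
        if (is_accepted(v) && (int)v > best)
            best = (int)v;
    }
    return best;
}

int main(void)
{
    printf("selected: 0x%04x\n", (unsigned)select_version(sample_ext, sizeof sample_ext));
    return 0;
}
```

A caller would fail the handshake on SV_NO_OVERLAP and reserve protocol-error diagnostics for SV_MALFORMED.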
Temporary fix
Comments
APAR Information
APAR number
PH52131
Reported component name
IBM MQ Z/OS V9
Reported component ID
5655MQ900
Reported release
200
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2023-01-24
Closed date
2023-08-18
Last modified date
2023-11-01
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
UI93241 UI93242
Modules/Macros
CSQXCCCX
Fix information
Fixed component name
IBM MQ Z/OS V9
Fixed component ID
5655MQ900
Applicable component levels
Fix is available
Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.
Document Information
Modified date:
01 November 2023