A fix is available
APAR status
Closed as program error.
Error description
In a URIMAP definition, the CIPHERS attribute can be either - a string of 2-digit cipher suite codes. - the name of the SSL cipher suite specification file . If you define use the string of 2 digit codes, it works. But, if you point to the file, it fails. . Trace shows that ciphers should used. SO 0201 SOCK ENTRY FUNCTION(SET_SOCKET_OPTS) TCP_NODELAY(YES) SOCKET_TOKEN(0100000E) SSL(YES) CIPHER_COUNT(D) . But, the response shows that no ciphers were selected. SO 0802 SOSE EXIT FUNCTION(SECURE_SOC_INIT) RESPONSE(EXCEPTION) REASON(CONNECTION_CLOSED) GSK_RETURN_CODE(1A4) CERTIFICATE_USERID() CIPHER_SELECTED() CIPHER_NAME(TLS_NULL_WITH_NULL_NULL) . The problem only happens when and outbound connection to a proxy server is being used. When using SSL, CICS first has to communicate with the proxy unencrypted and then switch the session to SSL to communicate with the desired end server. When switching to SSL, DFHWBCL fails to pass the cipher list token to sockets domain. This causes the SSL handshake process performed by CICS to believe that a ciphers file was not used. Additional Symptom(s) Search Keyword(s): KIXREVRJL . The following symptoms have also been seen: 080C SOSE *EXC* - SYSTEM_SSL_ERROR GSK_RESPONSE(GSK_ERR_NO_CIPHERS) FUNCTION(SECURE_SOC_INIT) RESPONSE(EXCEPTION) REASON (CLIENT_ERROR) GSK_RETURN_CODE(192) CERTIFICATE_USERID() CIPHER_SELECTED() . DFHSO0123 Return code 402 received from function 'gsk_secure_socket_init': No common ciphers negotiated.
Local fix
Problem summary
**************************************************************** * USERS AFFECTED: * * All CICS users. * **************************************************************** * PROBLEM DESCRIPTION: * * DFHSO0123 Return code 402 received from function * * 'gsk_secure_socket_init': No common ciphers negotiated. * **************************************************************** * RECOMMENDATION: * * . * **************************************************************** An attempt is made to make an outbound HTTP request using SSL via a proxy. The URIMAP resource specifies a cipher file. After establishing an unencrypted session with the proxy, CICS switches to use SSL for connecting with the remote server. However, when the DFHSOCK SET_SOCKET_OPTS call is made the cipher block token for the ciphers loaded from the cipher file is not passed. As a consequence the SSL handshake fails with a GSK_RESPONSE of GSK_ERR_NO_CIPHERS (402 or '192'x) and message DFHSO0123 is issued. Additional keywords: msgDFHSO0123 SO0123 SECURE_SOC_INIT
Problem conclusion
DFHWBCL has been modified to pass the wbo_cipher_token, if present, on the DFHSOCK SET_SOCKET_OPTS call made to switch the session to SSL. DFHSOCK SET_SOCKET_OPTS has been updated to accept this parameter and call set_cipher_token on the socket if supplied.
Temporary fix
Comments
APAR Information
APAR number
PI65260
Reported component name
CICS TS Z/OS V5
Reported component ID
5655Y0400
Reported release
000
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2016-07-01
Closed date
2016-11-11
Last modified date
2016-12-01
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
PI69104 UI42525 UI42526
Modules/Macros
DFJ@H360
Fix information
Fixed component name
CICS TS Z/OS V5
Fixed component ID
5655Y0400
Applicable component levels
Fix is available
Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.
[{"Business Unit":{"code":"BU058","label":"IBM Infrastructure w\/TPS"},"Product":{"code":"SSGMGV","label":"CICS Transaction Server"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"5.3","Edition":"","Line of Business":{"code":"LOB35","label":"Mainframe SW"}},{"Business Unit":{"code":"BU054","label":"Systems w\/TPS"},"Product":{"code":"SG19M","label":"APARs - z\/OS environment"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"5.3","Edition":"","Line of Business":{"code":"","label":""}}]
Document Information
Modified date:
01 December 2016