A fix is available
APAR status
Closed as program error.
Error description
This APAR allows the MQ for z/OS server to tolerate TLS 1.0 handshakes that begin with an SSLv2 handshake. It does not allow real SSLv2 connections to be established, but it stops the initial handshake from being blocked before it is upgraded to TLS 1.0. A CHISERVP parameter must be enabled by the customer on all affected queue managers to enable this behaviour. TLS 1.0 itself is a twenty-two year old protocol which has this year been deprecated by the Internet Engineering Task Force (IETF), so we still advocate that any customer using the toleration PTF make plans to upgrade affected systems when possible.
Local fix
Problem summary
USERS AFFECTED: All users of IBM MQ for z/OS Version 9 Release 0 Modification 0, Release 1 Modification 0 and Release 2 Modification 0.
PROBLEM DESCRIPTION: TLS 1.0 connections may be blocked when using clients/QMGRs which send an initial SSLv2 handshake.
As an insecure and outdated protocol, support for SSLv2 has previously been removed from MQ, and as a result any handshake identified as SSLv2 will be terminated. TLS 1.0 handshakes from older clients/QMGRs may begin with an SSLv2 handshake, as noted by RFC 2246.
Problem conclusion
A CHISERVP has been implemented to temporarily allow an SSLv2 hello at the beginning of a TLS 1.0 handshake. This allows TLS 1.0 connections from older clients/QMGRs to succeed until the affected clients have been updated to a supported release. CSQX680I is issued when a connection is established using an SSLv2 hello.
CSQX680I Connection <remote IP and host> made to channel <local channel> using an SSLv2 hello
Severity: 0
Explanation: A connection has been made to a local channel using an SSLv2 hello. This function has been temporarily re-enabled by a service parameter, and should only be used under IBM Service direction until the client software can be upgraded.
System action: No action. This message is informational only.
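The difference between a real SSLv2 offer and a TLS 1.0 handshake that merely begins with an SSLv2-format hello is visible in the first bytes the client sends, as laid out in RFC 2246 Appendix E. The following is an added illustration, not IBM MQ code: the function names, return labels and sample bytes are constructed for this example.

```python
import struct

def classify_first_flight(data: bytes) -> str:
    """Classify the first bytes a client sends to a TLS listener."""
    if len(data) < 3:
        return "incomplete"
    # TLS record layer: content type 22 (handshake), major version 3.
    if data[0] == 0x16 and data[1] == 0x03:
        return "tls-record-hello"
    # SSLv2 2-byte record header: high bit set, low 15 bits = length.
    # The first body byte is msg_type, 1 = CLIENT-HELLO.
    if not data[0] & 0x80 or data[2] != 0x01:
        return "not-a-hello"
    rec_len = ((data[0] & 0x7F) << 8) | data[1]
    if rec_len < 9:
        return "malformed-v2-hello"
    body = data[2:2 + rec_len]
    if len(body) < rec_len:
        return "incomplete"
    major, minor, cs_len, sid_len, ch_len = struct.unpack(">BBHHH", body[1:9])
    # Cipher specs are 3 bytes each; the three lengths must fill the record.
    if cs_len == 0 or cs_len % 3 or 9 + cs_len + sid_len + ch_len != rec_len:
        return "malformed-v2-hello"
    if (major, minor) == (0, 2):
        return "sslv2-only"              # genuine SSLv2 offer
    if major == 3 and sid_len == 0:      # Appendix E: session id must be empty
        return f"v2-hello-offering-3.{minor}"   # 3.1 is TLS 1.0
    return "malformed-v2-hello"

def build_v2_hello(version, cipher_specs, challenge=b"\x00" * 32):
    """Constructed sample input: a version 2.0 format CLIENT-HELLO."""
    body = struct.pack(">BBBHHH", 1, version[0], version[1],
                       len(cipher_specs), 0, len(challenge))
    body += cipher_specs + challenge
    return struct.pack(">H", 0x8000 | len(body)) + body

if __name__ == "__main__":
    samples = {
        "TLS 1.0 offered in a v2 hello": build_v2_hello((3, 1), b"\x00\x00\x0a"),
        "SSLv2 only": build_v2_hello((0, 2), b"\x01\x00\x80"),
        "TLS record hello (truncated)": b"\x16\x03\x01\x00\x2f\x01",
    }
    for name, data in samples.items():
        print(f"{name}: {classify_first_flight(data)}")
```

In the APAR's terms, the `v2-hello-offering-3.1` case is the handshake the service parameter tolerates, while `sslv2-only` stays unsupported.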
Temporary fix
Comments
APAR Information
APAR number
PH41815
Reported component name
IBM MQ Z/OS V9
Reported component ID
5655MQ900
Reported release
200
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2021-11-02
Closed date
2022-05-09
Last modified date
2023-12-02
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
UI78826 UI78827 UI78828 UI78829 UI78830 UI78831 UI78871 UI78872
UI78873 UI78874 UI78875 UI78876 UI78877 UI78878 UI78879 UI78880
UI78881
Modules/Macros
CMQXRMSA CSQFXLAT CSQFXTXC CSQFXTXE CSQFXTXF CSQFXTXK CSQFXTXU CSQXCCCX CSQXCCIS
Fix information
Fixed component name
IBM MQ Z/OS V9
Fixed component ID
5655MQ900
Applicable component levels
R201 PSY UI94332
UP23/11/15 P F311
R202 PSY UI94333
UP23/11/15 P F311
R203 PSY UI94334
UP23/11/15 P F311
R204 PSY UI94335
UP23/11/15 P F311
R205 PSY UI94336
UP23/11/15 P F311
Fix is available
Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.
Document Information
Modified date:
04 December 2023