IBM Support

PJ40883: SSL HANDSHAKE FAIL WITH Z/OS

APAR status

  • Closed as program error.

Error description

  • See Problem Summary.
    

Local fix

  • na
    

Problem summary

  • APAR NUMBER:  PJ40883
    PRODUCT:  z/TPF
    FUNCTIONAL AREA:  MQS SUPPORT
    SHIPPED IN PUT:  10
    
    ABSTRACT:
    With PJ34481, the z/TPF WebSphere MQ SSL handshake may fail
    when a z/OS sender/client channel connects to z/TPF.
    
    PACKAGE CONTENTS:
    Source Segments:
    (C) base/include/tpf/i_ecb3.h
    (C) base/macro/ieqce3.mac
    (C) base/openssl/crypto/x509v3/v3_purp.c
    (C) base/openssl/include/tpf/i_issl.h
    (C) base/openssl/ssl/ssl_lib.c
    (C) base/openssl/tpfssl/csslwb.c
    
    Object Only Binaries:
    (C) base/oco/lib/libCMQO.so
    (C) base/oco/load/CMQO.so
    
    Configuration Independent Binaries:
    (C) base/openssl/lib/libCRYP.so
    (C) base/openssl/lib/libCSSL.so
    (C) base/openssl/load/CRYP.so
    (C) base/openssl/load/CSL2.so
    (C) base/openssl/load/CSSL.so
    (C) base/openssl/obj/csslwb.o
    (C) base/openssl/obj/ssl_lib.o
    (C) base/openssl/obj/v3_purp.o
    
    Support Files:
    base/openssl/lst/csslwb.lst
    base/openssl/lst/CRYP.map
    base/openssl/lst/CSL2.map
    base/openssl/lst/CSSL.map
    base/openssl/lst/ssl_lib.lst
    base/openssl/lst/v3_purp.lst
    
    OTHER BINARIES TO BUILD: YES
    (C) os390/bin/ppcp.pds
    (C) os390/bin/tpfldr.pds
    (C) os390/obj/ccmcdc.o
    (C) os390/obj/genfil.o
    (C) os390/obj/stpp.o
    
    COMMENTS:
    When a z/OS sender or client channel (SSL client) is started
    using SSL, connecting to a z/TPF receiver/svrconn channel (SSL
    server) may result in the following errors:
    
    on z/TPF:
    MQSC0362E START CHANNEL channelname FAILED - SSL HANDSHAKE
    ERROR - SSL_connect SSLRC = 5 - SSL_ERROR_SYSCALL, sock_errno 0
    
    on z/OS:
    CSQX620E: csect-name System SSL error, channel channel-name,
    function  gsk_secure_socket_init' RC=410
    
    When a z/OS sender/client channel using SSL connects to a z/TPF
    receiver/svrconn channel, an SSL client-authenticated handshake
    is initiated. z/TPF sends a CertificateRequest to the SSL
    client; however, the list of certificate authorities in this
    request is blank. z/OS expects the request to list the
    distinguished names of the certificates that the SSL server
    will accept.
    
    In addition, an SSL client-authenticated handshake fails if the
    certificate supplied by the z/OS client cannot be used for the
    specified purpose. If the certificate has a type of "SSL
    Server", the z/TPF server rejects the certificate during
    SSL_accept() processing with an X509_V_ERR_INVALID_PURPOSE
    return code (26), which indicates that the supplied certificate
    cannot be used for the specified purpose.
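
To confirm from a captured handshake whether the CertificateRequest carries a blank certificate authority list, the message can be parsed directly. The following is an added example, not code from this APAR or from z/TPF; the function names and both sample messages are constructed for illustration, and the `tls12` flag covers the extra field that TLS 1.2 places before the CA list.

```python
CERTIFICATE_REQUEST = 13  # TLS HandshakeType value

def parse_certificate_request(msg: bytes, tls12: bool = False) -> dict:
    """Parse one CertificateRequest handshake message (header included).

    TLS 1.0/1.1 body: certificate_types (1-byte length), then
    certificate_authorities (2-byte length). TLS 1.2 inserts
    supported_signature_algorithms (2-byte length) between the two.
    """
    if len(msg) < 4 or msg[0] != CERTIFICATE_REQUEST:
        raise ValueError("not a CertificateRequest handshake message")
    body = msg[4:]
    if len(body) != int.from_bytes(msg[1:4], "big"):
        raise ValueError("handshake length does not match message size")
    pos = 0

    def take(n: int) -> bytes:
        nonlocal pos
        if pos + n > len(body):
            raise ValueError("field runs past end of message")
        pos += n
        return body[pos - n:pos]

    cert_types = list(take(take(1)[0]))
    if tls12:
        take(int.from_bytes(take(2), "big"))  # skip signature algorithms
    ca_len = int.from_bytes(take(2), "big")
    if pos + ca_len != len(body):
        raise ValueError("CA list length does not match message size")
    ca_names = []
    while pos < len(body):
        # each entry: 2-byte length, then a DER-encoded X.501 Name
        name = take(int.from_bytes(take(2), "big"))
        if not name:
            raise ValueError("zero-length distinguished name")
        ca_names.append(name)
    return {"cert_types": cert_types, "ca_names": ca_names,
            "ca_list_empty": not ca_names}

def handshake_msg(body: bytes) -> bytes:
    """Wrap a body in the 4-byte handshake header (type + 24-bit length)."""
    return bytes([CERTIFICATE_REQUEST]) + len(body).to_bytes(3, "big") + body

# Constructed samples: rsa_sign (1) is the only certificate type requested.
SAMPLE_DN = bytes.fromhex("30123110300e06035504031307") + b"Test CA"  # CN=Test CA
EMPTY_REQ = handshake_msg(bytes.fromhex("01010000"))  # blank CA list
NAMED_REQ = handshake_msg(b"\x01\x01" + (len(SAMPLE_DN) + 2).to_bytes(2, "big")
                          + len(SAMPLE_DN).to_bytes(2, "big") + SAMPLE_DN)
```

`parse_certificate_request(EMPTY_REQ)` reports `ca_list_empty` as true, which is the condition described above; `NAMED_REQ` returns the one DER-encoded name.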
    

Problem conclusion

  • SOLUTION:
    z/TPF WebSphere MQ sender channels have been updated to
    generate a list of certificate authorities to send to the
    client based on the CAINFO parameter of the z/TPF WebSphere MQ
    configuration file for SSL.
    Program v3_purp.c in the OpenSSL load module CRYP has been
    modified to bypass the certificate check that causes an SSL
    client-authenticated handshake to fail when MQ is the SSL
    application that issues the SSL_accept() function.
    
    COREQS: NO
    None.
    
    MIGRATION CONSIDERATIONS: NO
    None.
    
    BUILD COMMANDS AND INSTRUCTIONS: YES
    #maketpf commands for linux
    maketpf -f CRYP v3_purp.o
    maketpf -f CSSL ssl_lib.o
    maketpf -f CSL2 csslwb.o
    maketpf CRYP link
    maketpf CSSL link
    maketpf CSL2 link
    #maketpf commands for z/OS
    maketpf -f tpfldr genfil.o
    maketpf -f ppcp ccmcdc.o stpp.o
    maketpf tpfldr link
    maketpf ppcp link
    
    UPDATED INFORMATION UNITS: YES
    z/TPF Security
    
    See your IBM representative if you need additional information.
    
    DOWNLOAD INSTRUCTIONS:
    http://www.ibm.com/software/htp/tpf/maint/maintztpf.html
    
    APAR URL:
    http://www.ibm.com/software/htp/tpf/ztpfmaint/put10/PJ40883.htm
    

Temporary fix

Comments

APAR Information

  • APAR number

    PJ40883

  • Reported component name

    Z/TPF

  • Reported component ID

    5748T1501

  • Reported release

    110

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2013-03-11

  • Closed date

    2013-06-28

  • Last modified date

    2013-06-28

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Publications Referenced
SK2T8062        

Fix information

  • Fixed component name

    Z/TPF

  • Fixed component ID

    5748T1501

Applicable component levels

  • R110 PSY

       UP



Document information

More support for: TPF
z/TPF

Software version: 110

Reference #: PJ40883

Modified date: 28 June 2013