z/OS Cryptographic Services System SSL Programming
Previous topic | Next topic | Contents | Contact z/OS | Library | PDF


gsk_secure_socket_init()

z/OS Cryptographic Services System SSL Programming
SC14-7495-00

Initializes a secure socket connection.

Format

   #include <gskssl.h>

   gsk_status gsk_secure_socket_init(
                                      gsk_handle     soc_handle)

Parameters

soc_handle
Specifies the connection handle returned by the gsk_secure_socket_open() routine.

Results

The function return value will be 0 (GSK_OK) if no error is detected. Otherwise, it will be one of the return codes listed in the gskssl.h include file. These are some possible errors:
[GSK_CERTIFICATE_NOT_AVAILABLE]
No certificates available.
[GSK_ERR_BAD_EC_PARAMS]
EC parameters not supplied.
[GSK_ERR_BAD_CERT]
Certificate is not valid.
[GSK_ERR_BAD_DATE]
Certificate is not valid yet or is expired.
[GSK_ERR_BAD_KEYFILE_LABEL]
The specified key is not found in the key database or the key is not trusted.
[GSK_ERR_BAD_MAC]
Message verification failed.
[GSK_ERR_BAD_MESSAGE]
Incorrectly-formatted message received from peer application.
[GSK_ERR_BAD_MSG_LEN]
Incorrectly-formatted TLS extension data contained within message received from peer application.
[GSK_ERR_BAD_PEER]
Peer application has violated the SSL protocol.
[GSK_ERR_BAD_SIG_ALG_PAIR]
Signature algorithm pairs list is not valid.
[GSK_ERR_BAD_V2_CIPHER]
SSL V2 cipher is not valid.
[GSK_ERR_BAD_V3_CIPHER]
SSL V3 cipher is not valid.
[GSK_ERR_BAD_V3_EXPANDED_CIPHER]
SSL V3 expanded cipher is not valid.
[GSK_ERR_CERT_VALIDATION]
Certificate validation error.
[GSK_ERR_CERTIFICATE_REVOKED]
Peer certificate is revoked.
[GSK_ERR_CRYPTO]
Cryptographic error detected.
[GSK_ERR_EC_PARAMETERS_NOT_SUPPLIED]
EC parameters not supplied.
[GSK_ERR_ECURVE_NOT_FIPS_APPROVED]
Elliptic Curve not supported in FIPS mode.
[GSK_ERR_ECURVE_NOT_SUPPORTED]
Elliptic Curve is not supported.
[GSK_ERR_INCOMPATIBLE_KEY]
Certificate key is not compatible with cipher suite.
[GSK_ERR_ICSF_CLEAR_KEY_SUPPORT_NOT_AVAILABLE]
Clear key support not available due to ICSF key policy.
[GSK_ERR_ICSF_FIPS_DISABLED]
ICSF PKCS #11 services are disabled.
[GSK_ERR_ICSF_NOT_AVAILABLE]
ICSF services are not available.
[GSK_ERR_ICSF_NOT_FIPS]
ICSF PKCS #11 not operating in FIPS mode.
[GSK_ERR_ICSF_SERVICE_FAILURE]
ICSF callable service returned an error.
[GSK_ERR_INCORRECT_KEY_ATTRIBUTE]
TKDS Private Key attributes do not support digital signature or RSA operation.
[GSK_ERR_INVALID_FRAGMENT_LENGTH]
An unsupported fragment length was received.
[GSK_ERR_IO]
I/O error communicating with peer application.
[GSK_ERR_LDAP]
An LDAP error is detected.
[GSK_ERR_LDAP_NOT_AVAILABLE]
The LDAP server is not available.
[GSK_ERR_MISSING_KEY_ALGORITHM]
Certificate key algorithm is not in signature algorithm pairs list.
[GSK_ERR_MISSING_SIGNATURE_ALGORITHM]
Signature algorithm is not in signature algorithm pairs list.
[GSK_ERR_MULTIPLE_DEFAULT]
Multiple keys are marked as the default.
[GSK_ERR_MULTIPLE_LABEL]
Multiple certificates exist for label.
[GSK_ERR_NO_CERTIFICATE ]
No certificate received from partner.
[GSK_ERR_NO_CIPHERS]
No cipher specifications.
[GSK_ERR_NO_PRIVATE_KEY]
Certificate does not contain a private key or the private key is unusable.
[GSK_ERR_NON_SUITE_B_CERTIFICATE]
Certificate does not meet Suite B requirements.
[GSK_ERR_SECURE_LABEL_OPERATION_UNSUPPORTED]
A secure private key cannot be used with a fixed ECDH key exchange.
[GSK_ERR_SELF_SIGNED]
A self-signed certificate cannot be validated.
[GSK_ERR_SIGNATURE_NOT_SUPPLIED]
Signature not supplied.
[GSK_ERR_SOCKET_CLOSED]
Socket connection closed by peer application.
[GSK_ERR_RNG]
Error encountered when generating random bytes.
[GSK_ERR_UNKNOWN_CA]
A certification authority certificate is missing.
[GSK_ERR_UNRECOGNIZED_NAME]
The requested server name is not recognized.
[GSK_ERR_UNSUPPORTED]
SSL protocol or certificate type is not supported.
[GSK_ERR_UNSUPPORTED_CERTIFICATE_TYPE]
The certificate type is not supported by System SSL.
[GSK_ERR_UNSUPPORTED_REQUIRED_EXTENSION]
A required TLS extension has been rejected.
[GSK_ERR_UNSUPPORTED_EXTENSION]
An unrequested TLS Extension has been encountered.
[GSK_INSUFFICIENT_STORAGE]
Insufficient storage is available.
[GSK_INVALID_HANDLE]
The connection handle is not valid.
[GSK_INVALID_STATE]
The connection is not in the open state or a previous initialization request has failed.
[GSK_RSA_TEMP_KEY_PAIR]
Unable to generate temporary RSA public/private key pair.
[GSK_WOULD_BLOCK_READ]
An attempt to read a handshake message failed with EWOULDBLOCK.
[GSK_WOULD_BLOCK_WRITE]
An attempt to write a handshake message failed with EWOULDBLOCK.

Usage

The gsk_secure_socket_init() routine initializes a secure socket connection created by the gsk_secure_socket_open() routine. After the connection has been initialized, it can be used for secure data transmission using the gsk_secure_socket_read() and gsk_secure_socket_write() routines. The gsk_secure_socket_close() routine should be called to close the connection when it is no longer needed. The gsk_secure_socket_close() routine should also be called if an error is returned by the gsk_secure_socket_init() routine.

Before calling the gsk_secure_socket_init() routine, the application must create a connected socket and store the socket descriptor in the SSL connection by calling the gsk_attribute_set_numeric_value() routine. For a client, this means calling the socket() and connect() routines. For a server, this means calling the socket(), listen(), and accept() routines. However, SSL does not require the use of TCP/IP for the communications layer. The socket descriptor can be any integer value which is meaningful to the application. The application must provide its own socket routines if it is not using TCP/IP by calling the gsk_attribute_set_callback() routine.

The gsk_secure_socket_init() routine can return GSK_WOULD_BLOCK_READ or GSK_WOULD_BLOCK_WRITE if the socket is in non-blocking mode. The connection is not initialized in this case and the application must call gsk_secure_socket_init() again when the socket is ready to accept a read request (GSK_WOULD_BLOCK_READ) or a write request (GSK_WOULD_BLOCK_WRITE). The application must provide its own callback routine for io_setsocketoptions() to have the SSL handshake processed in non-blocking mode (the default io_setsocketoptions() routine places the socket into blocking mode during the handshake processing).

In FIPS mode, only DSA certificates with domain parameters that conform to FIPS 186-3: Digital Signature Standard (DSS) are supported. In non-FIPS mode, if the key size is less than 1024 bits, then domain parameters that conform to FIPS 186-2 are supported. In non-FIPS mode, if the key size is greater than or equal to 1024 bits, the domain parameters must conform to FIPS 186-3, with the exception that parameters that have a prime modulus (p) of 2048 bits and a prime divisor (q) of 160 bits are also tolerated.

Be sure a gsk_secure_socket_shutdown() call is issued before a gsk_secure_socket_close() call.

Protocol Selection
An SSL handshake is performed as part of the processing of the gsk_secure_socket_init() routine. This establishes the server identity and optionally the client identity. It also negotiates the cryptographic parameters to be used for the connection. The client and server attempts to use the highest available protocol version as determined by the intersection of the enabled protocol versions for the client and the server and the compatible ciphers. Thus:
  • TLS V1.2 is used if it is enabled on both the client and the server
  • If TLS V1.2 cannot be used and TLS V1.1 is enabled, negotiations drop back to TLS V1.1
  • If TLS V1.1 cannot be used and TLS V1.0 is enabled, negotiations drop back to TLS V1.0
  • If TLS V1.0 cannot be used and SSL V3 is enabled, negotiations drop back to SSL V3
  • If SSL V3 cannot be used, TLS V1.2 was not enabled on the client or server, and SSL V2 is enabled, negotiations drop back to SSL V2
Note:
  1. SSL V2 is not as secure as SSL V3 or TLS and should be disabled whenever possible to avoid attacks that force the client and server to drop back to SSL V2 even though they are capable of using SSL V3, TLS V1.0 or TLS V1.1.
  2. When TLS extensions are defined for a client and any of the TLS protocols are enabled for the connection, SSL V2 is not negotiated even if it is enabled.
  3. If TLS V1.2 is enabled on the client, establishment of SSL sessions with SSL V2 servers is not supported.
Cipher selection

The client sends a list of ciphers it supports during the SSL handshake. The server application uses this list, and the defined ciphers that are supported by the server, to determine the cipher to be used during the SSL handshake. If the client is operating in FIPS mode, then the list provided only contains FIPS ciphers. A server executing in FIPS mode will only use FIPS ciphers. The cipher selection is done by looking through the servers cipher list for a match in the clients list. The first matching cipher is used.

When building the server's list of cipher suites for comparison with the list sent by the client, the server might omit some ciphers from the list as follows:
  • When executing in an export level cryptographic environment, any ciphers that are not permitted for use in an export level environment.
  • When executing in FIPS mode, any cipher suites that are not valid for use in FIPS mode.
  • Any cipher suites that specify a key algorithm that is not supported for use with the server certificate's key. For example, if the cipher requires an RSA key algorithm but the server certificate uses a DSA key algorithm.
  • When using protocol SSL V3.0 or lower, any cipher suites that specify Elliptic Curve Cryptography.
  • When using protocol TLS V1.1 or lower, any cipher suites that specify:
    • A sign key algorithm that is not supported for use with the server certificate's key. For example, if the cipher requires a Diffie-Hellman certificate signed with an RSA signature, but the server certificate is a Diffie-Hellman certificate that is signed with a DSA signature.
    • SHA-2 message authentication.
    • AES-GCM encryption.
  • When using protocol TLS V1.1 and higher, any cipher suites that specify 40-bit export encryption.
  • When using protocol TLS V1.2 and higher, any cipher suites that specify:
    • 56-bit DES encryption.
    • A key algorithm that is not specified in the signature algorithm pairs list that is supplied by the client.
Note:
  1. For protocols TLS V1.1 and above, export cipher suites cannot be used. 40-bit ciphers is ignored if TLS V1.1 or above is negotiated as the security protocol. If TLS V1.1 or above is the intended protocol and only 40-bit ciphers are available, the connection fails with GSK_ERR_NO_CIPHERS.
  2. To use a cipher specification that requires a fixed ECDH key exchange (C001, C002, C003, C004, C005, C00B, C00C, C00D, C00E, and C00F), the ECC private key cannot be a secure key that is stored in ICSF PKDS or TKDS.
Server certificate

The server certificate can use either RSA, DSA, Diffie-Hellman, or ECDSA as the public/private key algorithm.

In FIPS mode, the RSA or DSA key size must be at least 1024 bits, the Diffie-Hellman key size must be at least 2048 bits, and the ECC key size must be at least 192 bits and use a NIST-approved named curve.

An RSA certificate can be used with an RSA, ephemeral Diffie-Hellman, or ephemeral ECDH key exchange. A DSA certificate can be used with an ephemeral Diffie-Hellman key exchange. A Diffie-Hellman certificate can be used in a fixed Diffie-Hellman key exchange. An ECDSA certificate can be used with a fixed ECDH or ephemeral ECDH key exchange.

If the servers certificate contains a key usage extension during the SSL handshake, it must allow key usage as follows:
  • RSA certificates using export restricted ciphers (40-bit RC4 encryption and 40-bit RC2 encryption) with a public key size greater than 512 bits must allow digital signature. If operating in FIPS mode, export restricted ciphers cannot be selected.
  • Diffie-Hellman certificates that are used in fixed Diffie-Hellman key exchange must allow key agreement.
  • Other RSA certificates must allow key encipherment.
  • ECDSA certificates that are used in fixed ECDH key exchange must allow key agreement.
  • ECDSA certificates that are used in ephemeral ECDH key exchange must allow digital signature.
  • RSA certificates that are used in ephemeral ECDH key exchange must allow digital signature.
  • DSA certificates using ephemeral Diffie-Hellman key exchange must allow digital signature.

System SSL does not accept VeriSign Global Server ID certificates. When specified, System SSL uses these certificates as any other certificate when determining the encryption cipher to be used for the SSL session.

When using TLS V1.2 as the SSL session protocol, the client may pass to the server a list of signature algorithm pairs as part of the TLS handshake. The key algorithm and signature algorithm of the server certificate must be present in this list of signature algorithm pairs. In addition, any peer certificates in the server certificate chain must also be signed using a signature algorithm present in the list.

The signature algorithm pair list under the TLS V1.2 protocol may allow some TLS ciphers to operate using certificates that were previously incompatible with the cipher specification. In previous versions of TLS, these ciphers (primarily ciphers that use a fixed Diffie-Hellman or fixed ECDH key exchange) required the server certificate to be signed with a specific signature key algorithm. Under TLS V1.2, the signature algorithm pairs list allows the cipher to be used if the signature algorithm is specified in the list.

Client certificate

The SSL server always provides its certificate to the SSL client as part of the handshake. The client always performs server authentication using the certificate that is provided by the server. Depending upon the server handshake type, the server may ask the client to provide its certificate. The key label that is stored in the connection is used to retrieve the certificate from the key database, key ring, or token. The default key is used if no label is set. The key record must contain both an X.509 certificate and a private key. See gsk_validate_certificate_mode() for a description of the steps that are performed during certificate validation.

The client certificate can use either RSA, Digital Signature Standard algorithm (DSA), ECDSA, or Diffie-Hellman as the public/private key algorithm. The type of client certificate that can be used depends on the key exchange method being used for the session cipher that is selected by the server, as detailed in the following list.
  • RSA key exchange - RSA or DSA
  • fixed Diffie-Hellman key exchange - RSA, DSA, or Diffie-Hellman
  • ephemeral Diffie-Hellman key exchange - RSA or DSA
  • fixed ECDH key exchange - RSA, DSA, or ECDSA
  • ephemeral ECDH key exchange - RSA, DSA, or ECDSA

Client certificates that are used in a fixed Diffie-Hellman or fixed ECDH key exchange where the client certificate is used to send the client's public key to the server must support key agreement. This means the certificate key usage extension (if any) must allow key agreement.

In all other cases the client certificate must support digital signatures. This means the certificate key usage extension (if any) must allow digital signature.

Client certificates that are used with a fixed ECDH key exchange where the client private key is a secure key label in the TKDS are not supported.

When using TLS V1.2 as the SSL session protocol, the server may pass to the client a list of signature algorithm pairs as part of the TLS handshake. The key algorithm and signature algorithm of the client certificate must be present in this list of signature algorithm pairs. In addition, any peer certificates in the client certificate chain must also be signed using a signature algorithm present in the list.

Related Topics

gsk_environment_init()

gsk_secure_socket_write()

gsk_secure_socket_read()

gsk_secure_socket_misc()

gsk_secure_socket_close()

Parent topic: API reference

Go to the previous page Go to the next page

Notices | Terms of use | Support | Contact z/OS | zFavorites



Copyright IBM Corporation 1990, 2014