IBM Support

PH08671: THE VSE CONNECTOR CLIENT DOES NOT CORRECTLY HANDLE INTERMEDIATE CA CERTIFICATES WITH SSL/TLS

A fix is available

APAR status

  • Closed as program error.

Error description

  • The z/VSE Connector Client does not correctly handle
    intermediate CA certificates when it validates peer
    certificates during the SSL/TLS handshake. This might cause
    SSL/TLS connections to be rejected when the peer certificate is
    signed by an intermediate CA certificate, even though the
    intermediate CA certificate is contained in the keyring used by
    the VSE Connector Client.
    

Local fix

Problem summary

  • ****************************************************************
    * USERS AFFECTED: All z/VSE Connector Client Users             *
    ****************************************************************
    * PROBLEM DESCRIPTION: The z/VSE Connector Client does not     *
    *                      correctly handle intermediate CA        *
    *                      certificates when it validates peer     *
    *                      certificates during SSL/TLS handshake.  *
    *                      This might cause SSL/TLS connections to *
    *                      be rejected when the peer certificate   *
    *                      is signed by an intermediate CA         *
    *                      certificate, even though the            *
    *                      intermediate CA certificate is          *
    *                      contained in the keyring used by the    *
    *                      VSE Connector Client.                   *
    ****************************************************************
    * RECOMMENDATION: Install this PTF                             *
    ****************************************************************
    

Problem conclusion

  • The VSE Connector Client code has been changed to accept peer
    certificates signed by an intermediate CA certificate in
    addition to peer certificates signed by a self-signed root
    certificate.
    

Temporary fix

Comments

APAR Information

  • APAR number

    PH08671

  • Reported component name

    VSE CONN. WS CO

  • Reported component ID

    5686VS638

  • Reported release

    62P

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2019-02-18

  • Closed date

    2019-02-19

  • Last modified date

    2019-03-15

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

    UI61366

Modules/Macros

  • IESINCON
    

Fix information

  • Fixed component name

    VSE CONN. WS CO

  • Fixed component ID

    5686VS638

Applicable component levels

  • R62P PSY UI61366

       UP19/03/15 I 1000

Fix is available

  • Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.



Document information

More support for: z/VSE family

Software version: 62P

Operating system(s): VSE/ESA

Reference #: PH08671

Modified date: 15 March 2019