ENABLE OR DISABLE SSL/TLS PROTOCOLS BASED UPON SECURITY POLICY FOR OLDER RELEASES (Z/VM 5.4 AND Z/VM 6.2)
APAR Identifier ...... PI31200          Last Changed ........ 15/02/23
ENABLE OR DISABLE SSL/TLS PROTOCOLS BASED UPON SECURITY POLICY FOR OLDER RELEASES (Z/VM 5.4 AND Z/VM 6.2)

Symptom ...... NF NEWFUNCTION            Status ........... CLOSED UR1
Severity ................... 4           Date Closed ......... 15/02/23
Component .......... 5735FAL00           Duplicate of ........
Reported Release ......... 620           Fixed Release ............ 999
Component Name TCP/IP V2 FOR V           Special Notice
Current Target Date ..                   Flags
SCP ...................
Platform ............

Status Detail: SHIPMENT - Packaged solution is available for shipment.

PE PTF List:

PTF List:
Release 540 : UI25366 available 15/02/23 (1501 )
Release 620 : UI25367 available 15/02/23 (1000 )
Release 630 : UI25368 available 15/02/23 (1502 )

Parent APAR:
Child APAR list:

ERROR DESCRIPTION:
TCP/IP for z/VM 6.3 introduced the PROTOCOL operand for the SSL server, which allows one to enable or disable individual SSL/TLS protocols based upon local security policy. Older levels of TCP/IP for z/VM do not have this capability. This APAR introduces the PROTOCOL operand to z/VM 5.4 and z/VM 6.2.

Additionally, this APAR fixes a problem where an incorrect protocol level is displayed in the connection information produced by the NETSTAT IDENTIFY and SSLADMIN QUERY SESSIONS commands. This correction applies to z/VM 5.4, z/VM 6.2, and z/VM 6.3.

LOCAL FIX:

PROBLEM SUMMARY:
****************************************************************
* USERS AFFECTED: All users of the z/VM TCP/IP SSL (Secure     *
*                 Socket Layer) server.                        *
****************************************************************
* PROBLEM DESCRIPTION:                                         *
****************************************************************
* RECOMMENDATION: APPLY PTF                                    *
****************************************************************
TCP/IP for z/VM 6.3 introduced the PROTOCOL operand for the SSL Server, which allows one to enable or disable individual SSL/TLS protocols based upon local security policy. Older levels of TCP/IP for z/VM do not have this capability. This APAR introduces the PROTOCOL operand to z/VM 5.4 and z/VM 6.2.

Additionally, this APAR fixes a problem where an incorrect protocol level is displayed in the connection information produced by the NETSTAT IDENTIFY and SSLADMIN QUERY SESSIONS commands. This correction applies to z/VM 5.4, z/VM 6.2, and z/VM 6.3.

PROBLEM CONCLUSION:

TEMPORARY FIX:

COMMENTS:
For z/VM 5.4 and z/VM 6.2, the following code changes were made to provide PROTOCOL operand support:

DTCUME.REPOS and SSLMESGS.H
  Added the protocol-related message.
SSLADMIN.EXEC
  Changed program logic to show protocol detail information.
SSLADMI5.C (SSLADMNP.C for z/VM 6.2)
  Added logic for reporting enabled and disabled protocol information.
SSLCIPHS.C
  Added logic for parsing the protocol string provided by VMSSL, and for updating the cipher table based on the enabled protocols.
SSLCIPH0.H
  Added API declarations for SSLCIPHS.C.
SSLCONFG.H
  Added on/off switch declarations for the SSL/TLS protocols.
SSLGSKCF.C
  Added logic to process all specified protocols and, for each enabled protocol, pass the appropriate parameters to the 'gsk_attribute_set_enum()' function to enable it.
SSLSTART.C
  Added logic to process the protocol string provided by VMSSL and create individual protocol values; also added a call to SSLCIPHS.C to parse the protocol string.
VMSSL.EXEC
  Added logic to handle the command set for the 'PROTOCOL' operand.

To address the problem of an incorrect protocol level being reported by the NETSTAT IDENTIFY and SSLADMIN QUERY SESSIONS commands, the following change was made for all levels (z/VM 5.4, z/VM 6.2, z/VM 6.3):

SSLGSKCF.C
  Added logic to report the protocol based on the connection's negotiated protocol level.

Documentation for the PROTOCOL operand added to the z/VM 5.4 and z/VM 6.2 levels has been incorporated in updates to the VMSSL HELPTCP and QUERY HELPSSLA files. This information can be reviewed with the respective HELP commands:

HELP TCPI VMSSL
HELP SSLADMIN QUERY

MODULES/MACROS: DTCUME DTCUMEB QUERY SSLADMIN SSLADMNP SSLCIPHS SSLGSKCF SSLREPRT SSLSTART VMSSL

SRLS: NONE

RTN CODES:

CIRCUMVENTION:

MESSAGE TO SUBMITTER:
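The two points of this APAR, an enable/disable protocol policy and reporting a connection's protocol level correctly, can be illustrated outside z/VM. The following is an added example and is not z/VM or GSKit code: it parses a TLS ServerHello record and derives the negotiated protocol from the hello itself (honouring the supported_versions extension for TLS 1.3) rather than from the record-layer version field, which is only a compatibility value and is the kind of field that yields a wrong protocol level when reported. It then checks the result against a policy of the form '+NAME' / '-NAME'. The protocol names (SSLV3, TLS1_0, TLS1_1, TLS1_2, TLS1_3), the policy syntax and its "everything enabled unless toggled" default are assumptions made for the example; the real operand and its defaults are documented under HELP TCPI VMSSL. The sample ServerHello records are constructed inline.

```python
"""Added example (not z/VM code): report the negotiated SSL/TLS protocol level
from a ServerHello record and check it against an enable/disable policy.
Protocol names and the '+NAME/-NAME' policy syntax are assumptions."""
import struct

# (major, minor) on the wire -> protocol name used in this example
VERSION_NAMES = {
    (3, 0): "SSLV3",
    (3, 1): "TLS1_0",
    (3, 2): "TLS1_1",
    (3, 3): "TLS1_2",
    (3, 4): "TLS1_3",
}
HANDSHAKE = 22           # TLS record content type
SERVER_HELLO = 2         # handshake message type
SUPPORTED_VERSIONS = 43  # extension carrying the real TLS 1.3 selection


def version_name(ver):
    return VERSION_NAMES.get(tuple(ver), "UNKNOWN(%d.%d)" % tuple(ver))


def parse_policy(spec, default_enabled=True):
    """Parse '+NAME -NAME ...' into {name: enabled}. Assumption: every protocol
    starts as default_enabled and each token toggles one of them."""
    enabled = {name: default_enabled for name in VERSION_NAMES.values()}
    for tok in spec.split():
        if tok[0] not in "+-" or tok[1:] not in enabled:
            raise ValueError("bad PROTOCOL token: %r" % tok)
        enabled[tok[1:]] = tok[0] == "+"
    if not any(enabled.values()):
        raise ValueError("policy disables every protocol; the server could accept nothing")
    return enabled


def complies(protocol_name, policy):
    """True if the negotiated protocol is enabled by the policy."""
    return policy.get(protocol_name, False)


def build_server_hello(record_ver, hello_ver, cipher_suite, selected_ver=None):
    """Constructed sample data: a minimal ServerHello (zero random, empty session id)."""
    hello = bytes(hello_ver) + bytes(32) + b"\x00" + struct.pack("!H", cipher_suite) + b"\x00"
    if selected_ver is not None:
        ext = struct.pack("!HH", SUPPORTED_VERSIONS, 2) + bytes(selected_ver)
        hello += struct.pack("!H", len(ext)) + ext
    msg = bytes([SERVER_HELLO]) + len(hello).to_bytes(3, "big") + hello
    return bytes([HANDSHAKE]) + bytes(record_ver) + struct.pack("!H", len(msg)) + msg


def parse_server_hello(record):
    """Return the record-layer, ServerHello and negotiated protocol names.
    The negotiated level is the ServerHello version, overridden by the
    supported_versions extension when present (TLS 1.3). The record-layer
    version is a compatibility field and must not be reported as the
    connection's protocol."""
    if len(record) < 5 or record[0] != HANDSHAKE:
        raise ValueError("not a handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) < 4 or body[0] != SERVER_HELLO:
        raise ValueError("not a ServerHello")
    hello = body[4:4 + int.from_bytes(body[1:4], "big")]
    if len(hello) < 38:                    # version(2)+random(32)+sid_len(1)+suite(2)+comp(1)
        raise ValueError("truncated ServerHello")
    hello_ver = (hello[0], hello[1])
    pos = 34                               # skip version and random
    pos += 1 + hello[pos]                  # skip session_id
    if len(hello) < pos + 3:
        raise ValueError("truncated ServerHello")
    cipher_suite = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 3                               # cipher_suite(2) + compression(1)
    negotiated = hello_ver
    if len(hello) >= pos + 2:              # optional extensions block
        ext_end = pos + 2 + struct.unpack("!H", hello[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= min(ext_end, len(hello)):
            etype, elen = struct.unpack("!HH", hello[pos:pos + 4])
            pos += 4
            if etype == SUPPORTED_VERSIONS and elen == 2 and pos + 2 <= len(hello):
                negotiated = (hello[pos], hello[pos + 1])
            pos += elen
    return {
        "record_version": version_name((record[1], record[2])),
        "hello_version": version_name(hello_ver),
        "negotiated": version_name(negotiated),
        "cipher_suite": "0x%04X" % cipher_suite,
    }


if __name__ == "__main__":
    policy = parse_policy("-SSLV3 -TLS1_0 -TLS1_1")
    # A TLS 1.2 session whose record layer still says TLS 1.0, and a TLS 1.3
    # session whose hello field says TLS 1.2: reading the wrong field gives
    # the wrong protocol level in both cases.
    for rec in (build_server_hello((3, 1), (3, 3), 0xC02F),
                build_server_hello((3, 3), (3, 3), 0x1301, (3, 4))):
        info = parse_server_hello(rec)
        print(info, "allowed" if complies(info["negotiated"], policy) else "REJECTED")
```

The policy check mirrors what an operator wants after tightening the PROTOCOL operand: confirm from actual connections (NETSTAT IDENTIFY or SSLADMIN QUERY SESSIONS on z/VM, a captured ServerHello here) that only the enabled protocols are being negotiated, and treat a disabled protocol appearing in that output as a policy failure rather than a display quirk.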