ENABLE OR DISABLE SSL/TLS PROTOCOLS BASED UPON SECURITY POLICY FOR OLDER RELEASES (Z/VM 5.4 AND Z/VM 6.2)
 APAR Identifier ...... PI31200      Last Changed ........ 15/02/23
 ENABLE OR DISABLE SSL/TLS PROTOCOLS BASED UPON SECURITY POLICY
 FOR OLDER RELEASES (Z/VM 5.4 AND Z/VM 6.2)
 
 Symptom ...... NF NEWFUNCTION       Status ........... CLOSED  UR1
 Severity ................... 4      Date Closed ......... 15/02/23
 Component .......... 5735FAL00      Duplicate of ........
 Reported Release ......... 620      Fixed Release ............ 999
 Component Name TCP/IP V2 FOR V      Special Notice
 Current Target Date ..              Flags
 SCP ...................
 Platform ............
 
 Status Detail: SHIPMENT - Packaged solution is available for
                           shipment.
 
 PE PTF List:
 
 PTF List:
 Release 540   : UI25366 available 15/02/23 (1501 )
 Release 620   : UI25367 available 15/02/23 (1000 )
 Release 630   : UI25368 available 15/02/23 (1502 )
 
 Parent APAR:
 Child APAR list:
 
 ERROR DESCRIPTION:
 TCP/IP for z/VM 6.3 introduced the PROTOCOL operand for the SSL
 server, which allows one to enable or disable SSL/TLS protocols
 based upon local security policy.  However, older levels of
 TCP/IP for z/VM do not have this capability.
 
 This APAR introduces the PROTOCOL operand to z/VM 5.4 and z/VM
 6.2.
 
 Additionally, this APAR fixes a problem where an incorrect
 protocol level is displayed for connection information produced
 by the NETSTAT IDENTIFY and SSLADMIN QUERY SESSIONS commands.
 This correction applies to z/VM 5.4, z/VM 6.2, and z/VM 6.3.
 
 LOCAL FIX:
 
 PROBLEM SUMMARY:
 ****************************************************************
 * USERS AFFECTED: All users of the z/VM TCP/IP SSL (Secure     *
 *                 Socket Layer) server.                        *
 ****************************************************************
 * PROBLEM DESCRIPTION:                                         *
 ****************************************************************
 * RECOMMENDATION: APPLY PTF                                    *
 ****************************************************************
 TCP/IP for z/VM 6.3 introduced the PROTOCOL operand for the SSL
 server, which allows one to enable or disable SSL/TLS protocols
 based upon local security policy.  However, older levels of
 TCP/IP for z/VM do not have this capability.
 
 This APAR introduces the PROTOCOL operand to z/VM 5.4 and z/VM
 6.2.
 
 Additionally, this APAR fixes a problem where an incorrect
 protocol level is displayed for connection information produced
 by the NETSTAT IDENTIFY and SSLADMIN QUERY SESSIONS commands.
 This correction applies to z/VM 5.4, z/VM 6.2, and z/VM 6.3.
 
 PROBLEM CONCLUSION:
 
 TEMPORARY FIX:
 
 COMMENTS:
 For z/VM 5.4 and z/VM 6.2, the following code changes were
 made to provide PROTOCOL operand support:
 
  DTCUME.REPOS and SSLMESGS.H
   Added the protocol-related message.
 
  SSLADMIN.EXEC
   Changed program logic to show protocol detail information.
 
  SSLADMI5.C (SSLADMNP.C for z/VM 6.2)
   Added logic for reporting enabled and disabled protocol
   information.
 
  SSLCIPHS.C
   Added logic to parse the protocol string provided by VMSSL
   and to update the ciphers table based on the enabled
   protocols.
 
  SSLCIPH0.H
   Added API declarations for SSLCIPHS.C.
 
  SSLCONFG.H
   Added on/off switch declarations for the SSL/TLS protocols.
 
  SSLGSKCF.C
   Added logic to process all specified protocols and, for each
   protocol that is enabled, pass the appropriate parameters to
   the 'gsk_attribute_set_enum()' function to enable it.
 
  SSLSTART.C
   Added logic to process the protocol string provided by VMSSL
   and create individual protocol values; also added a call to
   SSLCIPHS.C to parse the protocol string.
 
  VMSSL.EXEC
   Added logic to handle the command set for the 'PROTOCOL'
   operand.
 
 To address the problem of an incorrect protocol level being
 reported as part of the NETSTAT IDENTIFY and SSLADMIN QUERY
 SESSIONS commands, the following changes have been made (for
 all levels: z/VM 5.4, z/VM 6.2, and z/VM 6.3):
 
  SSLGSKCF.C
   Added logic to report the protocol based on the connection
   protocol level.
 
 Documentation for the PROTOCOL operand added for the z/VM 5.4
 and z/VM 6.2 levels has been incorporated in updates to the
 VMSSL HELPTCP and QUERY HELPSSLA files.  This information can
 be reviewed by using the respective HELP commands:
 
  HELP TCPI VMSSL
  HELP SSLADMIN QUERY
 
 MODULES/MACROS:   DTCUME   DTCUMEB  QUERY    SSLADMIN SSLADMNP
 SSLCIPHS SSLGSKCF SSLREPRT SSLSTART VMSSL
 
 SRLS:      NONE
 
 RTN CODES:
 
 CIRCUMVENTION:
 
 MESSAGE TO SUBMITTER: