SYSTEM SSL V2.1 AND TLS/SSL SERVER UPGRADE
APAR Identifier ...... PI40702            Last Changed ........ 16/03/30
SYSTEM SSL V2.1 AND TLS/SSL SERVER UPGRADE
Symptom ...... NF NEWFUNCTION             Status ........... CLOSED UR1
Severity ................... 4            Date Closed ......... 15/09/10
Component .......... 5735FAL00            Duplicate of ........
Reported Release ......... 630            Fixed Release ............ 999
Component Name TCP/IP V2 FOR V            Special Notice
Current Target Date ..                    Flags
SCP ...................
Platform ............

Status Detail: SHIPMENT - Packaged solution is available for shipment.

PE PTF List:

PTF List:
Release 630   : UI31015 available 16/03/30 (1601 )

Parent APAR:
Child APAR list:

ERROR DESCRIPTION:
In order to maintain FIPS 140-2 and NIST SP 800-131A compliance, z/VM System SSL has been upgraded to z/OS V2.1 equivalency. This introduces internal support for a subset of the cryptographic primitives found in z/OS ICSF. Use of these primitives is restricted to IBM-provided applications such as the TLS/SSL Server.

This support requires updates to CMS and LE via APARs VM65717 and VM65718.

The TLS/SSL Server has been updated to exploit the following new functions:

- AES Galois/Counter Mode (AES GCM), a TLS 1.2 symmetric cipher mode. GCM is an authenticated-encryption (AEAD) mode: each record is integrity-protected as part of encryption, so it avoids the MAC-then-encrypt padding weaknesses of the CBC suites the server uses today.

- Enablement of DSA certificates in MODE NIST-800-131A, an update to the DSS (DSA) key sizes the server accepts for certificate signatures. NIST SP 800-131A requires DSA keys of at least 2048 bits, so DSA certificates meeting that minimum can now be used in that mode. (DSA is a signature algorithm; it is not used for asymmetric encryption.)

LOCAL FIX:

PROBLEM SUMMARY:
****************************************************************
* USERS AFFECTED: All users of the z/VM SSL server             *
****************************************************************
* PROBLEM DESCRIPTION:                                         *
****************************************************************
* RECOMMENDATION: APPLY PTF                                    *
****************************************************************
In order to maintain FIPS 140-2 and NIST SP 800-131A compliance, z/VM System SSL has been upgraded to z/OS V2.1 equivalency. This introduces internal support for a subset of the cryptographic primitives found in z/OS ICSF. Use of these primitives is restricted to IBM-provided applications such as the TLS/SSL servers. This support requires updates to CMS and LE via APARs VM65717 and VM65718.

The TLS/SSL Server has been updated to exploit the following new functions:

- AES Galois/Counter Mode (AES GCM), a TLS 1.2 authenticated-encryption cipher mode that replaces the CBC suites used today.

- Enablement of DSA certificates in MODE NIST-800-131A, an update to the DSS (DSA) key sizes the server accepts for certificate signatures.

PROBLEM CONCLUSION:

TEMPORARY FIX:

COMMENTS:
The main additions in System SSL 2.1 and the internal support for a subset of the z/OS ICSF cryptographic primitives are:

1. NIST SP 800-131A enhancements
2. Suite B Profile for TLS (RFC 5430) support
3. Elliptic Curve Cryptography (ECC) support
4. AES Galois/Counter Mode (GCM) support

The major changes to the TLS/SSL server are:

1. Update the cipher list for AES GCM in SSLCIPHS.C
2. Report AES GCM availability by changing CMCOMM.COPY and CMNETST.PASCAL
3. Add a new socket call that returns an input vector (the per-record GCM nonce) for AES GCM from the TCP/IP stack; GCM's security depends on that nonce never being reused under the same key
4. Update the cipher list to re-enable DSA for MODE NIST-800-131A
5. Change the function that determines the key bit length of the certificate in use for a session so that it supports the DSA algorithm

MODULES/MACROS:
CMCOMM CMNETST CMPRCOM CMSOCK GSKCMS31 GSKC31 GSKC31F GSKKYMAN GSKMSGA GSKMSGS GSKSSL GSKSUS31 GSKS31 GSKS31F GSKTRACE ICSFLIB SSLCIPHS SSLGSKCF SSLMNTOR TCIUCAPI TCPBL492 TCPEQUAT TCPIP TCSOCKRE TCVAR

SRLS: NONE

RTN CODES:

CIRCUMVENTION:

MESSAGE TO SUBMITTER:
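The two policy points this APAR implements, prefer AES-GCM suites over CBC and enforce NIST SP 800-131A key sizes (including for the DSA certificates re-enabled in MODE NIST-800-131A), can be checked offline against any TLS 1.2 configuration. The following Python is an added example, not code from the APAR or from IBM: it parses IANA cipher-suite names (an assumption; the z/VM server's SSLCIPHS.C table uses its own names), applies the SP 800-131A minimums of 2048 bits for RSA/DSA and 224 bits for ECC, and runs over a constructed cipher list and certificate inventory.

```python
"""Added example (not from the APAR or IBM): audit a TLS 1.2 cipher list and a
certificate-key inventory against (1) AES-GCM/AEAD instead of CBC and
(2) NIST SP 800-131A minimum key sizes. Suite names are IANA TLS 1.2 names;
every input below is a constructed sample."""
import re
from dataclasses import dataclass

# SP 800-131A minimum key sizes for digital-signature keys (112-bit security):
# RSA and DSA moduli >= 2048 bits, ECC curve order >= 224 bits.
MIN_KEY_BITS = {"RSA": 2048, "DSA": 2048, "EC": 224}

# TLS_<kx[_auth]>_WITH_<cipher>[_<hash>], e.g. TLS_DHE_DSS_WITH_AES_128_GCM_SHA256
SUITE_RE = re.compile(
    r"^TLS_(?P<kx>[A-Za-z]+(?:_[A-Za-z]+)?)_WITH_(?P<cipher>.+?)"
    r"(?:_(?P<mac>SHA(?:256|384)?|MD5))?$")


@dataclass(frozen=True)
class SuiteVerdict:
    name: str
    kx: str        # key exchange / authentication part, e.g. "ECDHE_RSA"
    mode: str      # "AEAD", "CBC", "STREAM" or "UNKNOWN"
    ok: bool
    reason: str


def assess_suite(name):
    """Accept only AEAD suites; CBC, RC4 and NULL suites are rejected."""
    m = SUITE_RE.match(name)
    if not m:
        return SuiteVerdict(name, "", "UNKNOWN", False, "not a TLS 1.2 IANA suite name")
    kx, cipher = m["kx"], m["cipher"]
    if cipher.endswith(("_GCM", "_CCM", "_CCM_8")) or "CHACHA20_POLY1305" in cipher:
        return SuiteVerdict(name, kx, "AEAD", True, "authenticated encryption mode")
    if "_CBC" in cipher:
        return SuiteVerdict(name, kx, "CBC", False,
                            "MAC-then-encrypt CBC suite; move to a GCM suite")
    if cipher.startswith("RC4") or cipher == "NULL":
        return SuiteVerdict(name, kx, "STREAM", False,
                            f"{cipher} provides no acceptable confidentiality")
    return SuiteVerdict(name, kx, "UNKNOWN", False, f"unrecognised cipher {cipher}")


def assess_cert_key(algorithm, bits):
    """Mirror the server-side check of the certificate key length for a session."""
    minimum = MIN_KEY_BITS.get(algorithm.upper())
    if minimum is None:
        return False, f"{algorithm}: key algorithm not covered by this policy"
    if bits < minimum:
        return False, (f"{algorithm} {bits}-bit key is below the SP 800-131A "
                       f"minimum of {minimum} bits")
    return True, f"{algorithm} {bits}-bit key meets SP 800-131A"


def audit(suites, certs):
    """Compliant only if every suite is AEAD (and at least one exists) and every
    certificate key meets its minimum size. certs: (label, algorithm, bits)."""
    verdicts = [assess_suite(s) for s in suites]
    key_results = {label: assess_cert_key(alg, bits) for label, alg, bits in certs}
    rejected = [v.name for v in verdicts if not v.ok]
    weak_keys = [label for label, (ok, _) in key_results.items() if not ok]
    return {
        "compliant": not rejected and not weak_keys and any(v.ok for v in verdicts),
        "accepted_suites": [v.name for v in verdicts if v.ok],
        "rejected_suites": rejected,
        "reasons": {v.name: v.reason for v in verdicts if not v.ok},
        "weak_keys": weak_keys,
        "key_reasons": {label: msg for label, (_, msg) in key_results.items()},
    }


# Constructed sample: a mixed TLS 1.2 cipher list and a certificate inventory.
SAMPLE_SUITES = [
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_DHE_DSS_WITH_AES_128_GCM_SHA256",   # DSA-authenticated GCM suite
    "TLS_RSA_WITH_AES_256_CBC_SHA",          # CBC: flagged
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",         # CBC and 3DES: flagged
]
SAMPLE_CERTS = [
    ("legacy-dsa", "DSA", 1024),   # too small for MODE NIST-800-131A
    ("server-dsa", "DSA", 2048),
    ("server-ec", "EC", 256),
]

if __name__ == "__main__":
    for key, value in audit(SAMPLE_SUITES, SAMPLE_CERTS).items():
        print(f"{key}: {value}")
```

On the sample input the report is non-compliant: the two CBC suites are rejected and the 1024-bit DSA key is listed under weak_keys, while the DSS-authenticated GCM suite and the 2048-bit DSA certificate pass, which is exactly the combination the APAR's cipher-list and key-length changes are meant to admit.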