MISLEADING MESSAGE DTCSSL506E
APAR Identifier ...... PI83256
Last Changed ........ 17/11/24

Symptom ...... IN INCORROUT
Status ........... CLOSED PER
Severity ................... 4
Date Closed ......... 17/07/21
Component .......... 5735FAL00
Duplicate of ........
Reported Release ......... 630
Fixed Release ............ 999
Component Name TCP/IP FOR Z/VM
Special Notice
Current Target Date ..
Flags
SCP ...................
Platform ............

Status Detail: SHIPMENT - Packaged solution is available for shipment.

PE PTF List:

PTF List:
Release 630 : UI49048 available 17/07/25 (1000 )
Release 640 : UI49049 available 17/07/25 (1702 )

Parent APAR:
Child APAR list:

ERROR DESCRIPTION:
SSL message DTCSSL506E is a NIST-800-131A mode specific message
which is being issued when NIST-800-131A mode is not enabled.
This is misleading and makes problem determination difficult.

LOCAL FIX:
N/A

PROBLEM SUMMARY:
****************************************************************
* USERS AFFECTED: All users of z/VM TCP/IP using SSL to        *
*                 secure connections.                          *
****************************************************************
* PROBLEM DESCRIPTION:                                         *
****************************************************************
* RECOMMENDATION: APPLY PTF                                    *
****************************************************************
When securing a connection using SSL, a gsk_secure_socket_init
call is done to initiate the handshake. If a 440 return code is
received as a result of this call, the error message DTCSSL506E
is displayed indicating 'Key exchange lengths less than 2048 are
not supported in NIST 800-131A mode' even if NIST mode has not
been specified.

PROBLEM CONCLUSION:
The h_hshake routine in part SSLGSKCF C has been updated when
processing a 440 return code. If NIST mode has not been
specified, new message DTCSSL507E will now be displayed.
This new message will be added to Chapter 17 of the z/VM TCP/IP
Messages and Codes manual (GC24-6237-08) as follows:

DTCSSL507E Key usage extension certificate does not permit the
requested key operation.

Explanation: The key usage extension does not permit the
requested key operation. This error can occur if the key usage
extension of the client or server certificate (if any) does not
allow the appropriate key usage.

System action: Server operation continues. The subject secure
connection is terminated.

System programmer response: Specify a certificate with the
appropriate key usage. If the gskkyman utility was used to
create either the client (user) or server end-entity
certificate, ensure that the appropriate option was selected
from the Certificate Usage menu to create a client (user) or
server certificate. The Certificate Usage menu consists of
options for creating certificate authority and client (user) /
server end-entity certificates.

TEMPORARY FIX:

COMMENTS:

MODULES/MACROS: SSLGSKCF SSLREPRT

SRLS: GC24623708

RTN CODES:

CIRCUMVENTION:

MESSAGE TO SUBMITTER: