MISLEADING MESSAGE DTCSSL506E


 
 APAR Identifier ...... PI83256      Last Changed ........ 17/11/24            
                                                                               
 Symptom ...... IN INCORROUT         Status ........... CLOSED  PER            
 Severity ................... 4      Date Closed ......... 17/07/21            
 Component .......... 5735FAL00      Duplicate of ........                     
 Reported Release ......... 630      Fixed Release ............ 999            
 Component Name TCP/IP FOR Z/VM      Special Notice                            
 Current Target Date ..              Flags                                     
 SCP ...................                                                       
 Platform ............                                                         
                                                                               
 Status Detail: SHIPMENT - Packaged solution is available for                  
                           shipment.                                           
                                                                               
 PE PTF List:                                                                  
                                                                               
 PTF List:                                                                     
 Release 630   : UI49048 available 17/07/25 (1000 )                            
 Release 640   : UI49049 available 17/07/25 (1702 )                            
                                                                               
 Parent APAR:                                                                  
 Child APAR list:                                                              
                                                                               
 ERROR DESCRIPTION:                                                            
 SSL message DTCSSL506E is specific to NIST-800-131A mode, but it
 is also issued when NIST-800-131A mode is not enabled.
 This is misleading and makes problem determination difficult.
                                                                               
 LOCAL FIX:                                                                    
  N/A                                                                          
                                                                               
 PROBLEM SUMMARY:                                                              
 ****************************************************************              
 * USERS AFFECTED: All users of z/VM TCP/IP using SSL to        *              
 *                 secure connections.                          *              
 ****************************************************************              
 * PROBLEM DESCRIPTION:                                         *              
 ****************************************************************              
 * RECOMMENDATION: APPLY PTF                                    *              
 ****************************************************************              
 When securing a connection using SSL, a gsk_secure_socket_init
 call is made to initiate the handshake.  If this call returns a
 440 return code, error message DTCSSL506E is displayed, indicating
 'Key exchange lengths less than 2048 are not supported in NIST
 800-131A mode', even if NIST mode has not been specified.
                                                                               
 PROBLEM CONCLUSION:                                                           
 The h_hshake routine in part SSLGSKCF C has been updated in how
 it processes a 440 return code.  If NIST mode has not been
 specified, new message DTCSSL507E will now be displayed.
 This new message will be added to Chapter 17 of the                           
 z/VM TCP/IP Messages and Codes manual (GC24-6237-08) as                       
 follows:                                                                      
                                                                               
 DTCSSL507E  Key usage extension certificate does not permit                   
             the requested key operation.                                      
                                                                               
 Explanation:  The key usage extension does not permit the                     
     requested key operation.  This error can occur if the                     
     key usage extension of the client or server certificate                   
     (if any) does not allow the appropriate key usage.                        
                                                                               
 System action:  Server operation continues.  The subject                      
     secure connection is terminated.                                          
                                                                               
 System programmer response:  Specify a certificate with the                   
     appropriate key usage.  If the gskkyman utility was used                  
     to create either the client (user) or server end-entity                   
     certificate, ensure that the appropriate option was                       
     selected from the Certificate Usage menu to create a                      
     client (user) or server certificate.  The Certificate                     
     Usage menu consists of options for creating certificate                   
     authority and client (user) / server end-entity                           
     certificates.                                                             
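
 The condition behind DTCSSL507E, as an added example (not IBM's code and not part of this APAR): it decodes a certificate's KeyUsage extension and tests whether a TLS key operation is permitted, using the bit numbers of RFC 5280 and the requirements of RFC 5246. The function names, the key_op enum and the sample byte strings are constructed for illustration; how System SSL performs its own check is not shown on this page.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* KeyUsage bit numbers from RFC 5280 section 4.2.1.3; the bit required for
 * each TLS key operation follows RFC 5246 section 7.4.2. */
typedef enum { OP_RSA_KEY_EXCHANGE, OP_SIGN_HANDSHAKE, OP_STATIC_DH } key_op;
static const int NEEDED_BIT[] = { 2 /* keyEncipherment */, 0 /* digitalSignature */,
                                  4 /* keyAgreement */ };

/* Constructed sample extension values (DER BIT STRING: 03 len unused bits). */
static const uint8_t KU_SERVER[] = { 0x03, 0x02, 0x05, 0xA0 }; /* digSig + keyEnc */
static const uint8_t KU_CA[]     = { 0x03, 0x02, 0x01, 0x06 }; /* certSign + cRLSign */
static const uint8_t KU_BAD[]    = { 0x04, 0x02, 0x05, 0xA0 }; /* wrong tag */

/* Decode into a mask where KeyUsage bit n is (0x8000 >> n); -1 if malformed. */
static long decode_key_usage(const uint8_t *der, size_t len)
{
    if (len < 4 || len > 5 || der[0] != 0x03 ||
        (size_t)der[1] != len - 2 || der[2] > 7)
        return -1;
    long mask = 0;
    for (size_t i = 3; i < len; i++)
        mask |= (long)der[i] << (8 * (4 - i));
    /* Clear the padding bits that DER says are unused in the last octet. */
    return mask & ~(((1L << der[2]) - 1) << (8 * (5 - len)));
}

/* 1 = permitted, 0 = refused, -1 = malformed extension.
 * der == NULL means the certificate has no KeyUsage extension: unrestricted. */
int key_usage_permits(const uint8_t *der, size_t len, key_op op)
{
    if (der == NULL)
        return 1;
    long mask = decode_key_usage(der, len);
    if (mask < 0)
        return -1;
    return (mask & (0x8000L >> NEEDED_BIT[op])) ? 1 : 0;
}

int main(void)
{
    printf("server cert, RSA key exchange: %d\n",
           key_usage_permits(KU_SERVER, sizeof KU_SERVER, OP_RSA_KEY_EXCHANGE));
    printf("CA-usage cert, RSA key exchange: %d\n",
           key_usage_permits(KU_CA, sizeof KU_CA, OP_RSA_KEY_EXCHANGE));
    printf("malformed extension: %d\n",
           key_usage_permits(KU_BAD, sizeof KU_BAD, OP_SIGN_HANDSHAKE));
    return 0;
}
```

 A certificate carrying only certificate-authority usages (the KU_CA sample) is refused for both RSA key exchange and handshake signing, which is the mismatch the system programmer response asks you to rule out.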
                                                                               
 TEMPORARY FIX:                                                                
                                                                               
 COMMENTS:                                                                     
                                                                               
 MODULES/MACROS:                                                               
 SSLGSKCF SSLREPRT                                                             
                                                                               
 SRLS:                                                                         
 GC24623708                                                                    
                                                                               
 RTN CODES:                                                                    
                                                                               
 CIRCUMVENTION:                                                                
                                                                               
 MESSAGE TO SUBMITTER: