TELNET SECURECONNECTION PCOMM/OBEYFILE CORRECTIONS
APAR Identifier ...... PM23344      Last Changed ........ 11/11/04
Symptom ...... IN INCORROUT         Status ........... CLOSED  UR3
Severity ................... 3      Date Closed ......... 11/02/22
Component .......... 5735FAL00      Duplicate of ........
Reported Release ......... 540      Fixed Release ............ 610
Component Name TCP/IP V2 FOR V      Special Notice
Current Target Date ..              Flags
SCP ...................
Platform ............

Status Detail: SHIPMENT - Packaged solution is available for
               shipment.

PE PTF List:

PTF List:
Release 540   : UK65126 available 11/02/23 (1102 )
Release 610   : UK65127 available 11/02/23 (1101 )

Parent APAR:
Child APAR list:

ERROR DESCRIPTION:
Attempts to establish a secure TLS connection, using the IBM
Personal Communications (PCOMM) Telnet client, fail when
SECURECONNECTION ALLOWED is specified as part of the
INTERNALCLIENTPARMS statement used for configuration of the
Telnet server. No z/VM TCPIP server messages indicate such a
failure, while the PCOMM client is seen to hang with no errors
reported.

LOCAL FIX:
Use a SECURECONNECTION operand other than ALLOWED (either
PREFERRED or REQUIRED) for the TLS configuration.

PROBLEM SUMMARY:
****************************************************************
* USERS AFFECTED: All users of the z/VM Telnet server          *
*                 configured for secure connections.           *
*                                                              *
****************************************************************
* PROBLEM DESCRIPTION:                                         *
****************************************************************
* RECOMMENDATION: APPLY PTF                                    *
****************************************************************
Issues fixed in this APAR:

(1) Connections to the z/VM Telnet server initiated by a PCOMM
    Telnet Client will hang, if option SECURECONNECTION ALLOWED
    is included in the INTERNALCLIENTPARMS section of the TCP/IP
    server configuration file.
(2) If the z/VM Telnet server is managing any secure
    connections, and the SECURECONNECTION configuration is
    altered to any value other than NEVER via an OBEYFILE
    command, the Pascal assertion failure shown below will be
    reported in the TCP/IP server console:

    AMPX036I ASSERTION FAILURE CHECKING ERROR
       TRACE BACK OF CALLED ROUTINES
    ROUTINE               STMT AT ADDRESS IN MODULE
    SETTIMER                 2   00C3C972   TCCLITM_CLIENTTIMER
    DOQUERYTLS              23   00C238CA   TNSTMAS_STMASTER
    REINITINTERNALCLIENT   165   00C29FAC   TNSTMAS_STMASTER
    PARSEOPTION            413   00C90DDC   TCPARSE_PARSETCP
    USENEWFILE              14   00C917C4   TCPARSE_PARSETCP
    DOMONITORCOMMAND        32   00C59F22   TCMON_MONITOR
    MONITOR                 27   00C61FEA   TCMON_MONITOR
    Schedule              2082   00CD88DC
    <MAIN-PROGRAM>          14   00C171FE   TCPIP
    VSPASCAL                     00E4685A

    AMPX036I ASSERTION FAILURE CHECKING ERROR
       TRACE BACK OF CALLED ROUTINES
    ROUTINE               STMT AT ADDRESS IN MODULE
    CLEARTIMER               2   00C3CA78   TCCLITM_CLIENTTIM
    TCPNOTEGOTTEN          151   00C26FD6   TNSTMAS_STMASTER
    INTCLIPROC              17   00C28994   TNSTMAS_STMASTER
    Schedule              2082   00CD88DC
    <MAIN-PROGRAM>          14   00C171FE   TCPIP
    VSPASCAL                     00E4685A

PROBLEM CONCLUSION:

TEMPORARY FIX:

COMMENTS:
With the changes introduced by this APAR, attempts by PCOMM to
start the TLS sub-negotiation prior to a completed TLS
negotiation will now be ignored by the z/VM Telnet server. If
such attempts are detected, a new message DTCSTM353I will be
reported in the TCP/IP server console.

DTCSTM353I Conn <conn>: TLS sub-negotiation prior to completed TLS negotiation has been ignored

Explanation: A telnet client attempted to send a FOLLOWS
sub-command before both partners involved in an SSL
client-server conversation have agreed on the TLS negotiation.

System Action: The FOLLOWS command is ignored, processing
continues.

User Response: None.

However, attempts to connect to a z/VM Telnet server configured
with SECURECONNECTION NEVER using a PCOMM client configured for
a secure connection will now hang instead of abort. At the
closing of this APAR, this issue remains under investigation by
PCOMM development.
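An illustration of the ordering check that message DTCSTM353I describes, added here and not IBM's code: a minimal server-side gate that accepts the START_TLS FOLLOWS sub-command only after both DO START_TLS and WILL START_TLS have been exchanged. The option code 46 and the FOLLOWS value 1 are taken from the Telnet START_TLS Internet-Draft, not from this APAR; the class, its method names, and connection number 1004 are hypothetical.

```python
IAC, SB, SE, WILL, DO = 255, 250, 240, 251, 253  # RFC 854 command bytes
START_TLS, FOLLOWS = 46, 1   # START_TLS draft values (assumed, not in the APAR)

class StartTlsGate:
    """Tracks START_TLS option state for one connection, server side."""

    def __init__(self, conn):
        self.conn = conn
        self.sent_do = False     # server has sent IAC DO START_TLS
        self.got_will = False    # client has sent IAC WILL START_TLS
        self.tls_ready = False   # a FOLLOWS was accepted; handshake may start
        self.console = []        # messages a server would write to its console

    def server_sends_do(self):
        """Record that the server agreed to the option; return the bytes sent."""
        self.sent_do = True
        return bytes([IAC, DO, START_TLS])

    def feed(self, data):
        """Process client bytes; return how many FOLLOWS were ignored."""
        ignored, i = 0, 0
        while i < len(data):
            if data[i] != IAC:
                i += 1                      # ordinary data byte
            elif data[i + 1:i + 3] == bytes([WILL, START_TLS]):
                self.got_will = True
                i += 3
            elif data[i + 1:i + 6] == bytes([SB, START_TLS, FOLLOWS, IAC, SE]):
                if self.sent_do and self.got_will:
                    self.tls_ready = True   # in order: handshake may begin
                else:
                    ignored += 1            # out of order: drop it and log
                    self.console.append(
                        f"DTCSTM353I Conn {self.conn}: TLS sub-negotiation prior "
                        "to completed TLS negotiation has been ignored")
                i += 6
            else:
                i += 2                      # other command: skip IAC + command
        return ignored

def demo():
    """Constructed exchange: client sends FOLLOWS before the server's DO."""
    gate = StartTlsGate(1004)
    follows = bytes([IAC, SB, START_TLS, FOLLOWS, IAC, SE])
    early = gate.feed(bytes([IAC, WILL, START_TLS]) + follows)
    gate.server_sends_do()
    late = gate.feed(follows)
    return early, late, gate.tls_ready, gate.console
```
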
In addition, the z/VM Telnet client (TELNET MODULE) has been
modified to enforce protocol by ignoring out-of-order requests
after WILL START_TLS has been initiated. Note that this is a
preventive fix. There is no scenario currently known where the
previous behavior would result in a problem.

Documentation for this new message will be included in any
future updates to the following publication:

GC24-6124-04 -- z/VM: TCP/IP Level 540 Messages and Codes
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Chapter 19. TCP/IP Server Messages
Page(s): 475

New Message Text:

DTCSTM353I Conn <conn>: TLS sub-negotiation prior to completed TLS negotiation has been ignored

Explanation: A telnet client attempted to send a FOLLOWS
sub-command before both partners involved in an SSL
client-server conversation have agreed on the TLS negotiation.

System Action: The FOLLOWS command is ignored, processing
continues.

User Response: None.

MODULES/MACROS:
ALLMACRO MSTCP    TCPIP    TELNET   TNSTIN   TNSTMAS  TNTOCP
TNUTMAS

SRLS:

RTN CODES:

CIRCUMVENTION:
To avoid hangs in PCOMM when connecting to the z/VM Telnet
server using a secure connection, make sure that you have
configured the z/VM Telnet server using either option
SECURECONNECTION PREFERRED or SECURECONNECTION REQUIRED instead
of SECURECONNECTION ALLOWED.

To avoid the AMPX assertion failures, modify the stack's
profile and restart the stack instead of using OBEYFILE.

MESSAGE TO SUBMITTER: