TELNET SECURECONNECTION PCOMM/OBEYFILE CORRECTIONS


 
 APAR Identifier ...... PM23344      Last Changed ........ 11/11/04
 
 Symptom ...... IN INCORROUT         Status ........... CLOSED  UR3
 Severity ................... 3      Date Closed ......... 11/02/22
 Component .......... 5735FAL00      Duplicate of ........
 Reported Release ......... 540      Fixed Release ............ 610
 Component Name TCP/IP V2 FOR V      Special Notice
 Current Target Date ..              Flags
 SCP ...................
 Platform ............
 
 Status Detail: SHIPMENT - Packaged solution is available for
                           shipment.
 
 PE PTF List:
 
 PTF List:
 Release 540   : UK65126 available 11/02/23 (1102 )
 Release 610   : UK65127 available 11/02/23 (1101 )
 
 Parent APAR:
 Child APAR list:
 
 ERROR DESCRIPTION:
 Attempts to establish a secure TLS connection, using the IBM
 Personal Communications (PCOMM) Telnet client, fail when
 SECURECONNECTION ALLOWED is specified as part of the
 INTERNALCLIENTPARMS statement used for configuration of the
 Telnet server.  No z/VM TCPIP server messages indicate such a
 failure, while the PCOMM client is seen to hang with no errors
 reported.
 
 LOCAL FIX:
 Use a SECURECONNECTION operand other than ALLOWED (either
 PREFERRED or REQUIRED) for the TLS configuration.
 
 PROBLEM SUMMARY:
 ****************************************************************
 * USERS AFFECTED: All users of the z/VM Telnet server          *
 *                 configured for secure connections.           *
 *                                                              *
 ****************************************************************
 * PROBLEM DESCRIPTION:                                         *
 ****************************************************************
 * RECOMMENDATION: APPLY PTF                                    *
 ****************************************************************
 Issues fixed in this APAR:
 
 (1) Connections to the z/VM Telnet server initiated by a
     PCOMM Telnet client hang if the option
 
        SECURECONNECTION ALLOWED
 
     is included in the INTERNALCLIENTPARMS section of the
     TCP/IP server configuration file.
 
 (2) If the z/VM Telnet server is managing any secure
     connections, and the SECURECONNECTION configuration is
     altered to any value other than NEVER via an OBEYFILE
     command, the Pascal assertion failure shown below will be
     reported in the TCP/IP server console:
 
       AMPX036I ASSERTION FAILURE CHECKING ERROR
             TRACE BACK OF CALLED ROUTINES
        ROUTINE               STMT AT ADDRESS IN MODULE
         SETTIMER                2   00C3C972 TCCLITM_CLIENTTIMER
         DOQUERYTLS             23   00C238CA TNSTMAS_STMASTER
         REINITINTERNALCLIENT  165   00C29FAC TNSTMAS_STMASTER
         PARSEOPTION           413   00C90DDC TCPARSE_PARSETCP
         USENEWFILE             14   00C917C4 TCPARSE_PARSETCP
         DOMONITORCOMMAND       32   00C59F22 TCMON_MONITOR
         MONITOR                27   00C61FEA TCMON_MONITOR
         Schedule             2082   00CD88DC
         <MAIN-PROGRAM>         14   00C171FE TCPIP
         VSPASCAL                    00E4685A
 
       AMPX036I ASSERTION FAILURE CHECKING ERROR
             TRACE BACK OF CALLED ROUTINES
        ROUTINE               STMT AT ADDRESS IN MODULE
         CLEARTIMER              2   00C3CA78 TCCLITM_CLIENTTIM
         TCPNOTEGOTTEN         151   00C26FD6 TNSTMAS_STMASTER
         INTCLIPROC             17   00C28994 TNSTMAS_STMASTER
         Schedule             2082   00CD88DC
         <MAIN-PROGRAM>         14   00C171FE TCPIP
         VSPASCAL                    00E4685A
 
 PROBLEM CONCLUSION:
 
 TEMPORARY FIX:
 
 COMMENTS:
 With the changes introduced by this APAR, attempts by PCOMM to
 start the TLS sub-negotiation prior to a completed TLS
 negotiation will now be ignored by the z/VM Telnet server.
 If such attempts are detected, a new message DTCSTM353I will be
 reported in the TCP/IP server console.
 
   DTCSTM353I Conn <conn>: TLS sub-negotiation prior to completed
   TLS negotiation has been ignored
   Explanation: A telnet client attempted to send a FOLLOWS
   sub-command before both partners involved in an SSL
   client-server conversation have agreed on the TLS negotiation.
   System Action: The FOLLOWS command is ignored, processing
   continues.
   User Response: None.
 
 However, attempts to connect to a z/VM Telnet server configured
 with
 
     SECURECONNECTION NEVER
 
 using a PCOMM client configured for a secure connection will now
 hang instead of aborting.
 At the closing of this APAR, this issue remains under
 investigation by PCOMM development.
 
 In addition, the z/VM Telnet client (TELNET MODULE) has been
 modified to enforce the protocol by ignoring out-of-order
 requests after WILL START_TLS has been initiated.
 Note that this is a preventive fix. There is no scenario
 currently known where the previous behavior would result in a
 problem.
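
 The ordering rule described above, as an added example that is not
 part of the APAR and is not z/VM code: a simplified server-side model
 that ignores a FOLLOWS sub-command arriving before START_TLS has been
 agreed and logs the DTCSTM353I text. The class and function names are
 hypothetical, the byte values are the standard Telnet command codes
 and the option numbers from the Telnet START_TLS draft, and the
 server's own FOLLOWS reply is an assumption of the model.

```python
# Added example: simplified model of START_TLS ordering, not z/VM code.
IAC, DO, WILL, SB, SE = 255, 253, 251, 250, 240   # Telnet command bytes
START_TLS, FOLLOWS = 46, 1    # option / sub-command per the START_TLS draft
MSG = ("DTCSTM353I Conn {}: TLS sub-negotiation prior to completed "
       "TLS negotiation has been ignored")

class StartTlsServer:
    def __init__(self, conn_id):
        self.conn_id = conn_id
        self.agreed = False           # WILL/DO START_TLS exchanged
        self.handshake_ready = False  # in-order FOLLOWS accepted
        self.sent, self.console = [], []

    def feed(self, data):
        """Process bytes from the client; assumes whole commands per call."""
        i = 0
        while i + 2 < len(data):
            if data[i] != IAC:
                i += 1                          # ordinary data: not modelled
            elif data[i + 1] == WILL and data[i + 2] == START_TLS:
                if not self.agreed:
                    self.sent.append(bytes([IAC, DO, START_TLS]))
                    self.agreed = True
                i += 3
            elif data[i + 1] == SB:
                end = data.find(bytes([IAC, SE]), i + 2)
                if end < 0:
                    break                       # unterminated sub-negotiation
                self._subneg(data[i + 2:end])
                i = end + 2
            else:
                i += 1                          # other commands: skipped

    def _subneg(self, payload):
        if payload != bytes([START_TLS, FOLLOWS]):
            return                              # not a START_TLS FOLLOWS
        if not self.agreed:                     # out of order: ignore and log
            self.console.append(MSG.format(self.conn_id))
            return
        self.sent.append(bytes([IAC, SB, START_TLS, FOLLOWS, IAC, SE]))
        self.handshake_ready = True             # TLS handshake would start here

def demo():
    early = bytes([IAC, SB, START_TLS, FOLLOWS, IAC, SE])   # constructed input
    srv = StartTlsServer(7)
    srv.feed(early)                             # FOLLOWS before WILL: ignored
    ignored = (srv.handshake_ready, list(srv.console))
    srv.feed(bytes([IAC, WILL, START_TLS]) + early)          # correct order
    return ignored, srv.handshake_ready, srv.sent
```

 The model does not cover the SECURECONNECTION NEVER case, which the
 APAR leaves open on the PCOMM side.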
 
 Documentation for this new message will be included in any
 future updates to the following publication:
 
 GC24-6124-04 -- z/VM: TCP/IP Level 540 Messages and Codes
 
 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
 Chapter 19.  TCP/IP Server Messages
 Page(s): 475
 
 New Message Text:
 
   DTCSTM353I Conn <conn>: TLS sub-negotiation prior to completed
   TLS negotiation has been ignored
 
 Explanation:
   A telnet client attempted to send a FOLLOWS sub-command
   before both partners involved in an SSL client-server
   conversation have agreed on the TLS negotiation.
 
 System Action:
   The FOLLOWS command is ignored, processing continues.
 
 User Response:
   None.
 
 MODULES/MACROS:   ALLMACRO MSTCP    TCPIP    TELNET   TNSTIN
 TNSTMAS  TNTOCP   TNUTMAS
 
 SRLS:
 
 RTN CODES:
 
 CIRCUMVENTION:
 To avoid hangs in PCOMM when connecting to the z/VM Telnet
 server using a secure connection, make sure that you
 have configured the z/VM Telnet server using either option
 
   SECURECONNECTION PREFERRED
 
 or
 
   SECURECONNECTION REQUIRED
 
 instead of
 
   SECURECONNECTION ALLOWED
 
 To avoid the AMPX assertion failures, modify the stack's
 profile and restart the stack instead of using OBEYFILE.
 
 MESSAGE TO SUBMITTER: