TCP/IP SERVER UPDATES FOR SSL SERVER SUPPORT


 
 APAR Identifier ...... PK73085      Last Changed ........ 09/03/24
 TCP/IP SERVER UPDATES FOR SSL SERVER SUPPORT
 
 Symptom ...... IN INCORROUT         Status ........... CLOSED  PER
 Severity ................... 4      Date Closed ......... 08/12/02
 Component .......... 5735FAL00      Duplicate of ........
 Reported Release ......... 540      Fixed Release ............ 999
 Component Name TCP/IP V2 FOR V      Special Notice           HIPER
 Current Target Date ..              Flags
 SCP ...................               FUNCTIONLOSS
 Platform ............
 
 Status Detail: SHIPMENT - Packaged solution is available for
                           shipment.
 
 PE PTF List:
 
 PTF List:
 Release 540   : UK40952 available 08/12/12 (0901 )
 
 Parent APAR:
 Child APAR list:
 
 ERROR DESCRIPTION:
 Socket-related modifications are needed in the TCP/IP
 server to correct problems that cause the z/VM 540 SSL
 server to loop and report the socket errors cited here:
 ...
 DTCSSL050E mainSSL accept failed with  rc: -1 errno: 122
 DTCSSL050E mainSSL accept failed with  rc: -1 errno: 113
 ...
 
 LOCAL FIX:
 NONE.
 
 PROBLEM SUMMARY:
 ****************************************************************
 * USERS AFFECTED: ALL USERS OF THE Z/VM SSL SERVER             *
 ****************************************************************
 * PROBLEM DESCRIPTION:                                         *
 ****************************************************************
 * RECOMMENDATION: APPLY PTF                                    *
 ****************************************************************
 After establishing multiple SSL protected connections using
 the z/VM SSL server, when all connections are terminated
 simultaneously, the following error messages may be reported
 continuously on the SSL server console:
 
   ....
   DTCSSL050E mainSSL accept failed with  rc: -1 errno: 122
   DTCSSL050E mainSSL accept failed with  rc: -1 errno: 113
   ....
 
 While the SSL server is in the above condition, the TCP/IP
 stack console may report the following error messages:
 
   ....
   hh:mm:ss DTCAPI001I IucvCheckRc: IUCV retcc 2 iprcode 0 on
                          path n function 6
   hh:mm:ss DTCAPI002I    Userid SSLSERV TheSockNumber nn
   ....
 
 PROBLEM CONCLUSION:
 PROBLEM:
    When the SSL server handles the closing of an SSL connection,
    the TCP/IP server is told to cancel a prior socket RECV
    operation.  However, the socket CANCEL requires that the
    TCP/IP server report return code -1 and errno 1009 to the
    RECV operation being canceled.   If the OpenExtensions
    socket library performs the CANCEL of the prior RECV and
    returns to the application before SkSimpleResponse in the
    TCP/IP server issues IUCV REPLY for the canceled operation,
    the IUCV REPLY may fail unnoticed with CC=1 IPRCODE=X'18'.
    As a result of the failure, SkSimpleResponse calls
    SSkSimpleResponse.  SSkSimpleResponse also attempts an
    IUCV REPLY, which fails; the following error message is
    displayed and the IUCV connection between TCP/IP and the
    SSL server is severed.
 
    hh:mm:ss DTCAPI001I IucvCheckRc: IUCV retcc 2 iprcode 0 on
                        path n function 6
    hh:mm:ss DTCAPI002I    Userid SSLSERV TheSockNumber nn
 
    The severing of the IUCV path results in the SSL server
    failing and continuously producing the error messages:
 
    ...
    DTCSSL050E mainSSL accept failed with  rc: -1 errno: 122
    DTCSSL050E mainSSL accept failed with  rc: -1 errno: 113
    ...
 
 APARs PK73085 and VM64540 are required to fix both of these
 problems related to SSL.
 
 SOLUTION:
 
 The Inter-User Communication Vehicle (IUCV) socket interface
 to the TCP/IP server has been modified to provide a new
 version of the existing CANCEL function, CANCEL2.  While CANCEL
 causes TCP/IP to respond to the canceled call with a return code
 of -1 and an errno value of 1009, CANCEL2 will not.
 
 The following parts are changed to provide the functionality
 for the CANCEL2 socket call: CMSOCK COPY, TCPEQUAT COPY,
 CMPRCOM PASCAL and TCSOCKRE PASCAL.
 
 DOCUMENTATION UPDATE:
 
 z/VM V5R4.0 TCP/IP Programmer's Reference (SC24-6126-02)
  Chapter 4. Inter-User Communication Vehicle Sockets
   IUCV Socket Calls
    CANCEL
 
 CANCEL and CANCEL2
 
 The CANCEL and CANCEL2 calls are used to cancel a previously
 issued socket call.  For the CANCEL call, TCP/IP responds to
 the canceled call with a return code of -1 and an errno value
 of 1009.  For the CANCEL2 call, TCP/IP does not send a
 response to the canceled call.  CANCEL2 is supported only
 for AF_INET.
 
 Keyword Value
 
 TRGCLS
   High-order halfword = 42 (CANCEL)
   High-order halfword = 43 (CANCEL2; AF_INET only)
   Low-order halfword = Low-order halfword of TRGCLS from call
   to be canceled.
 
 DATA
   PRMMSG
 
 PRMMSG
   High-order fullword = High-order halfword of TRGCLS from call
   to be canceled.
   Low-order fullword = IUCV message ID of call to be canceled.
 
 ANSLEN
   8
 
 ANSBUF
   Points to a buffer to contain the reply from TCP/IP:
 
   +------------------------------------------------------------+
   |                                                            |
   +------+-----+------+----------------------------------------+
   |Offset|Name |Length|                 Comments               |
   +------+-----+------+----------------------------------------+
   |  0   | rc  |  4   | The return code from the CANCEL call.  |
   |      |     |      | A return code of 0 indicates that the  |
   |      |     |      | call was successful.  A return code of |
   |      |     |      | -1 indicates that the function could   |
   |      |     |      | not be completed and that errno        |
   |      |     |      | contains a reason code.                |
   +------+-----+------+----------------------------------------+
   |  4   |errno|  4   | When the return code is -1, this field |
   |      |     |      | contains a reason code.  Possible      |
   |      |     |      | errno  values are:                     |
   |      |     |      |                                        |
   |      |     |      | 3        Specifies that the call       |
   |      |     |      |          cannot be found. TCP/IP       |
   |      |     |      |          might have already responded  |
   |      |     |      |          to it.                        |
   |      |     |      |                                        |
   |      |     |      | 22       Specifies that the call is    |
   |      |     |      |          not a type that may be        |
   |      |     |      |          canceled.                     |
   +------+-----+------+----------------------------------------+
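
 The CANCEL/CANCEL2 parameter layout and the 8-byte ANSBUF reply described above, worked through in C. This is an added example, not IBM code: the function and type names are hypothetical, the TRGCLS and message ID values in main() are constructed, and fields are encoded big-endian as on z/Architecture.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
/* High-order halfword of TRGCLS selects the function (values from the page). */
#define FN_CANCEL  42u
#define FN_CANCEL2 43u  /* AF_INET only; no response is sent to the canceled call */
enum cancel_status { CANCEL_OK, CANCEL_NOT_FOUND, CANCEL_NOT_CANCELABLE,
                     CANCEL_OTHER_ERROR, CANCEL_SHORT_REPLY };
struct cancel_request {
    uint32_t trgcls;     /* target class of the CANCEL/CANCEL2 message */
    uint8_t  prmmsg[8];  /* PRMMSG: two fullwords, big-endian (assumption) */
};
static void put_be32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
}
static uint32_t get_be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Encode a cancel for the pending call sent with target_trgcls / target_msgid. */
struct cancel_request build_cancel(uint32_t fn, uint32_t target_trgcls,
                                   uint32_t target_msgid) {
    struct cancel_request r;
    r.trgcls = ((fn & 0xFFFFu) << 16) | (target_trgcls & 0xFFFFu);
    put_be32(r.prmmsg, target_trgcls >> 16);  /* high-order fullword */
    put_be32(r.prmmsg + 4, target_msgid);     /* low-order fullword  */
    return r;
}

/* Decode ANSBUF: rc at offset 0, errno at offset 4, 4 bytes each. */
enum cancel_status decode_cancel_reply(const uint8_t *ansbuf, size_t len,
                                       int32_t *reason) {
    if (len < 8) return CANCEL_SHORT_REPLY;   /* ANSLEN is 8; reject truncation */
    int32_t rc = (int32_t)get_be32(ansbuf);
    *reason = (rc == -1) ? (int32_t)get_be32(ansbuf + 4) : 0;
    if (rc == 0) return CANCEL_OK;
    if (rc == -1 && *reason == 3)  return CANCEL_NOT_FOUND;  /* may already be answered */
    if (rc == -1 && *reason == 22) return CANCEL_NOT_CANCELABLE;
    return CANCEL_OTHER_ERROR;
}

int main(void) {
    /* Constructed sample: TRGCLS and IUCV message ID of a pending call. */
    struct cancel_request r = build_cancel(FN_CANCEL2, 0x00100007u, 0x0000ABCDu);
    const uint8_t reply[8] = { 0xFF, 0xFF, 0xFF, 0xFF, 0, 0, 0, 3 };  /* constructed */
    int32_t reason = 0;
    int st = (int)decode_cancel_reply(reply, sizeof reply, &reason);
    printf("TRGCLS=%08X status=%d errno=%d\n", (unsigned)r.trgcls, st, (int)reason);
}
```

 A reply of rc -1 with errno 3 is the case where TCP/IP may already have answered the original call, so the caller should treat it as a lost race rather than a failure of the connection.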
 
 TEMPORARY FIX:
 *********
 * HIPER *
 *********
 
 COMMENTS:
 
 MODULES/MACROS:   ALLMACRO CMPRCOM  CMSOCK   COMMTXT  TCPEQUAT
 TCPIP    TCSOCKRE
 
 SRLS:      SC24612602
 
 RTN CODES:
 
 CIRCUMVENTION:
 
 MESSAGE TO SUBMITTER: