SYSTEM SSL V2.1 AND TLS/SSL SERVER UPGRADE
APAR Identifier ...... PI40702
Last Changed ........ 16/03/30
SYSTEM SSL V2.1 AND TLS/SSL SERVER UPGRADE
Symptom ...... NF NEWFUNCTION
Status ........... CLOSED UR1
Severity ................... 4
Date Closed ......... 15/09/10
Component .......... 5735FAL00
Duplicate of ........
Reported Release ......... 630
Fixed Release ............ 999
Component Name TCP/IP V2 FOR V
Special Notice
Current Target Date ..
Flags
SCP ...................
Platform ............

Status Detail: SHIPMENT - Packaged solution is available for shipment.

PE PTF List:

PTF List:
Release 630 : UI31015 available 16/03/30 (1601 )

Parent APAR:
Child APAR list:

ERROR DESCRIPTION:
In order to maintain FIPS 140-2 and NIST SP 800-131a compliance, z/VM System SSL has been upgraded to z/OS V2.1 equivalency. This introduces internal support for a subset of the cryptographic primitives found in z/OS ICSF. Use of these primitives is restricted to IBM-provided applications such as the TLS/SSL Server.

This support requires updates to CMS and LE via APARs VM65717 and VM65718.

The TLS/SSL Server has been updated to exploit the following new functions:

- AES Galois-Counter Mode (AES GCM), a TLS 1.2 symmetric key algorithm which is more secure than the CBC mechanism employed today.
- Enablement of DSA Certificates in MODE NIST-800-131a, an update to the size of the DSS certificates the server can support for asymmetric encryption.

LOCAL FIX:

PROBLEM SUMMARY:
****************************************************************
* USERS AFFECTED: All users of the z/VM SSL server             *
****************************************************************
* PROBLEM DESCRIPTION:                                         *
****************************************************************
* RECOMMENDATION: APPLY PTF                                    *
****************************************************************
In order to maintain FIPS 140-2 and NIST SP 800-131a compliance, z/VM System SSL has been upgraded to z/OS V2.1 equivalency. This introduces internal support for a subset of the cryptographic primitives found in z/OS ICSF. Use of these primitives is restricted to IBM-provided applications such as the TLS/SSL servers. This support requires updates to CMS and LE via APARs VM65717 and VM65718.

The TLS/SSL Server has been updated to exploit the following new functions:

- AES Galois-Counter Mode (AES GCM), a TLS 1.2 symmetric key algorithm which is more secure than the CBC mechanism employed today.
- Enablement of DSA Certificates in MODE NIST-800-131a, an update to the size of the DSS certificates the server can support for asymmetric encryption.

PROBLEM CONCLUSION:

TEMPORARY FIX:

COMMENTS:
The main things that System SSL 2.1 and internal support for a subset of the cryptographic primitives found in z/OS ICSF provide are:

1. NIST 800-131 enhancements
2. Suite B Profile for TLS (RFC 5430) support
3. Elliptic Curve Cryptography (ECC) support
4. AES Galois Counter Mode (GCM) support

The major changes to the TLS/SSL server include:

1. Update the cipher list for AES GCM in SSLCIPHS.C
2. Report the AES GCM availability by changing CMCOMM.COPY and CMNETST.PASCAL
3. Add a new socket call which is used to return an input vector for AES GCM from the TCP/IP stack
4. Update the cipher list to re-enable DSA for mode NIST-800-131A
5. Change the function used to determine the key bit length of the certificate in use for the session so that it supports the DSA algorithm

MODULES/MACROS:
CMCOMM CMNETST CMPRCOM CMSOCK GSKCMS31 GSKC31 GSKC31F GSKKYMAN GSKMSGA GSKMSGS GSKSSL GSKSUS31 GSKS31 GSKS31F GSKTRACE ICSFLIB SSLCIPHS SSLGSKCF SSLMNTOR TCIUCAPI TCPBL492 TCPEQUAT TCPIP TCSOCKRE TCVAR

SRLS: NONE

RTN CODES:

CIRCUMVENTION:

MESSAGE TO SUBMITTER: