| IBM SYSTEMSSL APARs |
z/OS V1 R7 |
| APAR # | PTF # | APAR Description | Notes |
| OA14437 | UA23758 | SSL V3 CLIENT HANDSHAKE FAILED WITH AN ERROR 410 (BAD MESSAGE) WITH SID CLIENT SIDE CACHING | SSL handshake may fail for System SSL clients attempting TLSV1 for cached sessions where the server is using SSLV3 |
z/OS V1 R6 |
| APAR # | PTF # | APAR Description | Notes |
| OA09297 | UA14369 | GSK_CLIENT_AUTH_PASSTHRU_TYPE VALIDATES CLIENT CERTIFICATE | If gsk_attribute_set_enum is called to set GSK_CLIENT_AUTH_TYPE to GSK_CLIENT_AUTH_PASSTHRU_TYPE System SSL should bypass client certificate validation but it does not |
| OA14437 | UA23758 | SSL V3 CLIENT HANDSHAKE FAILED WITH AN ERROR 410 (BAD MESSAGE) WITH SID CLIENT SIDE CACHING | SSL handshake may fail for System SSL clients attempting TLSV1 for cached sessions where the server is using SSLV3 |
z/OS V1 R5 |
| APAR # | PTF # | APAR Description | Notes |
| OA01971 | UA00954 | LOOP BETWEEN GSK_READ_V3_RECORD AND USER SKREAD ROUTINE | Loop can occur between the user supplied callback routines, skread and skwrite, if these routines return a negative value other than -1 |
| OA02382 | UA01625 | GSKKYMAN LACKS OPTION TO CREATE CERTIFICATE RENEWAL ON Z/OS 1.4 | Gskkyman untility on Z/OS 1.2 had an option to request a renewal of a certificate from an existing certificate in the keydatabase file. On Z/OS 1.4, this option is missing. |
| OA02737 | UA02136 | SSL HANDSHAKE FAILS WITH RC -37 WHEN CLIENT CERTIFICATE CONTAINS INVALID TELETEX/T61 CHARACTER | Error ASN_CANT_CONVERT (x'014CE014') is returned when decoding an X.509 certificate containing accented characters within an ASN.1 TELETEXSTRING field. |
| OA04226 | UA04423 | SSL ABENDS WHEN A CLIENT CERTIFICATE HAS A NULL FOR THE OU | System SSL abends S0C4 when a client attempts to connect and the specified certificate has a null in the organizational unit(ou). |
| OA04566 | UA05144 | SYSTEM SSL CERTIFICATE MANAGEMENT SERVICES REFRESH | Numerous fixes have been made to System SSL. This APAR brings the Certificate Management Services component up to the latest service level. |
| OA14437 | UA23757 | SSL V3 CLIENT HANDSHAKE FAILED WITH AN ERROR 410 (BAD MESSAGE) WITH SID CLIENT SIDE CACHING | SSL handshake may fail for System SSL clients attempting TLSV1 for cached sessions where the server is using SSLV3 |
| OA09297 | UA14368 | GSK_CLIENT_AUTH_PASSTHRU_TYPE VALIDATES CLIENT CERTIFICATE | If gsk_attribute_set_enum is called to set GSK_CLIENT_AUTH_TYPE to GSK_CLIENT_AUTH_PASSTHRU_TYPE System SSL should bypass client certificate validation but it does not |
z/OS V1 R4 |
| APAR # | PTF # | APAR Description | Notes |
| OA14437 | UA23757 | SSL V3 CLIENT HANDSHAKE FAILED WITH AN ERROR 410 (BAD MESSAGE) WITH SID CLIENT SIDE CACHING | SSL handshake may fail for System SSL clients attempting TLSV1 for cached sessions where the server is using SSLV3 |
| OA01971 | UA00954 | LOOP BETWEEN GSK_READ_V3_RECORD AND USER SKREAD ROUTINE | Loop can occur between the user supplied callback routines, skread and skwrite, if these routines return a negative value other than -1 |
| OA02382 | UA01625 | GSKKYMAN LACKS OPTION TO CREATE CERTIFICATE RENEWAL ON Z/OS 1.4 | Gskkyman untility on Z/OS 1.2 had an option to request a renewal of a certificate from an existing certificate in the keydatabase file. On Z/OS 1.4, this option is missing. |
| OA02737 | UA02136 | SSL HANDSHAKE FAILS WITH RC -37 WHEN CLIENT CERTIFICATE CONTAINS INVALID TELETEX/T61 CHARACTER | Error ASN_CANT_CONVERT (x'014CE014') is returned when decoding an X.509 certificate containing accented characters within an ASN.1 TELETEXSTRING field. |
| OA04226 | UA04423 | SSL ABENDS WHEN A CLIENT CERTIFICATE HAS A NULL FOR THE OU | System SSL abends S0C4 when a client attempts to connect and the specified certificate has a null in the organizational unit(ou). |
| OA04566 | UA05144 | SYSTEM SSL CERTIFICATE MANAGEMENT SERVICES REFRESH | Numerous fixes have been made to System SSL. This APAR brings the Certificate Management Services component up to the latest service level. |
| OW56418 | UW94302 | RACDCERT EXPORT CREATING PKCS#12 PACKAGES THAT DO NOT CONFORM TOASN.1 STANDARD | RACDCERT EXPORT creating PKCS#12 packages that do not conform to ASN.1 standard therefore can not be imported. |
z/OS V1 R2 |
| APAR # | PTF # | APAR Description | Notes |
| OW51164 | UW84120 UW84121 | SSL ENHANCEMENTS | Addressing requirement to provide basic Certificate Management APIs to read certificates from a SAF keyring, lookup a particular certificate by label, index or subject name and APIs for support creating and processing PKCS #7(Cryptographic Message Standard) messages |
| OW52700 | UW85215 | SYSTEM SSL ENHANCEMENT TO SUPPORT RACF CERTIFICATES DEFINED WITH RSA PRIVATE KEYS STORED IN ICSF | Enhance System SSL to support the use of RACF certificates which have their private keys stored in ICSF(hardware crypto.) |
| OW54083 | UW88756 | SSL CONNECTION USING WRONG CIPHERSPEC | SSL connection is allowed to be wrongly established using a cached session id when the specified connection cipher suite(s) do not match the cipher within the cached session id |
| OW56144 | UW93993 | GSK_KEYFILE_BAD_PASSWORD IF PASSWORD IS GREATER THAN 8 CHARACTERS WITH A KDB FILE | System SSL gskkyman command has been updated to support passwords greater than 8 characters for the key database file and passwords associated with the export (.p12) files |
| OA04566 | UA05143 | SYSTEM SSL CERTIFICATE MANAGEMENT SERVICES REFRESH | Numerous fixes have been made to System SSL. This APAR brings the Certificate Management Services component up to the latest service level. |
OS/390 V2 R10 |
| APAR # | PTF # | APAR Description | Notes |
| OW44153 | UW70444 | SSL GSK_INITIALIZE CALL HANGS AND GETS PROTECTION EXCEPTION | SSL application executed as a started task received RC2 from gsk_initialize when using RACF key ring. Also, gsk_initialize hanging with protection exception. Also, System SSL rebuilt to exploit performance enhancements when using hardware crypto |
| OW46430 | UW75960 | SYSTEM SSL HARDWARE PERFORMANCE | System SSL needs to be relinked with the latest bsafe code, in order to take maximum advantage of ICSF performance changes |
| OW48118 | UW79754 | IMW6310E SSL SUPPORT INITIALIZATION FAILED | IMW6310E message occurs when using kdb files generated under ikeyman on OS/390 R9 and used under R10 with System SSL. Certs. that contain special characters like & or * and ASN.1 are encoded incorrectly |
| OW51164 | UW84118 UW84119 | SSL ENHANCEMENTS | Addressing requirement to provide basic Certificate Management APIs to read certificates from a SAF keyring, lookup a particular certificate by label, index or subject name and APIs for support creating and processing PKCS #7(Cryptographic Message Standard) messages |
| OW51648 | UW83574 | SYSTEM SSL S0C4 GSK_SECURE_SOC_INIT | S0C4 abend occured during the SSL handshake process in the ReadV2Msg function |
| OW52700 | UW85214 | SYSTEM SSL ENHANCEMENT TO SUPPORT RACF CERTIFICATES DEFINED WITH RSA PRIVATE KEYS STORED IN ICSF | Enhance System SSL to support the use of RACF certificates which have their private keys stored in ICSF(hardware crypto.) |
| OW54083 | UW88754 | SSL CONNECTION USING WRONG CIPHERSPEC | SSL connection is allowed to be wrongly established using a cached session id when the specified connection cipher suite(s) do not match the cipher within the cached session id |
| OA04566 | UA05142 | SYSTEM SSL CERTIFICATE MANAGEMENT SERVICES REFRESH | Numerous fixes have been made to System SSL. This APAR brings the Certificate Management Services component up to the latest service level. |