SCR #3920 07/01/2024 des

CTSE    - REL1_VER0_CTSE03_070124
CTSEN   - REL1_VER0_CTSE03_070124
TCPCLI  - REL1_VER0_TCPC19_070124
          REL1_VER0_CTSE03_070124
SSLCLI  - REL1_VER0_SSLC19_070124
          REL1_VER0_CTSE03_070124
          T0000H06_03_STGSSLLIB_05JUN2024_6_0_5_10
TCPSRV  - REL1_VER0_TCPS21_070124
          REL1_VER0_CTSE03_070124
SSLSRV  - REL1_VER0_SSLS21_070124
          REL1_VER0_CTSE03_070124
          T0000H06_03_STGSSLLIB_05JUN2024_6_0_5_10
SSLLIBI - T0000H06_03_STGSSLNLIB_05JUN2024_6_0_5_10

For pre XPNET 4.2 releases:
STGKM   - T0000H06_03_STGKM_09MAY2024_6_0_2_30

For XPNET 4.2 and later:
TCPXCLI - REL1_VER1_TCPCX03_070124
          T0000H06_03_STGSSLNLIB_05JUN2024_6_0_5_10
TCPXSRV - REL1_VER1_TCPSX03_070124
          T0000H06_03_STGSSLNLIB_05JUN2024_6_0_5_10
STGKM   - T0000H06_03_STGKM_01MAY2024_6_0_5_9
SMKMAN  - T0000H06_03_AISSMKMan_14JUL2023_6_0_5_0

Reference: H24-577792 H24-585016 H24-599723 H24-597849

Symptom:
SSLCLI abends in CTSE_AWAITIO after an error 4126. The function INSESSION_AWAITIOX returns a read count of 65,535, which overflows the field that the value is moved into. Other issues were also fixed in SSLLIB.

Problem:
1 - The field could not hold a value that large.
2 - The aci_ssl_read_key_and_certificate() library function could wrongly return ACI_SSL_RC_DB_UNKNOWN_RECORD.
3 - When using an SMKFILE configuration, the library function aci_ssl_check_smk returned error ACI_SSL_RC_PASSWORD_INVALID / ACI_SSL_RC_SMKBUF_INVALID on NSX but ran OK on NSK.
4 - ICE-XS would sign a TLS 1.3 CertificateVerify handshake message using RSA with PKCS1.5 padding instead of RSA-PSS padding.

Change:
1 - If the read count is larger than 32,767, the value 32,767 is used instead.
2 - IWS-3093
3 - IWS-3082
4 - IWS-3104

Enhancements for SSL Library:
1 - Created a new STGNSSL library specifically for C-based applications. ( IWS-2954 )
2 - STGKM and SSL libraries have been changed to use SMK files when encrypting and decrypting keys stored in CERTFILEs used by the libraries. ( IWS-2364 )
3 - SSL clients with DN_MATCH enabled now check certificate Subject Alternative Name (SAN) DNS name entries. ( IWS-2404 )
4 - The minimum target system requirements for STGSSL NonCRE Library running on the Linux platform have been upgraded from RHEL 6 to RHEL 7. ( IWS-2357 )
5 - SSL clients with DN_MATCH enabled now allow certificate wildcard names. ( IWS-2086 )
6 - STGKM has been enhanced to support the PBES2 algorithm and PBKDF2 for password-based protection of keys and certificates when reading from and writing into PFX files. It will use AES-256-CBC for encryption and hmacWithSHA256 for the key generation. ( IWS-2194 )
7 - The minimum target system requirements for SafeTGate SSL (STGSSL) internal Library running on the IBM Z-series platform have been upgraded from z/OS 2.2 to z/OS 2.4. ( IWS-2219 )
8 - STGSSL NonCRE Library now implements RFC8446 - TLS 1.3 protocol. ( IWS-823 )
9 - On the HP NonStop platforms, STGSSL NonCRE Library has been built with an upgrade of the C and C++ compilers and version 3 of the C++ libraries. ( IWS-1441 )
10 - Linux (little endian) version of STGSSL NonCRE Library. Also, fixed 64-bit vs 32-bit versioning so that PTraceLib can distinguish the type of trace file. ( IWS-1426 )
11 - 64-bit version of STGSSL NonCRE Library on zOS. ( IWS-1176 )
12 - SafeTGate SSL Library and STGSSL NonCRE Library now implement Galois/Counter Mode (GCM) for use with AES encryption and ephemeral Elliptic Curve Diffie-Hellman key exchange (ECDHE). ( CR782, RPE 8401 )
13 - STGSSL NonCRE Library now implements RFC7366 - TLS Encrypt-then-MAC extension. ( CR644, RPE 7664 )
14 - Port STGSSL NonCRE library (libStgSNLib.a) to UNIX for use by Network Express. ( CR622, CSM 100 )

Implementation:
Move in the new modules and stop the necessary stations. Stop and re-start SSL/TCP processes. Re-start the needed stations.

Dependencies: No dependencies.

Code Review: CR-XPNET-220
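
The DN_MATCH enhancements listed above (SAN DNS name entries, IWS-2404, and wildcard names, IWS-2086) come down to a host-name comparison like the one below. This C code is an added example, not code from the SSL library: the function names and sample names are hypothetical, and the matching rules (the wildcard is the whole leftmost label, covers exactly one label, and "*.tld" is refused) are assumed RFC 6125-style rules that the release note does not state.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* ASCII case-insensitive string equality. */
static int eq_nocase(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
    return *a == *b;                 /* equal only if both ended together */
}

/* Match one SAN dNSName entry against the host the client meant to reach.
 * Assumed rules (not from the release note): "*" counts only as the whole
 * leftmost label, covers exactly one label, and "*.tld" is refused. */
static int san_dns_matches(const char *pattern, const char *host)
{
    if (!pattern || !host || !*pattern || !*host)
        return 0;
    if (pattern[0] != '*')           /* literal name: no '*' allowed anywhere */
        return strchr(pattern, '*') == NULL && eq_nocase(pattern, host);

    const char *suffix = pattern + 1;            /* e.g. ".pay.example.com" */
    const char *host_rest = strchr(host, '.');   /* host minus first label  */
    if (suffix[0] != '.' || strchr(suffix + 1, '.') == NULL
        || strchr(suffix, '*') != NULL)
        return 0;                    /* "*x.a.b", "*.com" or a second '*' */
    if (host_rest == NULL || host_rest == host)
        return 0;                    /* wildcard must cover a non-empty label */
    return eq_nocase(suffix, host_rest);
}

/* Returns 1 if any SAN dNSName entry matches the expected host. */
int host_matches_any_san(const char *const *sans, size_t n, const char *host)
{
    for (size_t i = 0; i < n; i++)
        if (sans[i] && san_dns_matches(sans[i], host))
            return 1;
    return 0;
}

int main(void)
{
    /* Constructed SAN list and host names, for illustration only. */
    const char *sans[] = { "gateway.example.com", "*.pay.example.com" };
    const char *hosts[] = { "GATEWAY.example.com", "eu.pay.example.com",
                            "a.b.pay.example.com" };
    for (size_t i = 0; i < 3; i++)
        printf("%-22s %s\n", hosts[i],
               host_matches_any_san(sans, 2, hosts[i]) ? "accept" : "reject");
    return 0;
}
```

The third host is rejected because the wildcard covers one label only; a client that let "*" span dots would accept names the certificate owner never intended.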