SCR #3920   07/01/2024   des

CTSE     - REL1_VER0_CTSE03_070124
CTSEN    - REL1_VER0_CTSE03_070124
TCPCLI   - REL1_VER0_TCPC19_070124
           REL1_VER0_CTSE03_070124
SSLCLI   - REL1_VER0_SSLC19_070124
           REL1_VER0_CTSE03_070124
           T0000H06_03_STGSSLLIB_05JUN2024_6_0_5_10
TCPSRV   - REL1_VER0_TCPS21_070124
           REL1_VER0_CTSE03_070124
SSLSRV   - REL1_VER0_SSLS21_070124
           REL1_VER0_CTSE03_070124
           T0000H06_03_STGSSLLIB_05JUN2024_6_0_5_10
SSLLIBI  - T0000H06_03_STGSSLNLIB_05JUN2024_6_0_5_10

For pre XPNET 4.2 releases:
STGKM    - T0000H06_03_STGKM_09MAY2024_6_0_2_30

For XPNET 4.2 and later:
TCPXCLI  - REL1_VER1_TCPCX03_070124
           T0000H06_03_STGSSLNLIB_05JUN2024_6_0_5_10
TCPXSRV  - REL1_VER1_TCPSX03_070124
           T0000H06_03_STGSSLNLIB_05JUN2024_6_0_5_10
STGKM    - T0000H06_03_STGKM_01MAY2024_6_0_5_9
SMKMAN   - T0000H06_03_AISSMKMan_14JUL2023_6_0_5_0

Reference: H24-577792 H24-585016 H24-599723 H24-597849

Symptom:
SSLCLI abends in CTSE_AWAITIO after an error 4126. The function INSESSION_AWAITIOX returns a read count of 65,535, which overflows the field that the value is moved into. Also, other issues were fixed in SSLLIB.

Problem:
1 - The field could not hold a value that large.
2 - The aci_ssl_read_key_and_certificate() library function could wrongly return ACI_SSL_RC_DB_UNKNOWN_RECORD.
3 - When using an SMKFILE configuration, the library function aci_ssl_check_smk returned error ACI_SSL_RC_PASSWORD_INVALID / ACI_SSL_RC_SMKBUF_INVALID on NSX but ran OK on NSK.
4 - ICE-XS would sign a CertificateVerify TLS1.3 handshake message using RSA with PKCS1.5 padding instead of RSA-PSS padding.

Change:
1 - If the read count is larger than 32,767, the value 32,767 is used instead.
2 - IWS-3093
3 - IWS-3082
4 - IWS-3104

Enhancements for SSL Library:
1 - Created a new STGNSSL library specifically for C-based applications. ( IWS-2954 )
2 - STGKM and SSL libraries have been changed to use SMK files when encrypting and decrypting keys stored in CERTFILEs used by the libraries.
( IWS-2364 )
3 - SSL clients with DN_MATCH enabled now check certificate Subject Alternative Name (SAN) DNS name entries. ( IWS-2404 )
4 - The minimum target system requirements for STGSSL NonCRE Library running on the Linux platform have been upgraded from RHEL 6 to RHEL 7. ( IWS-2357 )
5 - SSL clients with DN_MATCH enabled now allow certificate wildcard names. ( IWS-2086 )
6 - STGKM has been enhanced to support the PBES2 algorithm and PBKDF2 for password-based protection of keys and certificates when reading from and writing into PFX files. It will use AES-256-CBC for encryption and hmacWithSHA256 for the key generation. ( IWS-2194 )
7 - The minimum target system requirements for SafeTGate SSL (STGSSL) internal Library running on the IBM Z-series platform have been upgraded from z/OS 2.2 to z/OS 2.4. ( IWS-2219 )
8 - STGSSL NonCRE Library now implements RFC8446 - TLS 1.3 protocol. ( IWS-823 )
9 - On the HP NonStop platforms STGSSL NonCRE Library has been built with an upgrade of the C and C++ compilers and version 3 of the C++ libraries. ( IWS-1441 )
10 - Linux (little endian) version of STGSSL NonCRE Library. Also, fixed 64-bit vs 32-bit versioning so that PTraceLib can distinguish the type of trace file. ( IWS-1426 )
11 - 64-bit version of STGSSL NonCRE Library on zOS. ( IWS-1176 )
12 - SafeTGate SSL Library and STGSSL NonCRE Library now implement Galois/Counter Mode (GCM) for use with AES encryption and ephemeral Elliptic Curve Diffie-Hellman key exchange (ECDHE). ( CR782, RPE 8401 )
13 - STGSSL NonCRE Library now implements RFC7366 - TLS Encrypt-then-MAC extension. ( CR644, RPE 7664 )
14 - Port STGSSL NonCRE library (libStgSNLib.a) to UNIX for use by Network Express. ( CR622, CSM 100 )

Implementation:
Move in the new modules and stop the necessary stations. Stop and re-start SSL/TCP processes. Re-start the needed stations.

Dependencies:
No dependencies.
Code Review: CR-XPNET-220

SCR #3926   09/05/2024   mmn

CTSETPLO - U10CTSE.CTSE00PO
CTSETPLS - U10CTSE.CTSE00PS
CTSXTPLO - U11CTSE.CTSE00PO
CTSXTPLS - U11CTSE.CTSE00PS
TMPLIN   - SPTPLT37.TMPLIN42

Reference: H24-618100, H24-613933, H24-612973, H24-586138

Symptom:
ACI.780.1000 1008 02:35 08AUG24 103,03,797 EMSTEXT No template and no TEXT token for event.
SSID = ACI.780.1000 Event number = 1008 Subject = CTS/E

Problem:
As part of XPNET 4.2, the new objects TCPXCLI and TCPXSRV were released. These modules were created with new SSIDs and EMS template files. Some of these files were incorrectly cataloged as the template files for TCPSRV, TCPSRV, SSLCLI, SSLSRV ( CTSETPLO/S ).

Change:
Released correct CTSETPLO/S files associated with the TCPSRV, TCPCLI, SSLCLI, SSLSRV modules. Released new CTSXTPLO/S template files for TCPXCLI and TCPXSRV events. Updated TMPLIN file to reference the new template files.

Implementation:
Install new TMPLIN and template files. Run the TMPLMAKE and GOINST macros on the SCRIBE subvol.

Dependencies:
XPNET 4.2 only.

Code Review: CR-XPNET-230
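
For problem 4 of SCR #3920 (a TLS 1.3 CertificateVerify signed with RSA PKCS1.5 padding instead of RSA-PSS), the following added example, which is not part of these release notes or of the ACI libraries, parses a plaintext CertificateVerify handshake message, such as one taken from a handshake trace, and flags RSA PKCS#1 v1.5 signature schemes, which RFC 8446 does not define for signed handshake messages. The function names and the sample messages are constructed for illustration.

```python
import struct

CERTIFICATE_VERIFY = 15  # HandshakeType certificate_verify (RFC 8446)

# SignatureScheme code points from RFC 8446, section 4.2.3.
RSA_PKCS1 = {0x0201: "rsa_pkcs1_sha1", 0x0401: "rsa_pkcs1_sha256",
             0x0501: "rsa_pkcs1_sha384", 0x0601: "rsa_pkcs1_sha512"}
RSA_PSS = {0x0804: "rsa_pss_rsae_sha256", 0x0805: "rsa_pss_rsae_sha384",
           0x0806: "rsa_pss_rsae_sha512", 0x0809: "rsa_pss_pss_sha256",
           0x080A: "rsa_pss_pss_sha384", 0x080B: "rsa_pss_pss_sha512"}


def check_certificate_verify(msg):
    """Classify the declared scheme of one plaintext CertificateVerify message.

    Returns (verdict, scheme): "reject" for RSA PKCS#1 v1.5, "ok" for RSA-PSS,
    "other" for any other scheme. Raises ValueError on a malformed message.
    """
    if len(msg) < 8:  # type(1) + length(3) + scheme(2) + signature length(2)
        raise ValueError("truncated handshake message")
    if msg[0] != CERTIFICATE_VERIFY:
        raise ValueError("not a CertificateVerify message (type %d)" % msg[0])
    body_len = int.from_bytes(msg[1:4], "big")
    if body_len != len(msg) - 4:
        raise ValueError("handshake length field does not match message size")
    scheme, sig_len = struct.unpack_from("!HH", msg, 4)
    if sig_len != body_len - 4:
        raise ValueError("signature length field does not match body size")
    if scheme in RSA_PKCS1:
        return ("reject", RSA_PKCS1[scheme])
    if scheme in RSA_PSS:
        return ("ok", RSA_PSS[scheme])
    return ("other", "0x%04x" % scheme)


def build_sample(scheme, signature):
    """Build a constructed CertificateVerify message (hypothetical test helper)."""
    body = struct.pack("!HH", scheme, len(signature)) + signature
    return bytes([CERTIFICATE_VERIFY]) + len(body).to_bytes(3, "big") + body


if __name__ == "__main__":
    # Constructed samples: 256 placeholder bytes stand in for an RSA-2048 signature.
    for code in (0x0401, 0x0804, 0x0403):
        sample = build_sample(code, b"\x00" * 256)
        print(hex(code), check_certificate_verify(sample))
```

The check reads only the declared scheme. A signer that declares an RSA-PSS scheme but pads with PKCS#1 v1.5 is caught by the peer's signature verification failing, not by this parser.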