ZOWE 2.18.0: disable TLS1.3


Article ID: 402224


Products

Brightside

Issue/Introduction

Tried to disable TLS 1.3 by using the following setting in zowe.yaml

However, ZOWE stc log shows:

The JSSE TLS 1.3 implementation does not support post handshake authentication (PHA) and is therefore incompatible with optional certificate authentication

It looks like TLS 1.3 is still in use somewhere. How can it be verified that TLS 1.3 has been disabled on the server side?

Environment

ZOWE v2.18.0

Cause

In ZOWE v2.18.0, the TLS settings in the zowe.network section only take effect on the ZSS and Application Server (Zowe Desktop) components (see the GitHub issue here).
Other components, such as the Gateway, still use TLS 1.3 by default.

The zowe.network section values should take effect on all ZOWE components; this defect is fixed in ZOWE v2.18.1.

Resolution

Upgrading to ZOWE v3.1.0 (or later) is recommended.

At a minimum, upgrade to ZOWE v2.18.1.

If zowe.network has been configured to use TLSv1.2, all ZOWE components should negotiate TLSv1.2 after the upgrade.


Additional Information

Test SSL connectivity with openssl s_client commands to check whether the certificate is valid, trusted, and complete.

openssl s_client -connect hostname:7554 

For example, if TLSv1.2 is specified in the network.server section of zowe.yaml, the output of the openssl s_client command above can be used to confirm that TLS 1.3 has been disabled:

SSL-Session:                
    Protocol  : TLSv1.2
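The check above can be made explicit by forcing each protocol version in turn. The script below is an added example, not from the article or the Zowe project: it runs openssl s_client with -tls1_3 and -tls1_2 against a component port and parses the "New, <protocol>, Cipher is ..." line, which is more reliable than the SSL-Session "Protocol" line because a failed handshake still reports the attempted version there. It assumes OpenSSL 1.1.1 or later and uses the Gateway port 7554 from the article as the default.

```shell
#!/bin/sh
# Added example, not from the article or the Zowe project.
# Checks whether a Zowe component port still negotiates TLS 1.3 by running
# openssl s_client with the protocol version forced, and parses the result.
# Assumes OpenSSL 1.1.1 or later (required for the -tls1_3 option).

# Read s_client output on stdin and print the negotiated protocol.
# The "New, <proto>, Cipher is <cipher>" line is used rather than the
# SSL-Session "Protocol" line, because after a failed handshake s_client
# still prints the attempted version under SSL-Session (with "Cipher : 0000").
# Prints NONE when no session was established, nothing if no such line exists.
negotiated_protocol() {
  awk '/^New, / { p = $2; sub(/,$/, "", p);
                  if (p == "(NONE)") p = "NONE"; print p; exit }'
}

# probe HOST PORT [s_client options...]: connect, send EOF, capture the report.
probe() {
  host="$1"; port="$2"; shift 2
  openssl s_client -connect "$host:$port" -servername "$host" "$@" </dev/null 2>/dev/null
}

# Succeeds (exit 0) only when HOST:PORT rejects forced TLS 1.3 and accepts TLS 1.2.
# Run it against every component port, not just the Gateway (7554, as in the
# article), since in v2.18.0 the zowe.network setting reached only some components.
check_tls13_disabled() {
  host="$1"; port="${2:-7554}"
  v13=$(probe "$host" "$port" -tls1_3 | negotiated_protocol)
  v12=$(probe "$host" "$port" -tls1_2 | negotiated_protocol)
  echo "$host:$port forced TLS1.3 -> ${v13:-NONE}, forced TLS1.2 -> ${v12:-NONE}"
  [ "${v13:-NONE}" = "NONE" ] && [ "$v12" = "TLSv1.2" ]
}

# Constructed sample s_client output (abridged, not captured from a real Zowe server).
SAMPLE_TLS12_OK='New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
SSL-Session:
    Protocol  : TLSv1.2'
SAMPLE_TLS13_REJECTED='New, (NONE), Cipher is (NONE)
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : 0000'

# Offline demonstration of the parser; for a live check run, for example:
#   check_tls13_disabled zowe-host.example.com 7554   (placeholder host name)
printf '%s\n' "$SAMPLE_TLS12_OK"       | negotiated_protocol   # TLSv1.2
printf '%s\n' "$SAMPLE_TLS13_REJECTED" | negotiated_protocol   # NONE
```

A non-zero exit from check_tls13_disabled means either TLS 1.3 is still accepted on that port or TLS 1.2 itself failed; the echoed line shows which.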