The description of fix LT19637 (expected to be published as LU19637) mentions truncation of parameter values entered in the System SSL configuration file (SYSconfigssl.cnf) when a value is longer than 255 bytes.
This article provides additional details. One possible error message caused by this problem is:
XCOMM1510E ; SYSTEM SSL ; RC=402 ; REASON=NO SSL CIPHER SPECIFICATION
This problem was introduced by the earlier fix LU07625 (REMOVE OPEN SSL AND ETPKI FROM XCOM ON Z/OS), which replaced the routines used to parse the System SSL configuration file.
CIPHERS is the section most likely to be affected by the problem, for example if it specifies a list of individual ciphers that takes up more than 255 bytes. The cipher name that hits offset 255, plus any other cipher specified after it, will not be passed to the partner during the TLS handshake.
When this happens, the handshake fails for those partners that may only accept the cipher that has been excluded from the CLIENT_HELLO message sent to the partner during the handshake. The message will be:
XCOMM1510E ; SYSTEM SSL ; RC=402 ; REASON=NO SSL CIPHER SPECIFICATION
It is possible to 'see' the SSL handshake by reproducing the error in an XCOMJOB TYPE=EXECUTE run with ,TRACE=YES added to the JCL parm. The XCOM trace formats the handshake messages exchanged with the partner, including the CLIENT_HELLO (where the requestor proposes a list of ciphers), the SERVER_HELLO (where the contacted server selects a cipher from the proposed list) or (in the case of RC 402) an alert returned by the server when it cannot accept any of the proposed ciphers.
Example of a working handshake:
14:42:37 8f6788 XCOMSSSL 7456 ======================================= SSL Record Begin =====================================
14:42:37 8f6788 XCOMSSSL 7882 Sending Handshake = <16> ( SSL3_RT_HANDSHAKE )
14:42:37 8f6788 XCOMSSSL 7888 SSL Version = <03.03> ( TLSv1.2 )
14:42:37 8f6788 XCOMSSSL 7896 Length = <0082> ( 130 )
14:42:37 8f6788 XCOMSSSL 5427 ==>Client_Hello Message = <01>
14:42:37 8f6788 XCOMSSSL 5434 Hello Buffer Length = <00007E> ( 126 )
14:42:37 8f6788 XCOMSSSL 5442 Client_Version = <03.03> ( TLSv1.2 )
14:42:37 8f6788 XCOMSSSL 5463 UTC Timestamp = <6995352D> ( Wed 2026-02-18 03:42:37 UTC )
14:42:37 8f6788 XCOMSSSL 5497 Random bytes = <random bytes>
14:42:37 8f6788 XCOMSSSL 5517 Session ID Length = <00> ( 0 )
14:42:37 8f6788 XCOMSSSL 5574 Session ID = <00> ( NULL )
14:42:37 8f6788 XCOMSSSL 5588 Supported Cipher Suites Len = <0010> ( 16 )
14:42:37 8f6788 XCOMSSSL 5597 Supported Cipher Suites = <00FF> ( TLS_EMPTY_RENEGOTIATION_INFO_SCSV )
14:42:37 8f6788 XCOMSSSL 5611 <C02C> ( TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 )
14:42:37 8f6788 XCOMSSSL 5611 <C030> ( TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 )
14:42:37 8f6788 XCOMSSSL 5611 <009F> ( TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 )
14:42:37 8f6788 XCOMSSSL 5611 <C02B> ( TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 )
14:42:37 8f6788 XCOMSSSL 5611 <C02F> ( TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 )
14:42:37 8f6788 XCOMSSSL 5611 <009E> ( TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 )
14:42:37 8f6788 XCOMSSSL 5611 <000A> ( TLS_RSA_WITH_3DES_EDE_CBC_SHA )
14:42:37 8f6788 XCOMSSSL 5626 Supported Compression Len = <01> ( 1 )
14:42:37 8f6788 XCOMSSSL 5631 Supported Compression = <00> ( NULL )
14:42:37 8f6788 XCOMSSSL 5658 Hello Extension Length = <0045> ( 69 )
14:42:37 8f6788 XCOMSSSL 5672 +Client_Hello Extension = <002B> ( Unknown Hello Extension )
14:42:37 8f6788 XCOMSSSL 7679 ======================================= SSL Record End =====================================
14:42:37 8f6788 XCOMSSSL 7456 ======================================= SSL Record Begin =====================================
14:42:37 8f6788 XCOMSSSL 7882 Received Handshake = <16> ( SSL3_RT_HANDSHAKE )
14:42:37 8f6788 XCOMSSSL 7888 SSL Version = <03.03> ( TLSv1.2 )
14:42:37 8f6788 XCOMSSSL 7896 Length = <0051> ( 81 )
14:42:37 8f6788 XCOMSSSL 6473 ==>Server_Hello Message = <02>
14:42:37 8f6788 XCOMSSSL 6480 Hello Buffer Length = <00004D> ( 77 )
14:42:37 8f6788 XCOMSSSL 6487 Server_Version = <03.03> ( TLSv1.2 )
14:42:37 8f6788 XCOMSSSL 6513 UTC Timestamp = <8755A816> ( ** Cannot Format ** )
14:42:37 8f6788 XCOMSSSL 6539 Random bytes = <random bytes>
14:42:37 8f6788 XCOMSSSL 6560 Session ID Length = <20> ( 32 )
14:42:37 8f6788 XCOMSSSL 6588 Session ID = <session ID>
14:42:37 8f6788 XCOMSSSL 6635 Selected Ciper Suite = <000A> ( TLS_RSA_WITH_3DES_EDE_CBC_SHA )
14:42:37 8f6788 XCOMSSSL 6646 Supported Compression = <00> ( NULL )
14:42:37 8f6788 XCOMSSSL 6669 Hello Extension Length = <0005> ( 5 )
14:42:37 8f6788 XCOMSSSL 6678 +Server_Hello Extension = <FF01> ( Renegotiation_Info )
14:42:37 8f6788 XCOMSSSL 6688 Renegotiation Info Length = <0001>
14:42:37 8f6788 XCOMSSSL 6730 Renegotiated Session ID = <00> ( NULL )
14:42:37 8f6788 XCOMSSSL 7817 ======================================= SSL Record End =====================================
Note how the partner accepts the very last cipher presented by the client (TLS_RSA_WITH_3DES_EDE_CBC_SHA).
Example of a failing handshake:
14:52:54 8b6060 XCOMSSSL 7420 ======================================= SSL Record Begin ======================================
14:52:54 8b6060 XCOMSSSL 7901 Sending Handshake = <16> ( SSL3_RT_HANDSHAKE )
14:52:54 8b6060 XCOMSSSL 7907 SSL Version = <03.03> ( TLSv1.2 )
14:52:54 8b6060 XCOMSSSL 7915 Length = <0080> ( 128 )
14:52:54 8b6060 XCOMSSSL 4903 ==>Client_Hello Message = <01>
14:52:54 8b6060 XCOMSSSL 4910 Hello Buffer Length = <00007C> ( 124 )
14:52:54 8b6060 XCOMSSSL 4918 Client_Version = <03.03> ( TLSv1.2 )
14:52:54 8b6060 XCOMSSSL 4939 UTC Timestamp = <69953796> ( Wed 2026-02-18 03:52:54 UTC )
14:52:54 8b6060 XCOMSSSL 4973 Random bytes = <random bytes>
14:52:54 8b6060 XCOMSSSL 4993 Session ID Length = <00> ( 0 )
14:52:54 8b6060 XCOMSSSL 5050 Session ID = <00> ( NULL )
14:52:54 8b6060 XCOMSSSL 5064 Supported Cipher Suites Len = <000E> ( 14 )
14:52:54 8b6060 XCOMSSSL 5073 Supported Cipher Suites = <00FF> ( TLS_EMPTY_RENEGOTIATION_INFO_SCSV )
14:52:54 8b6060 XCOMSSSL 5087 <C02C> ( TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 )
14:52:54 8b6060 XCOMSSSL 5087 <C030> ( TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 )
14:52:54 8b6060 XCOMSSSL 5087 <009F> ( TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 )
14:52:54 8b6060 XCOMSSSL 5087 <C02B> ( TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 )
14:52:54 8b6060 XCOMSSSL 5087 <C02F> ( TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 )
14:52:54 8b6060 XCOMSSSL 5087 <009E> ( TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 )
14:52:54 8b6060 XCOMSSSL 5102 Supported Compression Len = <01> ( 1 )
14:52:54 8b6060 XCOMSSSL 5107 Supported Compression = <00> ( NULL )
14:52:54 8b6060 XCOMSSSL 5136 Hello Extension Length = <0045> ( 69 )
14:52:54 8b6060 XCOMSSSL 5150 +Client_Hello Extension = <002B> ( Supported_Versions )
14:52:54 8b6060 XCOMSSSL 5577 Supported_Versions Ext Len = <0007> ( 7 )
14:52:54 8b6060 XCOMSSSL 5586 Supported_Versions List len = <06> ( 6 )
14:52:54 8b6060 XCOMSSSL 5599 Supported_Versions = <03.03> ( TLSv1.2 )
14:52:54 8b6060 XCOMSSSL 5606 = <03.02> ( TLSv1.1 )
14:52:54 8b6060 XCOMSSSL 5606 = <03.01> ( TLSv1.0 )
14:52:54 8b6060 XCOMSSSL 5150 +Client_Hello Extension = <0017> ( Extended_Master_Secret )
14:52:54 8b6060 XCOMSSSL 5623 Extended Master Secret Len = <0000> ( 0 )
14:52:54 8b6060 XCOMSSSL 5150 +Client_Hello Extension = <000A> ( Elliptic_Curves )
14:52:54 8b6060 XCOMSSSL 5164 Elliptic Curve Ext Length = <000C> ( 12 )
14:52:54 8b6060 XCOMSSSL 5173 Elliptic Curve List Length = <000A> ( 10 )
14:52:54 8b6060 XCOMSSSL 5188 Elliptic Curve = <0015> ( secp224r1 )
14:52:54 8b6060 XCOMSSSL 5206 <0017> ( secp256r1 )
14:52:54 8b6060 XCOMSSSL 5206 <0018> ( secp384r1 )
14:52:54 8b6060 XCOMSSSL 5206 <0019> ( secp521r1 )
14:52:54 8b6060 XCOMSSSL 5206 <0013> ( secp192r1 )
14:52:54 8b6060 XCOMSSSL 5150 +Client_Hello Extension = <000B> ( EC_Point_Formats )
14:52:54 8b6060 XCOMSSSL 5224 EC Point Format Ext Length = <0002> ( 2 )
14:52:54 8b6060 XCOMSSSL 5233 EC Point Format List Length = <01> ( 1 )
14:52:54 8b6060 XCOMSSSL 5247 EC Point Format = <00> ( uncompressed )
14:52:54 8b6060 XCOMSSSL 5150 +Client_Hello Extension = <000D> ( Signature_Algorithm )
14:52:54 8b6060 XCOMSSSL 5282 Signature Algorithm Length = <001C> ( 28 )
14:52:54 8b6060 XCOMSSSL 5291 Signature Algorithm List Ln = <001A> ( 26 )
14:52:54 8b6060 XCOMSSSL 5307 Signature/Hash Algorithm = <06 / 01> ( SHA512 / RSA )
14:52:54 8b6060 XCOMSSSL 5330 <06 / 03> ( SHA512 / ECDSA )
14:52:54 8b6060 XCOMSSSL 5330 <05 / 01> ( SHA384 / RSA )
14:52:54 8b6060 XCOMSSSL 5330 <05 / 03> ( SHA384 / ECDSA )
14:52:54 8b6060 XCOMSSSL 5330 <04 / 01> ( SHA256 / RSA )
14:52:54 8b6060 XCOMSSSL 5330 <04 / 03> ( SHA256 / ECDSA )
14:52:54 8b6060 XCOMSSSL 5330 <04 / 02> ( SHA256 / DSA )
14:52:54 8b6060 XCOMSSSL 5330 <03 / 01> ( SHA224 / RSA )
14:52:54 8b6060 XCOMSSSL 5330 <03 / 03> ( SHA224 / ECDSA )
14:52:54 8b6060 XCOMSSSL 5330 <03 / 02> ( SHA224 / DSA )
14:52:54 8b6060 XCOMSSSL 5330 <02 / 01> ( SHA1 / RSA )
14:52:54 8b6060 XCOMSSSL 5330 <02 / 03> ( SHA1 / ECDSA )
14:52:54 8b6060 XCOMSSSL 5330 <02 / 02> ( SHA1 / DSA )
14:52:54 8b6060 XCOMSSSL 7664 ======================================= SSL Record End ======================================
14:52:54 8b6060 XCOMSSSL 7420 ======================================= SSL Record Begin ======================================
14:52:54 8b6060 XCOMSSSL 7901 Received Alert = <15> ( SSL3_RT_ALERT )
14:52:54 8b6060 XCOMSSSL 7907 SSL Version = <03.03> ( TLSv1.2 )
14:52:54 8b6060 XCOMSSSL 7915 Length = <0002> ( 2 )
14:52:54 8b6060 XCOMSSSL 7108 Alert_Level = <02> ( SSL3_AL_FATAL )
14:52:54 8b6060 XCOMSSSL 7112 Alert_Description = <28> ( SSL3_AD_HANDSHAKE_FAILURE )
14:52:54 8b6060 XCOMSSSL 7831 ======================================= SSL Record End ======================================
Note that TLS_RSA_WITH_3DES_EDE_CBC_SHA is missing from the "client hello" message, which causes the partner to abort the handshake.
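The check below is an added example, not code from this article or from XCOM: it models the 255-byte cut described above to list which names in a parameter value would be lost, and compares a configured list against the cipher suites found in a formatted Client_Hello trace. The ':' separator, the CIPHERS value and the function names are assumptions; the trace lines are copied from the failing handshake above.

```python
import re

LIMIT = 255  # byte limit stated in the article
SUITE = re.compile(r"<[0-9A-Fa-f]{4}>\s*\(\s*(TLS_\w+)\s*\)")

def split_at_limit(value, sep=":", limit=LIMIT):
    """Return (kept, dropped): a name is dropped once its last byte lies past the limit."""
    kept, dropped, end = [], [], 0
    for i, name in enumerate(value.split(sep)):
        end += len(name.encode()) + (len(sep) if i else 0)
        (kept if end <= limit else dropped).append(name)
    return kept, dropped

def offered_suites(trace):
    """Cipher suite names in the first Client_Hello record of a formatted XCOM trace."""
    names, in_hello = [], False
    for line in trace.splitlines():
        if "Client_Hello Message" in line:
            in_hello = True
        elif in_hello and "SSL Record End" in line:
            break  # stop before the Server_Hello, which also names a suite
        elif in_hello and (m := SUITE.search(line)) and not m.group(1).endswith("_SCSV"):
            names.append(m.group(1))  # the SCSV entry is a signalling value, not a cipher
    return names

def missing_from_hello(value, trace, sep=":"):
    """Configured names that never reached the Client_Hello."""
    offered = set(offered_suites(trace))
    return [n for n in value.split(sep) if n not in offered]

# Constructed CIPHERS value: the seven suite names from the working trace,
# joined with an assumed ':' separator (257 bytes in total).
CONFIGURED = ":".join((
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
))

# Client_Hello lines copied from the failing trace, trimmed to the cipher list.
FAILING = """\
14:52:54 8b6060 XCOMSSSL 4903 ==>Client_Hello Message = <01>
14:52:54 8b6060 XCOMSSSL 5073 Supported Cipher Suites = <00FF> ( TLS_EMPTY_RENEGOTIATION_INFO_SCSV )
14:52:54 8b6060 XCOMSSSL 5087 <C02C> ( TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 )
14:52:54 8b6060 XCOMSSSL 5087 <C030> ( TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 )
14:52:54 8b6060 XCOMSSSL 5087 <009F> ( TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 )
14:52:54 8b6060 XCOMSSSL 5087 <C02B> ( TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 )
14:52:54 8b6060 XCOMSSSL 5087 <C02F> ( TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 )
14:52:54 8b6060 XCOMSSSL 5087 <009E> ( TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 )
14:52:54 8b6060 XCOMSSSL 7664 ======================================= SSL Record End ======================================
"""
```

With these inputs, `split_at_limit(CONFIGURED)` drops only the last name, and `missing_from_hello(CONFIGURED, FAILING)` reports the same name as absent from the trace.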