SNI and cipher list preference support for SSL sessions (APAR PJ46661)

By Angel Baez posted Wed January 19, 2022 01:26 PM


SNI and cipher list preference support for SSL sessions provides the capability to set the Server Name Indication (SNI) extension for Secure Sockets Layer (SSL) sessions and to control the cipher list preference for z/TPF servers.

SNI is a Transport Layer Security (TLS) extension that is required for z/TPF clients that connect to remote servers. The SNI carries the host name of the remote server that the client is connecting to, and the client sends it in its first TLS handshake message. If the client does not send an SNI that the server requires, the handshake cannot complete.

With this support, you can use the SSL_set_tlsext_host_name and SSL_get_servername functions to set and get the SNI for z/TPF SSL sessions. In addition, when a host name is provided, the following middleware packages can issue the SSL_set_tlsext_host_name function to automatically set the SNI:
  • The high-speed connector
  • The enhanced HTTP client that uses high-speed connector for persistent sessions
  • The enhanced HTTP client for non-persistent sessions

Additionally, this support adds the SSLSERVP parameter to keypoint 2 (CTK2) and the ZNKEY command. z/TPF SSL servers can change this parameter to control whether to use the cipher list preference of the client or the cipher list preference of the server.
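As an added illustration (not part of the original post or of any z/TPF code), the Python below uses the standard ssl module, whose server_hostname argument and OP_CIPHER_SERVER_PREFERENCE option correspond to the SSL_set_tlsext_host_name call and the server-versus-client cipher list preference described above. It starts a client handshake in memory, shows that the host name lands in the server_name extension of the ClientHello, and shows the server-side preference toggle; the host name api.example.com used when running it is a constructed value, and the handshake never completes because no server is present.

```python
import ssl
import struct
from typing import Optional

def client_hello(server_hostname: Optional[str]) -> bytes:
    """Start a client handshake in memory; server_hostname triggers SSL_set_tlsext_host_name()."""
    ctx = ssl.create_default_context()
    if server_hostname is None:
        # No SNI name means there is no host name to verify, so that check must be off.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=server_hostname)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: ClientHello written, now waiting for a server that never answers
    return outgoing.read()

def extract_sni(hello: bytes) -> Optional[str]:
    """Walk the ClientHello extensions and return the server_name value, if any."""
    rec_type, _ver, rec_len = struct.unpack("!BHH", hello[:5])
    body = hello[5:5 + rec_len]
    if rec_type != 22 or body[0] != 1:  # handshake record carrying a ClientHello
        raise ValueError("not a ClientHello")
    pos = 4 + 2 + 32                    # handshake header, client version, random
    pos += 1 + body[pos]                # session id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]  # cipher suites
    pos += 1 + body[pos]                # compression methods
    pos += 2                            # extensions length; they run to the end of the message
    while pos + 4 <= len(body):
        ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        if ext_type == 0:  # server_name: list len(2), name type(1), name len(2), name
            name_len = struct.unpack("!H", body[pos + 3:pos + 5])[0]
            return body[pos + 5:pos + 5 + name_len].decode("ascii")
        pos += ext_len
    return None

def server_context(prefer_server_ciphers: bool) -> ssl.SSLContext:
    """Server context whose cipher-order flag plays the role of the SSLSERVP parameter."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    if prefer_server_ciphers:
        ctx.options |= ssl.OP_CIPHER_SERVER_PREFERENCE                    # server order wins
    else:
        ctx.options = ctx.options & ~int(ssl.OP_CIPHER_SERVER_PREFERENCE)  # client order wins
    return ctx

def prefers_server_ciphers(ctx: ssl.SSLContext) -> bool:
    return bool(ctx.options & ssl.OP_CIPHER_SERVER_PREFERENCE)
```

Calling client_hello(None) produces a ClientHello with no server_name extension, which is the case where a server that requires SNI will refuse to complete the handshake.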

For more information about APAR PJ46661, see the APEDIT.