000013572 - 'System SSL: SHA-512 crypto assist is not available' is displayed on mainframe

Document created by RSA Customer Support Employee on Jun 14, 2016
Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 2

Article Content

Article Number: 000013572
Applies To: RSA Key Manager Client
Issue: "System SSL: SHA-512 crypto assist is not available" is displayed on mainframe

This is a message from the IBM SSL implementation to indicate that the SHA-512 algorithm is not available.  If the fix described below has been applied to IBM System SSL, the message can be turned off by setting the GSK_SSL_HW_DETECT_MESSAGE environment variable to 0:

http://www-1.ibm.com/support/docview.wss?uid=isg1OA25022

OA25022: SYSTEM SSL: SHA-512 CRYPTO ASSIST IS NOT AVAILABLE MESSAGE IS SEEN IN STRERR EVEN WITH GSK_SSL_HW_DETECT_MESSAGE=0.

APAR status
Closed as program error.

Error description
The message 'System SSL: SHA-512 crypto assist is not available'
is seen in stderr even if the Environment variable
GSK_SSL_HW_DETECT_MESSAGE is coded as a 0.

The problem is the { } brackets are missing in the following
If Statement, so the SHA-512 message will always be written.
  if (detect_messages)
    fprintf(stderr, "System SSL: SHA-384 crypto assist is not available\n");
    fprintf(stderr, "System SSL: SHA-512 crypto assist is not available\n");

Local fix

Problem summary
****************************************************************
* USERS AFFECTED: Users of System SSL that have applied new    *
*                 function APAR OA22451.                       *
****************************************************************
* PROBLEM DESCRIPTION: SHA-512 hardware detection message      *
*                      displays to user.                       *
****************************************************************
* RECOMMENDATION: APPLY PTF                                    *
****************************************************************
The message is output by new code introduced by the addition of
the new function - support for the SHA-512 digest algorithm.
During hardware detection the new code outputs a new message to
the stderr interface advising that "SHA-512 crypto assist is not
available" when SHA-512 support is not detected through CPACF.
The message is correct, but is output regardless of the
GSK_SSL_HW_DETECT_MESSAGE environment variable setting, which
the message reporting would normally depend on.
Problem conclusion
System SSL has been modified so that during hardware detection,
if SHA-512 support is not detected, then the message "SHA-512
crypto assist is not available" is only output to stderr if the
GSK_SSL_HW_DETECT_MESSAGE environment variable is set to do so.
*--------------------------------------------------------------*
* The following defect is included in this fix:                *
*                                                              *
* 2296 HW Detection message always output - SHA-512 not        *
*      available                                               *
*--------------------------------------------------------------*
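
The missing-brace defect from the error description, reproduced next to its braced form so the difference can be measured. This is an added example, not IBM's System SSL source: the function names and the rule that only the value "0" suppresses the messages are assumptions made for the sketch.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MSG_384 "System SSL: SHA-384 crypto assist is not available\n"
#define MSG_512 "System SSL: SHA-512 crypto assist is not available\n"

/* Assumption for this sketch: only the literal value "0" suppresses the
 * messages; an unset variable or any other value leaves them enabled. */
int detect_messages_enabled(const char *value)
{
    return !(value != NULL && strcmp(value, "0") == 0);
}

/* Pattern from the error description. Without braces the if governs only
 * the first fprintf; the second runs on every call, whatever the
 * indentation suggests. Returns the number of messages written. */
int report_unbraced(FILE *out, int detect_messages)
{
    int written = 0;
    if (detect_messages)
        written += fprintf(out, MSG_384) > 0;
        written += fprintf(out, MSG_512) > 0;
    return written;
}

/* Braced form: both messages depend on the flag. */
int report_braced(FILE *out, int detect_messages)
{
    int written = 0;
    if (detect_messages) {
        written += fprintf(out, MSG_384) > 0;
        written += fprintf(out, MSG_512) > 0;
    }
    return written;
}

int main(void)
{
    int flag = detect_messages_enabled(getenv("GSK_SSL_HW_DETECT_MESSAGE"));
    int unbraced = report_unbraced(stderr, flag);
    int braced = report_braced(stderr, flag);
    printf("flag=%d unbraced=%d braced=%d\n", flag, unbraced, braced);
    return 0;
}
```

Compiling with GCC's -Wmisleading-indentation (enabled by -Wall) reports the unbraced function at build time, which is the cheapest place to catch this class of defect.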

Legacy Article ID: a41353
