diff --git a/bin/start.sh b/bin/start.sh
index 893118091..0a1df3986 100755
--- a/bin/start.sh
+++ b/bin/start.sh
@@ -173,7 +173,12 @@ if [[ "${OSNAME}" == "OS/390" ]]; then
 else
 ZSS_SERVER="${ZSS_SERVER_31}"
 fi
-
+
+ if [ "$ZWE_components_zss_agent_https_trace" = "true" ] && [ "$ZWES_LOG_FILE" != "/dev/null" ]; then
+ export GSK_TRACE_FILE="${ZWES_LOG_FILE}.tlstrace"
+ export GSK_TRACE=0xFF
+ fi
+
 if [ "$ZWES_LOG_FILE" = "/dev/null" ]; then
 _BPX_SHAREAS=NO _BPX_JOBNAME=${ZWE_zowe_job_prefix}SZ ${ZSS_SERVER} --schemas "${ZWES_SCHEMA_PATHS}" --configs "${ZWES_CONFIG}" 2>&1
 else
diff --git a/c/zss.c b/c/zss.c
index 8a79841e0..bce8aa91b 100644
--- a/c/zss.c
+++ b/c/zss.c
@@ -113,10 +113,7 @@ static int traceLevel = 0;
 TLS_SECP521R1 \
 TLS_X25519
 
-#define DEFAULT_TLS_CIPHERS \
- TLS_AES_256_GCM_SHA384 \
- TLS_AES_128_GCM_SHA256 \
- TLS_CHACHA20_POLY1305_SHA256 \
+#define DEFAULT_TLS_CIPHERS_V12 \
 TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 \
 TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 \
 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 \
@@ -124,6 +121,12 @@ static int traceLevel = 0;
 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 \
 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
 
+#define DEFAULT_TLS_CIPHERS_V13 \
+ TLS_AES_256_GCM_SHA384 \
+ TLS_AES_128_GCM_SHA256 \
+ TLS_CHACHA20_POLY1305_SHA256 \
+ DEFAULT_TLS_CIPHERS_V12
+
 #define LOGGING_COMPONENT_PREFIX "_zss."
 
 static int stringEndsWith(char *s, char *suffix);
@@ -1157,6 +1160,7 @@ static bool readAgentHttpsSettingsV2(ShortLivedHeap *slh,
 }
 JsonObject *httpsConfigObject = jsonAsObject(httpsConfig);
 TlsSettings *settings = (TlsSettings*)SLHAlloc(slh, sizeof(*settings));
+ settings->maxTls = jsonObjectGetString(httpsConfigObject, "maxTls");
 char *ciphers = jsonObjectGetString(httpsConfigObject, "ciphers");
 /*
 * Takes a string of ciphers. This isn't ideal, but any other methods are
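Review bot: `GSK_TRACE=0xFF` enables every System SSL trace flag and points it at `${ZWES_LOG_FILE}.tlstrace` for the entire life of the server, with no size bound or rotation and with whatever file mode the process umask yields, so the artifact describes the server's TLS sessions and certificates yet gets none of the care the log file itself does. A comment above the new `if` should make that explicit, e.g. `# Full System SSL trace (all flags), unbounded; diagnostic only - disable once the problem is captured`, and the `trace` description in schemas/zss-config.json later in this diff should say the same so operators do not leave it on. As a point of style, the enclosing condition uses `[[ ]]` while the new test uses `[ ]`; `if [[ "$ZWE_components_zss_agent_https_trace" == "true" && "$ZWES_LOG_FILE" != "/dev/null" ]]; then` would match the surrounding code. The enclosing `if [[ "${OSNAME}" == "OS/390" ]]` block begins before this hunk.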
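Review bot: `DEFAULT_TLS_CIPHERS_V12` and `DEFAULT_TLS_CIPHERS_V13` (hunks at -113 and -124) carry no comment saying what they hold or why there are two, and the rename drops `DEFAULT_TLS_CIPHERS`, so any remaining reference to the old name elsewhere in the file will fail to compile; the hunks shown do not let me confirm there is none. The later comment in readAgentHttpsSettingsV2 shows the format is a concatenation of 4-hex-digit cipher ids, so a header above the V12 definition such as `/* Default cipher lists as concatenated 4-hex-digit System SSL cipher ids. V12 holds only TLS 1.2 suites; V13 prepends the TLS 1.3 suites and falls back to V12, and is selected only where TLS 1.3 is available (see readAgentHttpsSettingsV2). */` would let a reader audit the lists without tracing the selection logic.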
@@ -1164,7 +1168,15 @@ static bool readAgentHttpsSettingsV2(ShortLivedHeap *slh,
 *
 * ciphers: 13021303003500380039002F00320033
 */
- settings->ciphers = ciphers ? ciphers : DEFAULT_TLS_CIPHERS;
+ ECVT *ecvt = getECVT();
+ /*
+ 2.3 (1020300) no tls 1.3
+ */
+ if ((ecvt->ecvtpseq > 0x1020300) && (settings->maxTls == NULL || !strcmp(settings->maxTls, "TLSv1.3"))) {
+ settings->ciphers = ciphers ? ciphers : DEFAULT_TLS_CIPHERS_V13;
+ } else {
+ settings->ciphers = ciphers ? ciphers : DEFAULT_TLS_CIPHERS_V12;
+ }
 /*
 * Takes a string of keyshares. This isn't ideal, but any other methods are
 * going to be fairly complicated.
diff --git a/deps/zowe-common-c b/deps/zowe-common-c
index d58dd0a5e..0d55d4724 160000
--- a/deps/zowe-common-c
+++ b/deps/zowe-common-c
@@ -1 +1 @@
-Subproject commit d58dd0a5ee84cbe8586fd3cfc197035d6f0d0670
+Subproject commit 0d55d47244d37b77bd156fc0376cc0c90e9592a2
diff --git a/schemas/zss-config.json b/schemas/zss-config.json
index 592609692..aa2091e00 100644
--- a/schemas/zss-config.json
+++ b/schemas/zss-config.json
@@ -106,6 +106,11 @@
 "$ref": "#/$defs/ipsAndHostnames",
 "default": [ "0.0.0.0" ]
 },
+ "trace": {
+ "type": "boolean",
+ "description": "Enables TLS tracing to diagnose connection issues. Output will be within the zowe log directory.",
+ "default": false
+ },
 "label": {
 "type": [ "string", "null" ],
 "description": "The label (aka alias), identifying the server's certificate in the key store"
@@ -125,6 +130,12 @@
 "keyshares": {
 "type": [ "string", "null" ],
 "description": "The list of key shares in order of priority"
+ },
+ "maxTls": {
+ "type": [ "string", "null" ],
+ "enum": ["TLSv1.0", "TLSv1.1", "TLSv1.2", "TLSv1.3"],
+ "default": "TLSv1.3",
+ "description": "Maximum tls version allowed."
 }
 }
 },
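Review bot: When an operator sets `maxTls` to `TLSv1.3` (the value read in the -1157 hunk) but `ecvt->ecvtpseq` is not above `0x1020300`, the `else` branch silently substitutes the TLS 1.2 list, so an explicit configuration is overridden with no log line; the fallback should emit a warning through the file's logger naming the configured value and the release check that rejected it. The gate also governs only the defaults: a user-supplied `ciphers` string is used verbatim in both branches, so TLS 1.3 ids in that string on a release without TLS 1.3 are never filtered or reported, and every `maxTls` value other than exactly `TLSv1.3` (including `TLSv1.0`/`TLSv1.1`, which the schema enum accepts) selects the V12 list, whose suites the hunk shows are all TLS 1.2 GCM suites. The new comment `2.3 (1020300) no tls 1.3` should use the file's `/* ... */` style and say what is compared, e.g. `/* ecvtpseq is the z/OS product level (0x01020300 = V2R3); TLS 1.3 is only offered above that level. */`, and whether a maintenance level rather than the release governs TLS 1.3 availability should be confirmed. readAgentHttpsSettingsV2 begins before this hunk and continues after it.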
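Review bot: The `maxTls` enum offers `TLSv1.0` and `TLSv1.1` as selectable maxima although both are deprecated (RFC 8996) and the default cipher lists in c/zss.c contain only TLS 1.2 and 1.3 suites, so the option is a downgrade knob whose consequences the one-line description does not explain. A fuller description would read `"Maximum TLS protocol version allowed for the agent's HTTPS listener. Values below TLSv1.2 are deprecated (RFC 8996) and are not covered by the default cipher list; leave at TLSv1.3 unless a client cannot negotiate it."`, and `tls` should be capitalised as in the other descriptions. The `trace` description in the -106 hunk should likewise say that the output is a full System SSL trace, grows without bound, and should be enabled only for the duration of a diagnosis and protected like the log itself.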