zowe · 1000TurquoisePogs · Oct 16, 2023 · Sep 18, 2023 · Sep 18, 2023 · Sep 20, 2023
diff --git a/bin/start.sh b/bin/start.sh
@@ -173,7 +173,12 @@ if [[ "${OSNAME}" == "OS/390" ]]; then
   else
     ZSS_SERVER="${ZSS_SERVER_31}"
   fi
-
+
+  if [ "$ZWE_components_zss_agent_https_trace" = "true" ] && [ "$ZWES_LOG_FILE" != "/dev/null" ]; then
+    export GSK_TRACE_FILE="${ZWES_LOG_FILE}.tlstrace"
+    export GSK_TRACE=0xFF
+  fi
+
   if [ "$ZWES_LOG_FILE" = "/dev/null" ]; then
     _BPX_SHAREAS=NO _BPX_JOBNAME=${ZWE_zowe_job_prefix}SZ ${ZSS_SERVER} --schemas "${ZWES_SCHEMA_PATHS}" --configs "${ZWES_CONFIG}" 2>&1
   else

diff --git a/build/zis.proj.env b/build/zis.proj.env
@@ -1,4 +1,4 @@
 PROJECT="zis"
-VERSION=2.11.0
-DYNLINK_PLUGIN_VERSION=4
+VERSION=2.12.0
+DYNLINK_PLUGIN_VERSION=5
 DEPS=""
diff --git a/build/zss.proj.env b/build/zss.proj.env
@@ -1,5 +1,5 @@
 PROJECT="zss"
-VERSION=2.11.0
+VERSION=2.12.0
 DEPS="QUICKJS LIBYAML"
 
 QUICKJS="quickjs"

diff --git a/c/zss.c b/c/zss.c
@@ -108,14 +108,25 @@ static int traceLevel = 0;
 
 #define JSON_ERROR_BUFFER_SIZE 1024
 
-#define DEFAULT_TLS_CIPHERS               \
+#define DEFAULT_TLS_KEY_SHARES  \
+  TLS_SECP256R1                 \
+  TLS_SECP521R1                 \
+  TLS_X25519
+
+#define DEFAULT_TLS_CIPHERS_V12           \
   TLS_DHE_RSA_WITH_AES_128_GCM_SHA256     \
   TLS_DHE_RSA_WITH_AES_256_GCM_SHA384     \
   TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 \
   TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 \
   TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   \
   TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
 
+#define DEFAULT_TLS_CIPHERS_V13           \
+  TLS_AES_256_GCM_SHA384                  \
+  TLS_AES_128_GCM_SHA256                  \
+  TLS_CHACHA20_POLY1305_SHA256            \
+  DEFAULT_TLS_CIPHERS_V12
+
 #define LOGGING_COMPONENT_PREFIX "_zss."
 
 static int stringEndsWith(char *s, char *suffix);
@@ -1149,7 +1160,31 @@ static bool readAgentHttpsSettingsV2(ShortLivedHeap *slh,
   }
   JsonObject *httpsConfigObject = jsonAsObject(httpsConfig);
   TlsSettings *settings = (TlsSettings*)SLHAlloc(slh, sizeof(*settings));
-  settings->ciphers = DEFAULT_TLS_CIPHERS;
+  settings->maxTls = jsonObjectGetString(httpsConfigObject, "maxTls");
+  char *ciphers = jsonObjectGetString(httpsConfigObject, "ciphers");
+  /* 
+   * Takes a string of ciphers. This isn't ideal, but any other methods are
+   * going to be fairly complicated.
+   *
+   * ciphers: 13021303003500380039002F00320033
+   */
+  ECVT *ecvt = getECVT();
+  /*
+     2.3 (1020300) no tls 1.3
+  */
+  if ((ecvt->ecvtpseq > 0x1020300) && (settings->maxTls == NULL || !strcmp(settings->maxTls, "TLSv1.3"))) {
+    settings->ciphers = ciphers ? ciphers : DEFAULT_TLS_CIPHERS_V13;
+  } else {
+    settings->ciphers = ciphers ? ciphers : DEFAULT_TLS_CIPHERS_V12;
+  }
+  /* 
+   * Takes a string of keyshares. This isn't ideal, but any other methods are
+   * going to be fairly complicated.
+   *
+   * keyshares: 002300250029
+   */
+  char *keyshares = jsonObjectGetString(httpsConfigObject, "keyshares");
+  settings->keyshares = keyshares ? keyshares : DEFAULT_TLS_KEY_SHARES;
   settings->keyring = jsonObjectGetString(httpsConfigObject, "keyring");
   settings->label = jsonObjectGetString(httpsConfigObject, "label");
   /*  settings->stash = jsonObjectGetString(httpsConfigObject, "stash"); - this is obsolete */

diff --git a/deps/zowe-common-c b/deps/zowe-common-c
diff --git a/manifest.template.yaml b/manifest.template.yaml
@@ -3,7 +3,7 @@ name: zss
 # Component identifier. This identifier matches artifact path in Zowe Artifactory https://zowe.jfrog.io/.
 id: org.zowe.zss
 # Without the v
-version: 2.11.0
+version: 2.12.0
 # Component version is defined in gradle.properties for Gradle project
 # Human readable component name
 title: Zowe System Services (ZSS)

diff --git a/schemas/zss-config.json b/schemas/zss-config.json
@@ -106,6 +106,11 @@
               "$ref": "#/$defs/ipsAndHostnames",
               "default": [ "0.0.0.0" ]
             },
+            "trace": {
+              "type": "boolean",
+              "description": "Enables TLS tracing to diagnose connection issues. Output will be within the zowe log directory.",
+              "default": false
+            },
             "label": {
               "type": [ "string", "null" ],
               "description": "The label (aka alias), identifying the server's certificate in the key store"
@@ -117,6 +122,20 @@
             "password": {
               "type": [ "string", "null" ],
               "description": "The password to the keyring"
+            },
+            "ciphers": {
+              "type": [ "string", "null" ],
+              "description": "The list of ciphers in order of priority"
+            },
+            "keyshares": {
+              "type": [ "string", "null" ],
+              "description": "The list of key shares in order of priority"
+            },
+            "maxTls": {
+              "type": [ "string", "null" ],
+              "enum": ["TLSv1.0", "TLSv1.1", "TLSv1.2", "TLSv1.3"],
+              "default": "TLSv1.3",
+              "description": "Maximum tls version allowed."
             }
           }
         },