Chris Meyer wrote:
>I checked with the System SSL folks on this.  

>It sounds like what you're observing is a difference in default System
>SSL certificate validation mode settings between TLSv1.2 and TLSv1.3.
>See the description of the System SSL GSK_CERT_VALIDATION_MODE
>parameter in this table:
>https://www.ibm.com/docs/en/zos/3.1.0?topic=programming-environment-variables.
>Note that the default for TLSv1.2 (and earlier) is ANY, which initially
>validates against RFC 2459 which has the relaxed requirements
>regarding the critical bit. For TLSv1.3, however, System SSL defaults
>to RFC 5280 checking which requires the critical bit to be set.

>Based on what you've said in this thread, I'm assuming that you have
>not specified a value for GSK_CERT_VALIDATION_MODE, as that would
>result in the behavior you described.

Ah HAH -- this has to be it! And no, we are not specifying a 
GSK_CERT_VALIDATION_MODE.

All the doc says ANY is and remains the default. Are you saying that the 
default silently changes when it's TLSv1.3? If so, is that a code bug or a doc 
bug?

It looks like an environment variable can change that setting, too. I'm going 
to see if I can get someone to replace the certificate with the "bad" one and 
try that. If that'll get us around it, we'll be good--if some customer hits it, 
we can say "Add this" and they'll be good to go. As I think I wrote before, I'm 
not all that worried about that happening, since any real modern root cert 
SHOULD have BC set correctly, but it would be good to know.

Thanks!

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
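The point of the thread is that the same root certificate passes an RFC 2459-style check and fails an RFC 5280-style check depending only on whether its basicConstraints extension carries the critical flag. The following is an added example, not code from the thread or from IBM System SSL: a small DER encoder/decoder for the X.509 Extensions SEQUENCE that reports whether basicConstraints (OID 2.5.29.19) is present, whether cA is TRUE, and whether the extension is marked critical, and then applies either the relaxed policy the thread attributes to RFC 2459 checking or the strict RFC 5280 policy. The function names and the constructed sample extension bytes are assumptions for illustration.

```python
# Added example (not from the thread or from System SSL). Parses an X.509
# Extensions SEQUENCE and applies the two basicConstraints policies the
# thread contrasts: relaxed (critical flag not required) vs strict RFC 5280
# (CA certificates must mark basicConstraints critical). Function names are
# hypothetical; sample certificates are constructed inline.

BASIC_CONSTRAINTS_OID = "2.5.29.19"


# ---- minimal DER encoder, used only to construct sample extension blobs ----
def _der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(body)) + body


def _encode_oid(dotted: str) -> bytes:
    parts = [int(p) for p in dotted.split(".")]
    out = bytearray([40 * parts[0] + parts[1]])
    for arc in parts[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return _tlv(0x06, bytes(out))


def make_extensions(ca: bool, critical: bool) -> bytes:
    """Constructed sample: Extensions SEQUENCE holding one basicConstraints ext."""
    # BasicConstraints ::= SEQUENCE { cA BOOLEAN DEFAULT FALSE, ... }
    bc_value = _tlv(0x30, _tlv(0x01, b"\xff") if ca else b"")
    ext = _encode_oid(BASIC_CONSTRAINTS_OID)
    if critical:                       # critical BOOLEAN DEFAULT FALSE: omitted when false
        ext += _tlv(0x01, b"\xff")
    ext += _tlv(0x04, bc_value)        # extnValue OCTET STRING
    return _tlv(0x30, _tlv(0x30, ext)) # Extensions ::= SEQUENCE OF Extension


# ---- minimal DER decoder for the Extensions SEQUENCE ----
def _read_tlv(buf: bytes, pos: int):
    tag, pos = buf[pos], pos + 1
    ln, pos = buf[pos], pos + 1
    if ln & 0x80:
        n = ln & 0x7F
        ln = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + ln], pos + ln


def _decode_oid(body: bytes) -> str:
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def parse_extensions(der: bytes) -> list:
    """Return [{oid, critical, value}] for every Extension in the SEQUENCE."""
    tag, seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("expected Extensions SEQUENCE")
    exts, pos = [], 0
    while pos < len(seq):
        _, ext, pos = _read_tlv(seq, pos)
        _, oid_body, p = _read_tlv(ext, 0)
        tag, body, p = _read_tlv(ext, p)
        critical = False
        if tag == 0x01:                # optional critical BOOLEAN precedes extnValue
            critical = body == b"\xff"
            tag, body, p = _read_tlv(ext, p)
        exts.append({"oid": _decode_oid(oid_body), "critical": critical, "value": body})
    return exts


def basic_constraints_status(der: bytes) -> dict:
    for e in parse_extensions(der):
        if e["oid"] == BASIC_CONSTRAINTS_OID:
            _, inner, _ = _read_tlv(e["value"], 0)     # BasicConstraints SEQUENCE body
            return {"present": True, "critical": e["critical"],
                    "ca": inner[:3] == b"\x01\x01\xff"}
    return {"present": False, "critical": False, "ca": False}


def accept_as_ca(der: bytes, strict_rfc5280: bool) -> bool:
    """Relaxed mode: cA=TRUE suffices. Strict mode: cA=TRUE and critical required."""
    s = basic_constraints_status(der)
    if not (s["present"] and s["ca"]):
        return False
    return s["critical"] if strict_rfc5280 else True


if __name__ == "__main__":
    for label, blob in (("critical CA", make_extensions(True, True)),
                        ("non-critical CA", make_extensions(True, False)),
                        ("end entity", make_extensions(False, True))):
        print(label, "relaxed:", accept_as_ca(blob, False), "strict:", accept_as_ca(blob, True))
```

The "non-critical CA" case reproduces the situation in the thread: a root whose basicConstraints says cA=TRUE but is not marked critical is accepted under the relaxed policy and rejected under strict RFC 5280 checking. To run this against a real certificate, extract the Extensions SEQUENCE from inside the `[3] EXPLICIT` tag of TBSCertificate first; the decoder here deliberately handles only that SEQUENCE, so the checking logic stays short enough to read.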