July 10th 2023 Dear Connect:Direct for i5/OS customer, Enclosed please find a CD containing the latest cumulative maintenance for Connect:Direct for i5/OS 3.8.03 Please call IBM for details on IBM APARs. Cumulative Maintenance Contents: 2307A ---------------------------------------------- All the modified objects which are addressed by following issues. ======================= D380F1503A ================================ APAR IT06028 Process is not running using permanent session managers. Solution: Put a counter in to allow 15 processes to run, then start a new session manager, working on a more permanent fix. Object: PMGR - PMGR (PGM) IT07472 Error CSPA081E-Unable to initialize workspace, after upgrading to 3.8, remote netmap was not in SPADMIN. Solution: Put back in logic to issue a warning Object: SMMAIN - SMMAIN (PGM) IC99154 If the SNODEID JOBD has more then 52 libraries in their list we receive an error CPF9999 Solution: Increase variables to allow for larger library lists. Object: XRTVUSRL - RMTSYSTEM (PGM) IT07616 Long delay on DNS lookup as the DNS server is not responding to a IPv6 request. Solution: Change the getaddrinfo() call to use AI_ADDRCONFIG flag Object: SDIP_TCPIP - SMMAIN (PGM) IT08034 Can not send secure to SI/CDSA 5.2.4.0 getting CSPA203E error. CDSA only supports SSL & TLS can not take TLS1.2 handshake. Solution: Change SPADMIN to allow only one protocol to be entered. Changed to toolkit to only turn on one protocol, not higher. Object: SPADMIN2 - SPADMIN (PGM) CDSSLGSK - SMMAIN (PGM) ======================= D380F1506A ================================ APAR IT09661 Added fix from 3.7: IC94327 A MBCS transfer using codepage(284, 1208) is successful but there is some garbage in the destination file Solution: Clean up the use of some of the internal variables used for iconv() that were causing errors on new i5/OS releases. Object: SMCOPY - SMMAIN (PGM) ======================= D380F1507A ================================ IT08726 z/OS Sending a binary file to i5 IFS will end with error ACOP009I if source file length greater then 32754 Solution: Remove logic on record length change for IFS files. Object: SMFILE - SMMAIN (PGM) ======================= D380F1508A ================================ IT10851 During a Secure+ session a C:D server may create multiple SSL records when encrypting a buffer for transmission. If the remote node cannot handle multiple records, the session fails. Solution: Decrypt the data a second time if only 1 byte was decrypted during the first attempt. Object: CDSSLGSK - SMMAIN (PGM) ======================= D380F1510A ================================ IT11651 CDSMGR hangs - joblog shows The pointer parameter passed to free or realloc is not valid. Solution: Removed logic that was causing the error. Object: SMPROC - SMMAIN (PGM) ======================= D380F1511A ================================ IT12308 >>>> Message "ID" Not found was displaying instead of the proper message text. Solution: Corrected the corrupt message file. Object: NDMMESSAGE - (FILE) ======================= D380F1601A ================================ Internal: Any user can access the SPADMIN (Secure+ Admin Utility) panel. Solution: Corrected the program to only allow those users with administrative authority to access this panel. Object: SPADMIN - (PGM) Internal: C2M3003 - Data was truncated on an input, output or update operation was appear in the joblog for each record read when running SPADMIN. Solution: Corrected the program so the messages no longer appear in the joblog. Object: SPADMIN - (PGM) ======================= D380F1601B ================================ IT13286 Ending a 5250 session abnormally makes the interactive job generate a huge number of spool files while running SPADMIN. Solution: End the program with minimal errors when the 5250 session is ended abnormally. Object: SPADMIN2 - (PGM) ======================= D380F1602A ================================ IT13235 The Translation table cannot tranlate some traditional Chinese characters. Solution: Opened the rules to include hex value x'FB' through x'FE' Object: CRTCDXTC - CRTCDXTC (PGM) ======================= D380F1602B ================================ ENHANCEMENT *PUBLIC authority needs to be set to *EXCLUDE on all objects in the Connect:Direct library. Solution: A new command can be run that will modify the authority on all Connect:Direct objects. The Connect:Direct Administrator will become the owner, *PUBLIC will be set to *EXCLUDE and a specified group profile (ibm i user id of choice) will be granted *USE access. Object: SETCDAUT - (CMD) SETCDAUT SETCDAUTV - (CL) SETCDAUT - (PNLGRP) ======================= D380F1603A ================================ Internal Some defects from 3.7 were never synched into 3.8 IC91866 CDSND fails with RACF error but retries the connection the command should not retry a security failure. Solution: Corrected logic if error was found not to continue. Object: SDIP_TCPIP - SMMAIN (PGM) IC92491 MCH3601 error from module SDIP_TCPIP from procedure tcp_read_header. Solution: Added additional logic checking for readv(). Object: SDIP_TCPIP - SMMAIN (PGM) IC94325 Using I5OS in netmap with CDRCV gives a message 'Error detected in prompt override program command string' Solution: Correct logic checking. Object: GETENVIRN - CDRCV (PGM) ======================= D380F1604A ================================ ENHANCEMENT Full support of Connect Direct in an iASP. Solution: Two new commands have been created to provide full support of Connect Direct in an iASP. UPDCDIASP will update your Connect Direct system when you have manually moved your system to an iASP. SETCDIASP will move your Connect Direct system to an iASP. Review the word documents to determine which command should be run to add full support of an iASP to your Connect Direct system. Object: SETCDIASP UPDCDIASP - (CMD) SETCDIASP STRCD UNINSTALLM UPDATECD UPDCDIASP STRCD - (CL) PMGR - (PGM) SETCDIASP UPDCDIASP - (PNLGRP) ======================= D380F1604B ================================ IT14898 Secure Plus Protocol Flags not behaving as expected. Solution: Made the Secure Plus work more consistently with the new versions of C:D Unix and C:D Windows Object: SDIP_TCPIP - SMMAIN (PGM) CDSSLGSK - SMMAIN (PGM) ======================= D380F1605A ================================ IT15127 Receiving error ASMT015I - Unable to establish the specified security environment when a multi-process is submitted with 2 different user id's. Solution: Ended the RMTSYSTEM job at the end of each process allowing to new process to start with current credentials. Object: SMPROC - SMMAIN (PGM) ======================= D380F1607A ================================ IT16155 When sending a file from the IFS file system and compression was turned on, the file was not being compressed and the resulting file was larger than the original file. Solution: Corrected the compression logic. Object: SMCOPY - SMMAIN (PGM) ======================= D380F1608A ================================ IT16725 During a Secure+ session a C:D server the snode on occasions will hang. This is because of the combination of the buffer size and file size. When there is only 1 byte left to decrypt, the program assumes the beast remediation virus code is in place and attempts to decrypt the remaining data when there is none. This causes the snode to hang. Solution: Verify there is more data to be decrypted before performing the decrypt function again. Object: CDSSLGSK - SMMAIN (PGM) ======================= D380F1612A ================================ IT18334 Source members were missing from the CDXTSOURCE file. Also corrected some help text for the CDRUNTASK command. Solution: Added the source members back to the CDXTSOURCE file. Object: CDXTSOURCE - (FILE) NDMGENERAL - (PNLGRP) ======================= D380F1701A ================================ IT18859 When CHGCDPARM was run directly from a command line, some of the INITPARMS were removed. Solution: Force CHGCDPARM to be run from the menu system in Connect:Direct. Object: CHGCDPARM - (COMMAND) ======================= D380F1703A ================================ IT19548 Blocking had been removed causing a slow down when large files with small record lengths were being transmitted. Solution: Added blocking back. Object: SMFILE - SMMAIN (PGM) SMCOPY - SMMAIN (PGM) ======================= D380F1704A ================================ ENHANCEMENT Added Max Global Concurrent Session parameter to the Connect:Direct Parameters (INITPARMS). Solution: This new parameters controls the total number of incoming and outgoing sessions that you can have running simultaneously as defined in your Connect:Direct contract agreement. When this fix is loaded, it will populate this new fields with the value that resides in the Maximum synchronous sessions field. If this is not the value defined in your contract agreement, you will need to modify this new value through the Change C:D parms (CHGCDPARM) panel - Option 1 from the Connect:Direct Administration menu. Object: CNVCDPARM CHGCDPARM - (CMD) CHGCDPARM EDITCHG - (CL) CNVCDPARM GETCDPARM INITPARMS PMGR WRKSTSC - (PGM) CHGCDPARM NDMGENERAL WRKCDSTS - (PNLGRP) ======================= D380F1706A ================================ IT21110 When adding a new entry in SPADMIN by using the F6 key, the node name was created as blanks. Solution: Created the new record with the node name entered. Object: SPADMIN2 - SPADMIN(PGM) ======================= D380F1707A ================================ IT20960 Added a condition on CDCOMP command to check if the input file is a save file since compression is not allowed for save files. Solution: Added condition to check file type. Object: EDITCOMP - (PGM) ======================= D380F1709A ================================ IT21585 When two PNODES initiated file transfer with same process numbers, submitter IDs and similar node names the SNODE reports error ACDU001I and ACDU010I. Solution: Modified creation of process storage name and FMH72 sent from the PNODE to carry TDSB bits as well. Object: SMPROC - SMMAIN (PGM) ======================= D380F1712A ================================ Internal Secure+ changes done for 3.8 release modified three structures corresponding to three statistics events. This was leading to truncated values in Control Center reports. Solution: Modified the size of KQV_MERGE_PROTOC and merge_protoc to 12 byte from the existing 8. This is done for SMSTST and SMSTTM events. Object: STATEVENT - STATMGR (PGM) Internal When the instance of C:D is a GA version, the version information is blank. This will produce a version to be displayed as Connect:Direct 3.8.00 PTF 0000 The extra space between the Direct and with is the empty version. Solution: Modified the program to insert the GA version information in the first portion of the message to replace the ' ' that is currently showing up. Object: CDVER - (CL) ======================= D380F1802A ================================ Internal On Secure+ Admin screen Default to local node does not retain its value. When set to 'Y' the LCLNODE ciphers are not copied and empty list is duplicated. Solution: Resolved this problem by using the ciphers of local node to copy on the current node. To avoid the duplication of cipher list, used the API to delete list after cipher selection is done. We used a member in relevant structure to keep 'default to local' so the value will persist per node. Object: SPADMIN2 - SPADMIN(PGM) ======================= D380F1804A ================================ IT24685 In a secure+ transfer from SI to i5, i5(Snode) sends first FMH70 with the max buffer value i.e 65535.The SI side has buffer set to 32K(which is too high for i5 in case of secure transfer). So i5 gets FMH70 back with 32K as the buffer size because it will negotiate down to smaller size. And the transfer gets failed as maximum buffer size for i5 in case of secure+ is 16K. Solution: Introduced a check to ensure that the RUSZ in first FMH70 should always be set to 16K when Secure+ is enabled and buffer size in netmap is greater than 16K. No change in case of Non secure transfer, buffer size will be negotiated as per entry in the netmap. Object: SMPROC - SMMAIN (PGM) ======================= D380F1805A ================================ IT24986 After successful completion of a RUNTASK the correct message text was not displayed in the traces. Instead of the expected message the traces printed an error message "Message "ID" Not found in Message File" Solution: Removed the extra erroneous "INSERT" and "DELETE" lines in the text file msgsrc_seq.txt. After building the CD library again the corruption in NDMMESSAGE file got resolved. Object: NDMMESSAGE (FILE) ======================= D380F1809A ================================ IT26101 Normal end disposition and abnormal end disposition are not applicable for Sterling Connect:Direct for i5/OS. Solution: Hidden these options in From Disposition (FDISP) parameter of the CDSND and CDRCV commands. The default value is now displayed as NONE. Help panels are updated to display the correct information which can be accssed by using F1 key. Object: CDSND - (CMD, CL) CDRCV - (CMD, CL) ======================= D380F1905A ================================ IT29098 Error observed when trying to add user by ADDCDUSR or WRKCDUSR command - "Open of member CDUSER was changed to SEQONLY(*NO)" Solution: The maximum number of users which can be added in the CDUSER file was limited to 4000. However the CDUSER file is capable of holding 10000 records. Modified the limit and increased it to allow 10000 users. Object: WRKUSRC2 - WRKCDUSR (PGM) ======================= D380F1907A ================================ IT29717 When CDU server is the Snode doing server authentication with a CD i5 Pnode and the CDU server's certificate exceeds the 16,000B buffer limit required by CD i5 - It leads to failure of SSL handshake because CD i5 truncates the CDU's certificate before passing it to the GSKit. Solution: The buffer limitation of 16,000B on CD i5 is too small. It has been increased to allow for the very largest TLS message plus its header. Object: RMTSYSTEM - RMTSYSTEM (PGM) ======================= D380F1910A ================================ IT30642 Secure+ parameter "Auth. Time Out", can be defined in both the *LCLNODE and in a Remote Node. If in the *LCLNODE you have set "Override Security:Y" then the value of "Auth. Time Out" should come from the Remote Node entry. This is not happening. Solution: Secure+ parameter "Auth. Time Out" not being honoured in Remote Node. This fix allows remote node time out value in case Override Security:Y in LCLNODE. Object: SMPROC - SMMAIN (PGM) ======================= D380F2002A ================================ IT31998 When sending a file with 287 fields and parameter SNDFFD(*YES) set in the FMSYSOPTS then the transfer fails and proper error message is not printed. Solution: The FFD size in copy block has been raised to 16K from earlier 12K and an error message AFLH090I has been created to print the cause of failure in case FFD exceeds maximum allowed. Object: SMCOPY - SMMAIN (PGM) ======================= D380F2002B ================================ IT32014 User Space objects not getting deleted in cdcleanup job run. Since size of user space to keep the list was small. It was not able to keep all the entries returned by QUSLOBJ API. Solution: The user space size was 65 kb. This size has been increased to maximum size of 16 Mb for user space. Object: CDCKPTDAYS - CDCKPTDAYS (PGM) ======================= D380F2005A ================================ IT32845 With TLS1.3 available and enabled, a loopback test fails with SNODE timing-out. CD does not currently support TLS1.3 Solution: TLS1.3 is disabled in Secure+ until supported. Object: CDSSLGSK ======================= C38022006A ================================= IT33308 For IFS, CD does not use the SPOE user profile or the SNODEID for receiving the files thus the ownership of the files received is always CDADMIN. Also, the permission of the files received is always *RWXRWXRWX irrespective of the its parent directory permission. Currently, CD does not use inherited authority on new files. Solution: Whenever new file transfer request is received, SMGR would now be run under the SPOE user profile or the SNODEID in the received process. So that the new files created on Cd i5 has the ownership of the SPOE or SNODEID. Also, new parameter "Set Private Authority" has been introduced which would enable/disable CD i5 to handle the inherited authority on the new files created in directory on IFS. By default, this parameter would be set as "*NO" meaning CD i5 would not handle inherited authority. Object: CHGCDPARM EDITCHG - (CL) CHGCDPARM - (CMD) CHGCDPARM - (PNLGRP) GETCDPARM INITPARMS PMGR WRKSTSC SMPROC STRMIO - (PGM) IT33274 CDTCPL job gets an EAGAIN errno on socket accept() call and enter in a retry/restart socket mode but fails to bind() on the new created socket. After some retries, job terminates with a forced sigterm and is restarted by CDPMGR. Solution: Socket accept() call better manages EAGAIN error and does not fail as before. Object: CDTCPL ======================= C38022008A ================================= IT33861 The size of user space to be created was having wrong value of 16,776,704 bytes. Solution: The size of user space is now corrected for optimum alignment with value 16,773,120 bytes. Object: CDCKPTDAYS - CDCKPTDAYS (PGM) ======================= C38022009A ================================= IT34272 TLS1.0 ciphers are enabled whatever TLS1.0 is selected or not in Secure+. TLS1.0 ciphers are sent on Client Hello in addition to Secure+ selected ciphers. A wrong cipher may be selected by server. Solution: TLS1.0 is only enabled when selected. Object: SMMAIN (PGM) ======================= C38032010A ================================= Version 3.8.03 Secure+ Enhancements: - Support for TLS 1.3 - Support for ECHDE cipher suites - Support for selecting secure protocols individually - Enhanced Secure+ logging in the CDSMGR CDLOG - The default protocol of a new node is now TLS 1.2 - Support for security modes About TLS1.3 support: TLS1.3 is available on OS Level 7.3 and up with appropriate OS fixes applied: 7.3: see https://www.ibm.com/support/pages/node/687743 7.4: see https://www.ibm.com/support/pages/node/1071614 Without TLS1.3 installed, Secure+ will disable TLS1.3 support. Available and configurable Ciphers: SSL V3 000A TLS_RSA_WITH_3DES_EDE_CBC_SHA 0005 TLS_RSA_WITH_RC4_128_SHA 0004 TLS_RSA_WITH_RC4_128_MD5 0009 TLS_RSA_WITH_DES_CBC_SHA 0002 TLS_RSA_WITH_NULL_SHA 0001 TLS_RSA_WITH_NULL_MD5 TLS1.0 002F TLS_RSA_WITH_AES_128_CBC_SHA 0035 TLS_RSA_WITH_AES_256_CBC_SHA 000A TLS_RSA_WITH_3DES_EDE_CBC_SHA 0002 TLS_RSA_WITH_NULL_SHA TLS1.1 002F TLS_RSA_WITH_AES_128_CBC_SHA 0035 TLS_RSA_WITH_AES_256_CBC_SHA 000A TLS_RSA_WITH_3DES_EDE_CBC_SHA 0002 TLS_RSA_WITH_NULL_SHA TLS1.2 C02F TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 C030 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 CCA9 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 CCA8 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 C02B TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 C02C TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 009C TLS_RSA_WITH_AES_128_GCM_SHA256 009D TLS_RSA_WITH_AES_256_GCM_SHA384 003C TLS_RSA_WITH_AES_128_CBC_SHA256 003D TLS_RSA_WITH_AES_256_CBC_SHA256 002F TLS_RSA_WITH_AES_128_CBC_SHA 0035 TLS_RSA_WITH_AES_256_CBC_SHA C027 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 C028 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 C023 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 C024 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 000A TLS_RSA_WITH_3DES_EDE_CBC_SHA C008 TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA C012 TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA TLS1.3 1301 TLS_AES_128_GCM_SHA256 1302 TLS_AES_256_GCM_SHA384 1303 TLS_CHACHA20_POLY1305_SHA256 Available Security Modes: FIPS 140-2: Enables all of the necessary settings to operate in FIPS-compliant mode. This setting tracks relevant standards and may change if the relevant standards change. SP800 131A: Enables all of the necessary settings to operate in SP800-131a mode. This setting tracks relevant standards and may change if the relevant standards change. SUITEB 128BIT: Enables all of the necessary secure operation settings so SSL/TLS will operate in the 128-bit security level of TLS Suite B Profile mode as per RFC 6460. SUITEB 192BIT: Enables all of the necessary secure operation settings so SSL/TLS will operate in the 192-bit security level of TLS Suite B Profile mode as per RFC 6460. Vaccinate : Enables all of the recommended settings and tracks security vulnerability issues, allowing the application to remain secure. Currently, vaccinate sets the following: SSLV2HELLO_ENABLE OFF PROTOCOL_SSLV2 OFF PROTOCOL_SSLV3 OFF PROTOCOL_TLSV12 ON PROTOCOL_TLSV13 ON FIPS_MODE_PROCESSING ON SSL_EXTN_SIGALG ECDSA_WITH_SHA512, ECDSA_WITH_SHA384, ECDSA_WITH_SHA256, RSA_WITH_SHA512, RSA_WITH_SHA384, RSA_WITH_SHA256 When a security mode is enabled it is also mandatory to select the secure protocols S+ will enable. Depending on the selected security mode, some selected secure protocols will be disabled by S+ when a secure session is initialized. The following secure protocols will be forced to disabled if selected: For FIPS 140-2: SSLV3 For SP800 131A: SSLV3, TLSV1.0, TLSV1.1 For SUITEB 128BIT: all but TLSV1.2 For SUITEB 192BIT: all but TLSV1.2 For Vaccinate: all but TLSV1.2 & TLSV1.3 Intersection between selected protocols and available protocols for a particular security mode may result in an empty protocol list. Secure session will fail. On the other hand, if a security mode is selected and a subset of the allowed protocols are selected, this security protocol will execute with only this subset. For example, Vaccinate + TLSV1.3: Vaccinate mode will run with only TLSV1.3 enabled. Note on CDJOBD: Job description is changed to allow multithreading as CDSMGR requires it. CRTCDOBJ, SETCDIASP and UPDATECD commands set CDJOBD with this new required parameter. Note on SPNTMP file: This file is converted to a new format to handle secure+ additions. ======================= C38032104A ================================= IT36603 When handshake process was redesigned to support TLS1.3, one previous fix was lost. APAR IT29717 was not ported back to version 3.8.0.3 PTF C38032010A. Some handshake can fail if message size is too small. Solution: Port back APAR IT29717. Object: SMMAIN (PGM) ======================= C38032105A ================================= IT37012 With QNTC file system in IBM i 7.4, the file transfer completes successfully but incomplete file is transferred to remote partner from IBM i system. On checking the CDLOG, you will see a success in file transfer and a false compression percentage. Solution: Due to limitation on record length of file in IBM i, this restriction has been applied to limit it to 32768 bytes for file in IFS. Object: SMFILE - SMMAIN (PGM) ======================= C38032105B ================================= UPDATECD command does not update correctly CDJOBD Job Description when CD is on iASP. CDJOBD is updated on the wrong library. The JOBD ALWMLTTHD parameter is not correctly updated to the expected value *YES. Transfers with S+ fail as SMGR can't start a necessary thread for handshake part. Solution: CDJOBD object is correctly updated. Object: UPDATECD ======================= C38032109A ================================= IT38297 When permanent session managers are set, a first session works correctly, the second one makes the session manager crash and restart. Solution: A memory overlay occurred in the second session and is fixed. Object: SMMAIN (PGM), STRCD(CMD) ======================= C38032109B ================================= IT38462 When more than 1 listening address is defined in initparm and one of them is a duplicate or fails to bind, a listen counter is wrong. After some delay (100 accepted incoming connection), CDTCPL Job abnormally ends due to a non monitored MCH3601 message. Solution: The number of valid listening addresses is fixed and MCH3601 no longer occurs. Object: CDTCPLIST (PGM) ======================= C38032109C ================================= IT38667 Some CD components may crash when trace is on. The CDTRACE call stack is not enough sized to store the full call history when calls are too deep. Solution: The call stack size is correctly sized. Object: CDTRACE (SRVPGM) ======================= C38032202A ================================= IT39911 TLS handshake does not consume all data returned from the Global Security Kit (GSK). Next encrypted buffer (not a data buffer) after handshake is corrupted. Solution: All data is correctly consumed and encrypted buffer is no longer corrupted. Object: SMMAIN (PGM) ======================= C38032204C ================================= IT40845 Due to same timestamp of records in statistics the order by option does not produce promising result. Every time results are different. Solution: Added a sequence number field in statistics which can be used to uniquely identify the records by using both timestamp and sequence number while fetching the records from statistics using SQL query Object: STATMGR (PGM) ======================= C38032205A ================================= IT40844 CDSND with SNDFFD(*YES) fails with AFLH086I when there is more than 99 fields. Solution: The data area used to transport fields description has been extended. Object: SMMAIN (PGM) ======================= C38032209A ================================= IT41961 Connect:Direct for i5/OS uses zlib, which is vulnerable to the following issue: CVE-2018-25032: Zlib is vulnerable to a denial of service, caused by a memory corruption in the deflate operation. By persuading a victim to open a specially-crafted file using many distant matches, a remote attacker could exploit this vulnerability to cause the application to crash. Solution: The vulnerability has been fixed by upgrading zlib to version 1.2.12 Object: ZLIB (PGM) ======================= C38032303A ================================= IT43372 Initiating a session from CD ZOS to CD i5 using TLS13 and ZIIP=all or SSTLS will end with error CSPA204E SSL receive failure, rc=-00000506, rsn=N/A After a successful TLS1.3 handshake CDi5 sends a second session ticket and CDzOS in ZIIP mode does not accept it. CDzOS running in SRB mode can't accept new handshake records. Solution: The new session ticket is no longer sent after handshake. Object: SMMAIN (PGM) ======================= C38032303B ================================= IT43407 TLS Handshake timeout when connection is slow or system busy. There is an error in the handshake process where network sockets are not read correctly on slow connection. Solution: The handshake process was fixed. Object: SMMAIN (PGM) ======================= C38032307A ================================= IT44116 Secure plus file transfer failing on IBM i 7.2 after applying maintenance to CD i5/OS 3.8.0.3_iFix008. The secure session ticket attribute is available only on IBM i 7.3 and above, resulting in failure of TLS handshake on IBM i 7.2. Solution: The secure session ticket arrtibute handling has been done by setting it only if its supported and available in system. Object: SMMAIN (PGM)