
RE: No Matching Cipher Suite. V7.1



   ERROR:  (GSKit) An error occurred during SSL processing that was not
   expected.

   RESOLUTION:

   Applying the following PTFs and performing an IPL resolved our issue;
   we are on V7R2M0.





   From IBM:

   do the following to check for VLOGS:

   1) On the IBM i command line type STRSST
   2) Sign on with your DST user ID/password.
   3) Take an opt. 1 --> opt. 5 --> opt. 1 and hit ENTER
   4) If you see any 'Local Sockets' VLOGS with a major code of 2C00 take
      an opt. 1 to dump these to printer.
   5) We can then exit SST and we'll want to send in the resulting spool
      files.

   We'll also want to check the system to see if the following PTFs are
   applied:

   MF99105
   MF62565
   MF61742

   If these are not applied we would recommend getting them installed with
   an IPL as they address an issue with SSL relating to Power8 machines at
   V7R2.





   www.pilotpen.us
   Chris Hayden - Sr. Systems Analyst
   Office: (904) 645-9999 ext.1252
   Mobile: 904-654-4089
   Pilot Corporation of America
   3855 Regent Blvd, Jacksonville, Florida 32224 United States




   -----Original Message-----
   From: ftpapi-bounces@xxxxxxxxxxxxxxxxxxxxxx
   [mailto:ftpapi-bounces@xxxxxxxxxxxxxxxxxxxxxx] On Behalf Of Dave Burt
   Sent: Tuesday, November 01, 2016 3:42 PM
   To: ftpapi@xxxxxxxxxxxxxxxxxxxxxx
   Subject: No Matching Cipher Suite. V7.1



   The server we are testing on is at 7.1 and at least Tech Refresh 6+.
   All PTFs that are supposed to allow the TLS1.2 protocols to work are
   applied.

   I have been using HTTPAPI and RPG to call external web services such as
   leading2lean and service-now.  HTTPAPI is at 1.32.
   HTTPAPI documentation says it works up to TLS 1.2. (last build 2/2016)

   The HTTPS protocol is only handshaking if L2L sets their server to a
   very "unsecure level" below SSL2.  L2L (under special request) has been
   letting us do it this way for a while.  But eventually, they are going
   to require at least TLS??

   Service-now web service works but I don't know what protocol level they
   are enforcing.



   This command causes the handshake failure:

   rc = http_url_post(url: myPointer: dataSize: ifs: HTTP_TIMEOUT:
                      HTTP_USERAGENT: 'application/x-www-form-urlencoded');

   The error message is "SSL Handshake: (GSKit) No compatible cipher suite
   available"



   According to our Sys-Op and an expert at the COMMON conference, our
   server should be TLS1.2 capable.  He thinks it is the application
   that's not working.  Our ciphers don't exactly match L2L's by name, but
   the expert told our Sys-Op that doesn't matter???  It doesn't look like
   we can even do SSL 2.0.

   The GSKIT API includes an https_init(application_name, enabled
   protocols (ssl2.0, ssl3.0, tls1.0, 1.1, 1.2))

   ii = https_init(*blanks: *Off: *ON: *ON: *ON: *ON);

   We also tried creating an application certificate and using that in the
   program.  But no difference.  I verified that the https_init returns
   without the error code set.



   Our system value for QSSLCSL:

   *RSA_AES_128_CBC_SHA256
   *RSA_AES_128_CBC_SHA
   *RSA_RC4_128_SHA
   *RSA_AES_256_CBC_SHA256
   *RSA_AES_256_CBC_SHA
   *RSA_3DES_EDE_CBC_SHA
   *RSA_DES_CBC_SHA
   *RSA_EXPORT_RC4_40_MD5
   *RSA_EXPORT_RC2_CBC_40_MD5
   *RSA_NULL_SHA256
   *RSA_NULL_SHA
   *RSA_NULL_MD5
   *RSA_RC4_128_MD5

   QSSLCSLCTL: *USRDFN

   QSSLPCL (Protocols):
   *TLSV1.2
   *TLSV1.1
   *TLSV1
   *SSLV3



   Ciphers L2L says will handshake are:

   Cipher Suites (SSL 3+ suites in server-preferred order; deprecated and
   SSL 2 suites at the end)

   TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)   ECDH secp256r1 (eq. 3072 bits RSA)   FS   256
   TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)   ECDH secp256r1 (eq. 3072 bits RSA)   FS   128
   TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)   ECDH secp256r1 (eq. 3072 bits RSA)   FS   256
   TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)   ECDH secp256r1 (eq. 3072 bits RSA)   FS   128
   TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)      ECDH secp256r1 (eq. 3072 bits RSA)   FS   256
   TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)      ECDH secp256r1 (eq. 3072 bits RSA)   FS   128
   TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x9f)       DH 2048 bits                         FS   256
   TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x6b)       DH 2048 bits                         FS   256
   TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39)          DH 2048 bits                         FS   256
   TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (0x88)     DH 2048 bits                         FS   256
   TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x9e)       DH 2048 bits                         FS   128
   TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x67)       DH 2048 bits                         FS   128
   TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33)          DH 2048 bits                         FS   128
   TLS_DHE_RSA_WITH_SEED_CBC_SHA (0x9a)             DH 2048 bits                         FS   128
   TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (0x45)     DH 2048 bits                         FS   128



   Thanks in advance for the help.



   Dave






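The two cipher lists quoted in Dave's post can be compared mechanically, and doing so shows why GSKit reports "No compatible cipher suite available": every QSSLCSL entry on the IBM i side uses static RSA key exchange, while every suite L2L offers uses ECDHE or DHE (forward secrecy), so the intersection is empty no matter how the names are spelled. The script below is an added example, not code from the post, from HTTPAPI or from IBM. The QSSLCSL values and the L2L scan lines are copied from the post; the mapping from IBM's "*<key exchange>_<cipher>_<mac>" names to IANA "TLS_<key exchange>_WITH_<cipher>_<mac>" names is an assumption based on that naming convention, and the two *ECDHE_RSA_... client values used at the end to show what a fix would look like are constructed for illustration, not taken from IBM documentation.

```python
import re

# Client side: the QSSLCSL system value quoted in the post (IBM i 7.1).
QSSLCSL = [
    "*RSA_AES_128_CBC_SHA256", "*RSA_AES_128_CBC_SHA", "*RSA_RC4_128_SHA",
    "*RSA_AES_256_CBC_SHA256", "*RSA_AES_256_CBC_SHA", "*RSA_3DES_EDE_CBC_SHA",
    "*RSA_DES_CBC_SHA", "*RSA_EXPORT_RC4_40_MD5", "*RSA_EXPORT_RC2_CBC_40_MD5",
    "*RSA_NULL_SHA256", "*RSA_NULL_SHA", "*RSA_NULL_MD5", "*RSA_RC4_128_MD5",
]

# Server side: the scan lines L2L supplied, in server-preferred order (copied
# from the post; "NAME (code)   key exchange   FS   bits").
L2L_SCAN = """
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)   ECDH secp256r1 (eq. 3072 bits RSA)   FS   256
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)   ECDH secp256r1 (eq. 3072 bits RSA)   FS   128
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)   ECDH secp256r1 (eq. 3072 bits RSA)   FS   256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)   ECDH secp256r1 (eq. 3072 bits RSA)   FS   128
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)      ECDH secp256r1 (eq. 3072 bits RSA)   FS   256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)      ECDH secp256r1 (eq. 3072 bits RSA)   FS   128
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x9f)       DH 2048 bits                         FS   256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x6b)       DH 2048 bits                         FS   256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39)          DH 2048 bits                         FS   256
TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (0x88)     DH 2048 bits                         FS   256
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x9e)       DH 2048 bits                         FS   128
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x67)       DH 2048 bits                         FS   128
TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33)          DH 2048 bits                         FS   128
TLS_DHE_RSA_WITH_SEED_CBC_SHA (0x9a)             DH 2048 bits                         FS   128
TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (0x45)     DH 2048 bits                         FS   128
"""

# Key-exchange prefixes recognised in QSSLCSL values, longest first so that
# *RSA_EXPORT_... is not mis-parsed as plain RSA.  Assumption: IBM's
# "*<kex>_<cipher>_<mac>" maps onto IANA "TLS_<kex>_WITH_<cipher>_<mac>".
KEX_PREFIXES = ("ECDHE_ECDSA", "ECDHE_RSA", "DHE_RSA", "DHE_DSS", "RSA_EXPORT", "RSA")

# Algorithms that should not be offered at all: no encryption, 40-bit export
# grade, RC4/RC2, single DES, or an MD5 MAC.  (3DES is deliberately not flagged here.)
WEAK = re.compile(r"_(NULL|EXPORT|RC4|RC2|DES_CBC)_|_MD5$")

SUITE_LINE = re.compile(
    r"^(TLS_\w+)\s+\((0x[0-9a-fA-F]+)\)\s+(.+?)(?:\s+(FS))?\s+(\d+)\s*$")


def qsslcsl_to_iana(value):
    """*RSA_AES_128_CBC_SHA256 -> TLS_RSA_WITH_AES_128_CBC_SHA256 (assumed convention)."""
    name = value.lstrip("*")
    for kex in KEX_PREFIXES:
        if name.startswith(kex + "_"):
            return "TLS_%s_WITH_%s" % (kex, name[len(kex) + 1:])
    raise ValueError("unrecognised QSSLCSL value: " + value)


def key_exchange(iana_name):
    """Key-exchange part of an IANA suite name: TLS_ECDHE_RSA_WITH_... -> ECDHE_RSA."""
    return iana_name[len("TLS_"):].split("_WITH_")[0]


def parse_scan(text):
    """Parse scan lines into dicts; lines that do not look like a suite are skipped."""
    suites = []
    for line in text.splitlines():
        m = SUITE_LINE.match(line.strip())
        if m:
            suites.append({"name": m.group(1), "code": int(m.group(2), 16),
                           "kex": m.group(3), "fs": m.group(4) == "FS",
                           "bits": int(m.group(5))})
    return suites


def negotiable(client_values, server_suites):
    """Suites both sides offer, in server-preferred order; empty means the
    handshake cannot succeed regardless of protocol version or certificate."""
    client = {qsslcsl_to_iana(v) for v in client_values}
    return [s["name"] for s in server_suites if s["name"] in client]


def diagnose(client_values, server_suites):
    """Summarise why two suite lists do (or do not) overlap."""
    client = [qsslcsl_to_iana(v) for v in client_values]
    return {
        "common": negotiable(client_values, server_suites),
        "client_kex": sorted({key_exchange(n) for n in client}),
        "server_kex": sorted({key_exchange(s["name"]) for s in server_suites}),
        "weak_client": [n for n in client if WEAK.search(n)],
    }


if __name__ == "__main__":
    report = diagnose(QSSLCSL, parse_scan(L2L_SCAN))
    for key, val in report.items():
        print("%-12s %s" % (key + ":", val))
    # Constructed client values (not from IBM docs) showing what an overlap looks like.
    extended = QSSLCSL + ["*ECDHE_RSA_AES_128_GCM_SHA256", "*ECDHE_RSA_AES_256_GCM_SHA384"]
    print("with ECDHE:  %s" % negotiable(extended, parse_scan(L2L_SCAN)))
```

Run as-is it reports an empty "common" list, client key exchange limited to RSA and RSA_EXPORT, server key exchange limited to DHE_RSA and ECDHE_RSA, and eight client suites (the NULL, EXPORT, RC4, DES and MD5 entries) that should be removed from QSSLCSL regardless of this particular failure, since a server that does accept them gives you either no confidentiality or a 40-bit key. A non-empty intersection is necessary but not sufficient: the protocol version in QSSLPCL and the server certificate's key type must also line up, but an empty intersection is by itself enough to produce the GSKit "no compatible cipher suite" error.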
-----------------------------------------------------------------------
This is the FTPAPI mailing list.  To unsubscribe, please go to:
http://www.scottklement.com/mailman/listinfo/ftpapi
-----------------------------------------------------------------------