
Re: [Ftpapi] just upgraded os from 7.3 to 7.4, sporadic "Peer not recognized or badly formatted message received"



On Scott's last note, I have seen this error when the wrong port is used (i.e., 80 vs 443).

Other than that, it's usually caused by ciphers used/requested by the server.  If they use outdated ciphers and they're not in the IBM i's cipher list (because they are obsolete) then you would need to find out which ones are used and manually enter them.

On the other hand, if you're behind on PTFs (or on V7R1 or later...) they may be using a cipher you don't have on your system.

It is VERY important to stay up on versions of software, OS versions and PTFs when working with applications that deal with TLS/SSL.  I see these types of things daily from my customers with GETURI and MAILTOOL.  As Scott mentioned, HTTPAPI is simply reporting an error from the system.

It may very well require a call to IBM support as well to get more help.  Normally they can run traces and see what's wrong.



On Tue, Sep 8, 2020 at 3:43 PM Scott Klement <sk@xxxxxxxxxxxxxxxx> wrote:

Hello,

You can do HTTP_setDebugLevel(2) to get more detail, et al.

I don't think that'll be very helpful in this particular situation, however.  What's happening is that HTTPAPI is calling the IBM i routine named gsk_secure_soc_init().  This routine is what negotiates the TLS/SSL parameters with the remote HTTP server.  This is often referred to as "SSL handshaking".

The gsk_secure_soc_init() API is returning error code GSK_ERROR_BAD_PEER.  You can read more about the API and its error codes here:
https://www.ibm.com/support/knowledgecenter/ssw_ibm_i_74/apis/gsk_secure_soc_init.htm

I don't see how adding timestamps or including more information about HTTPAPI's internals would be helpful considering that we know the error is occurring within an IBM API, and not inside HTTPAPI itself.  The error message is already telling you everything it knows:  The remote server sent a message that it cannot recognize.  It's basically one of three things:

1) Your system doesn't have the particular set of TLS/SSL parameters needed available.  (i.e. you aren't allowing the particular SSL version, ciphers, etc, that it wants to use.)

2) Something is causing the data to be corrupted / formatted wrong.

3) The remote server is not trying to speak TLS or SSL, but you are.



On 9/8/2020 2:46 PM, Gerald Magnuson wrote:

I am being asked about providing a deeper level of logging.

I only know about http_debug(*on : 'filename.txt');

Is there something that will output timestamps and more detail?

--
_______________________________________________
Ftpapi mailing list
Ftpapi@xxxxxxxxxxxxxxxxxxxxxx
http://scottklement.com/mailman/listinfo/ftpapi
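
Added example (not part of the original thread, and not HTTPAPI or IBM code): a Python helper that sorts the first bytes a server sends back after a TLS ClientHello into the three causes Scott lists above. The function name, the use of 0 for "nothing to classify", the sample byte strings, and the choice of which alerts count as cause 1 are assumptions made for illustration.

```python
import struct

# TLS alert descriptions (RFC 5246) that signal no common version or cipher.
NEGOTIATION_ALERTS = {40: "handshake_failure", 70: "protocol_version",
                      71: "insufficient_security"}
RECORD_TYPES = {20, 21, 22, 23}  # change_cipher_spec, alert, handshake, app data

# Constructed sample replies (not captured from any real server).
SAMPLES = [
    b"HTTP/1.1 400 Bad Request\r\nConnection: close\r\n\r\n",  # HTTP port
    bytes.fromhex("15030300020228"),          # fatal alert 40
    bytes.fromhex("15030100020246"),          # fatal alert 70
    bytes.fromhex("160303004a020000460303"),  # start of a ServerHello
    bytes.fromhex("16ff0000100200"),          # damaged record header
]


def classify_reply(data: bytes):
    """Return (cause, detail): cause 1-3 as in the list above, 0 = unclassified."""
    if not data:
        return (0, "no reply data, inconclusive")
    if data[0] not in RECORD_TYPES:
        text = data[:40]
        if all(32 <= b < 127 or b in (9, 10, 13) for b in text):
            first_line = text.splitlines()[0].decode("ascii")
            return (3, "plaintext reply: " + first_line)
        return (2, "first byte 0x%02x is not a TLS record type" % data[0])
    if len(data) < 5:
        return (2, "truncated TLS record header")
    # Record header: content type (1 byte), version (2), length (2).
    ctype, version, length = struct.unpack("!BHH", data[:5])
    if version >> 8 != 3 or length == 0 or length > 16384 + 2048:
        return (2, "bad record header: version 0x%04x, length %d" % (version, length))
    if ctype == 21:  # alert record body: level byte, description byte
        if length != 2 or len(data) < 7:
            return (2, "malformed alert record")
        desc = data[6]
        if desc in NEGOTIATION_ALERTS:
            return (1, "alert " + NEGOTIATION_ALERTS[desc])
        return (0, "alert %d, not classified" % desc)
    if ctype == 22 and len(data) > 5 and data[5] == 2:
        return (0, "ServerHello received, handshake is proceeding")
    return (2, "unexpected record type %d" % ctype)


if __name__ == "__main__":
    for sample in SAMPLES:
        print(classify_reply(sample))
```
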