Correction, axiscpp.conf was for an old app that we retired, not using the file any longer.
I still need the information for what has to change when using SSL API, need to connect at TLSV1.2
-----Original Message-----
From: Steinmetz, Paul
Sent: Friday, June 26, 2015 11:54 AM
To: 'Midrange Systems Technical Discussion'
Subject: RE: SSL client connection error - SSL_Handshake(): Peer not recognized or badly formatted message received.
I think I need to change the axiscpp.conf configuration file properties, but not sure of the specific values.
Table 5. List of axiscpp.conf configuration file properties (continued)

Property: SecureInfo

Description: Used to define SSL information that is to be used by all Web service clients (i.e. you are not setting the SSL information programmatically). The property value contains comma-delimited strings as follows (should be all one line):

SecureInfo:keyRingFile,keyRingPasswordOrStash,keyRingLabel,v2CipherSpec,v3CipherSpec,tlsCipherSpec

where:

keyRingFile
    Full path and filename to the certificate store file to be used for the secure session or SSL environment.
keyRingPassword
    The password for the certificate store file to be used for the secure session or SSL environment.
keyRingLabel
    The certificate label associated with the certificate in the certificate store to be used for the secure session or SSL environment.
v2CipherSpec
    The list of SSL Version 2 ciphers to be used for the secure session or the SSL environment. Specifying NONE for this field will disable SSL Version 2 ciphers. Valid values: 01, 02, 03, 04, 06 or 07.
v3CipherSpec
    The list of SSL Version 3/TLS Version 1 ciphers to be used for the secure session or the SSL environment. Specifying NONE for this field will disable SSL Version 3 ciphers. Valid values: 00, 01, 02, 03, 04, 05, 06, 09, 35, 0A, 2F, or 35.
tlsCipherSpec
    Whether to enable or disable TLS Version 1 ciphers. A value of NONE will disable the ciphers; any other value will enable the ciphers. By default, the TLS Version 1 ciphers are enabled.

For example:

SecureInfo:/sslkeys/myKeyRing.kdb,axis4all,AXIS,NONE,05,NONE

To set the security information programmatically, see the programming considerations chapter for the programming language you are interested in.
-----Original Message-----
From: MIDRANGE-L [mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of Steinmetz, Paul
Sent: Friday, June 26, 2015 11:33 AM
To: 'Midrange Systems Technical Discussion'
Subject: RE: SSL client connection error - SSL_Handshake(): Peer not recognized or badly formatted message received.
Brad
<What are you using to connect/communicate? >
RXS client RXSURI URI('https://xxxxxx-xxx.xxx.net/')
<Can you get the return code?>
Message ID . . . . . . : RXE9991 Severity . . . . . . . : 30
Message type . . . . . : Diagnostic
Date sent . . . . . . : 06/26/15 Time sent . . . . . . : 11:16:39
Message . . . . : Error 35 in CURL_TransmitSSL connect error:
Details . . . . : Error code 35 was returned from program/procedure
CURL_TransmitSSL connect error. The text for the error was ''
Message ID . . . . . . : RXE0050 Severity . . . . . . . : 30
Message type . . . . . : Diagnostic
Date sent . . . . . . : 06/26/15 Time sent . . . . . . : 11:16:39
Message . . . . : Error in RXSURI processing - see job log for details.
Details . . . . : An error occurred during RXSURI processing. Display the
job log for more details.
<Do you know if the GSKit APIs are used or the standard SSL APIs are being used for the connect?>
I'm not sure, but I think this works as an RPG client, which uses Env Var - AXISCPP_DEPLOY '/SSLCERTS/SSLRPGCLIENT'
Browse : /SSLCERTS/SSLRPGCLIENT/etc/axiscpp.conf
Record : 1 of 10 by 18 Column : 1 82 by 131
Control :
....+....1....+....2....+....3....+....4....+....5....+....6....+....7....+....8....+..
************Beginning of data**************
# The comment character is '#'
# Available directives are as follows
#
# ClientWSDDFilePath: The path to the client WSDD
# SecureInfo: The GSKit security information
#
Channel_HTTP_SSL:/QIBM/ProdData/OS/WebServices/V1/client/lib/libhttp_channelssl.so
SecureInfo:/qibm/UserData/ICSS/Cert/Server/DEFAULT.KDB, , ,NONE,05,NONE,false
#
#ClientLogPath:/tmp/axis.log
************End of Data********************
-----Original Message-----
From: MIDRANGE-L [mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of Bradley Stone
Sent: Friday, June 26, 2015 10:10 AM
To: Midrange Systems Technical Discussion
Subject: Re: SSL client connection error - SSL_Handshake(): Peer not recognized or badly formatted message received.
Hi Paul.
What are you using to connect/communicate? Can you get the return code?
Do you know if the GSKit APIs are used or the standard SSL APIs are being used for the connect?
I ran into an issue with a customer on V7R1 that was trying to use V7R1 and up and the SSL APIs weren't really doing things right, so on the SSL Handshake API we had to tell it by sending it the proper code and that cleared things up.
Here's a link to an article I wrote about it.. it refers to GETURI but it would also apply to any client application that uses the SSL APIs. (the GSKit APIs may have a different setting).
http://www.fieldexit.com/forum/display?threadid=170
Brad
www.bvstools.com
On Fri, Jun 26, 2015 at 8:06 AM, Steinmetz, Paul <PSteinmetz@xxxxxxxxxx>
wrote:
I'm receiving this error when trying to connect to a remote server.--
SSL_Handshake(): Peer not recognized or badly formatted message received.
V7R1, TR10, latest CUM 15142 and all groups
I've confirmed DCM has proper CA, both root and intermediate.
Remote server has TLS1.0 disabled, TLS1.2 is currently being used for
other connections to that server.
I'm thinking this is either a SSL protocol issue or cipher issue.
I know when the I is the server, the DCM application defaults need to
be changed to allow TLS1.2 , TLS1.1 and disable SSL 3.0, SSL2.0 Also
cipher defaults need to be changed.
Are there similar settings for when the I is the client?
I've seen other posts with this error, but did not see the final
resolution.
- - - - - - - - - - - - - - - - - - - - - - - C O N N E C T I O N F E E D B A C K -
About to connect() to XXXXXX-web.XXX.net port 443 (#0)
Trying XXX.XXX.XXX.X... connected
SSL_Handshake(): Peer not recognized or badly formatted message received.
Closing connection #0
SSL connect error
************End of Data********************
Thank You
_____
Paul Steinmetz
IBM i Systems Administrator
Pencor Services, Inc.
462 Delaware Ave
Palmerton Pa 18071
610-826-9117 work
610-826-9188 fax
610-349-0913 cell
610-377-6012 home
psteinmetz@xxxxxxxxxx
http://www.pencor.com/
--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing
list To post a message email: MIDRANGE-L@xxxxxxxxxxxx To subscribe,
unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx Before posting, please take
a moment to review the archives at
http://archive.midrange.com/midrange-l.
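
Added example, not part of the thread or of IBM's documentation: a small check that splits an axiscpp.conf SecureInfo value into the six fields described in the quoted table and reports which cipher families it enables or disables. The function names are hypothetical, and treating a cipher list as a run of two-character codes is an assumption.

```python
# Added example (not from the thread or IBM's documentation).
FIELDS = ["keyRingFile", "keyRingPasswordOrStash", "keyRingLabel",
          "v2CipherSpec", "v3CipherSpec", "tlsCipherSpec"]
# Valid codes as listed in the table quoted in the thread.
VALID = {"v2CipherSpec": {"01", "02", "03", "04", "06", "07"},
         "v3CipherSpec": {"00", "01", "02", "03", "04", "05", "06",
                          "09", "0A", "2F", "35"}}


def split_codes(spec):
    # Assumption: a cipher list is a run of two-character codes, e.g. "052F".
    return [spec[i:i + 2].upper() for i in range(0, len(spec), 2)]


def audit_secure_info(line):
    """Parse one 'SecureInfo:...' line; return (settings, findings)."""
    name, _, value = line.strip().partition(":")
    if name != "SecureInfo":
        raise ValueError("not a SecureInfo property")
    parts = [p.strip() for p in value.split(",")]
    findings = []
    if len(parts) > len(FIELDS):
        findings.append("extra field(s) beyond the quoted table: %r"
                        % parts[len(FIELDS):])
    if len(parts) < len(FIELDS):
        findings.append("only %d of %d fields present" % (len(parts), len(FIELDS)))
        parts += [""] * (len(FIELDS) - len(parts))
    cfg = dict(zip(FIELDS, parts))
    for field, valid in VALID.items():
        spec = cfg[field]
        if spec.upper() == "NONE":
            continue  # NONE disables this cipher family
        bad = [c for c in split_codes(spec) if c not in valid]
        if not spec:
            findings.append("%s is empty" % field)
        elif bad:
            findings.append("%s has codes outside the valid list: %r" % (field, bad))
        else:
            findings.append("%s enables ciphers %r" % (field, split_codes(spec)))
    if cfg["tlsCipherSpec"].upper() == "NONE":
        findings.append("tlsCipherSpec is NONE: TLS Version 1 ciphers disabled")
    return cfg, findings


if __name__ == "__main__":
    # The two SecureInfo lines that appear in the thread.
    for sample in ("SecureInfo:/sslkeys/myKeyRing.kdb,axis4all,AXIS,NONE,05,NONE",
                   "SecureInfo:/qibm/UserData/ICSS/Cert/Server/DEFAULT.KDB, , ,NONE,05,NONE,false"):
        print(audit_secure_info(sample)[1])
```

Both SecureInfo lines shown in the thread set tlsCipherSpec to NONE, and the second carries a seventh value that the quoted table does not describe.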
This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].