Question & Answer
Question
Attempts to use FTP to certain servers fail with the following messages:
EZA1701I >>> AUTH TLS
234 AUTH TLS successful
EZA2897I Authentication negotiation failed
EZA2898I Unable to successfully negotiate required authentication
EZA1735I Std Return Code = 10234, Error Code = 00017
With tracing enabled, the following message is also generated:
FCxxxx authServer: secure_socket_init failed with rc = 410 (SSL message format is incorrect)
Connections to other servers using SSL are successful.
Answer
Collecting a System SSL trace also shows the following:
Thd-0 INFO send_v3_client_hello(): Sent V3 CLIENT-HELLO message
Thd-0 INFO gsk_write_v3_record(): Calling write routine for xx bytes
Thd-0 INFO gsk_write_v3_record(): xx bytes written
Thd-0 INFO gsk_read_v3_record(): Calling read routine for 5 bytes
Thd-0 INFO gsk_read_v3_record(): 5 bytes received
Thd-0 INFO gsk_read_v3_record(): Calling read routine for xx bytes
Thd-0 INFO gsk_read_v3_record(): xx bytes received
Thd-0 INFO read_v3_server_hello(): Received SERVER-HELLO message
Thd-0 INFO read_v3_server_hello(): Creating new session for connection with aa.bb.cc.dd[21]
Thd-0 INFO read_v3_server_hello(): Session identifier ....
Thd-0 INFO read_v3_server_hello(): Using TLSV1 protocol
...
Thd-0 INFO gsk_read_v3_record(): Calling read routine for 5 bytes
Thd-0 INFO gsk_read_v3_record(): 5 bytes received
Thd-0 INFO gsk_read_v3_record(): Calling read routine for 14 bytes
Thd-0 INFO gsk_read_v3_record(): 14 bytes received
Thd-0 INFO read_v3_certificate_request(): Received CERTIFICATE-REQUEST message
Thd-0 ASCII read_v3_certificate_request(): CERTIFICATE-REQUEST message
00000000: 0d000006 03010240 0000 *.......@.. *
Thd-0 ERROR read_v3_certificate_request(): CA names omitted
Thd-0 ERROR send_v3_alert(): Sent SSL V3 alert 47 to aa.bb.cc.dd[21]
Thd-0 INFO gsk_write_v3_record(): Calling write routine for 7 bytes
Thd-0 INFO gsk_write_v3_record(): 7 bytes written
Thd-0 ERROR gsk_secure_socket_init(): SSL V3 client handshake failed with aa.bb.cc.dd[21]
The key points in this exchange are that the TLSv1 (TLS 1.0) protocol is in use, the server sends a Certificate Request message (a request for a client certificate, which the client may still decline to provide), and that message carries an empty list of acceptable Certificate Authority names. Decoding the dumped bytes: 0d is the CertificateRequest handshake type, 000006 the message length, 03 the number of certificate types followed by 01 (rsa_sign), 02 (dss_sign) and 40 (ecdsa_sign), and the final 0000 is the length of the certificate_authorities list, that is, zero entries. RFC 2246 (TLS 1.0) defines that list as certificate_authorities<3..2^16-1>, so at least one name is required, and System SSL on z/OS enforces that requirement strictly: it rejects the message as malformed, sends SSL alert 47 (illegal_parameter) and fails the handshake, which the FTP client reports as secure_socket_init return code 410 (SSL message format is incorrect). The failure is caused by the format of the server's request, not by the absence of a client certificate on the z/OS side.
The solution is to either:
Contact the administrator of the server system and have the server configured not to request a client certificate, or have them contact the server software vendor for an update that sends a well-formed Certificate Request (one that includes the CA name list).
OR, update the local client to negotiate a later TLS protocol version. TLS 1.1 (RFC 4346) and TLS 1.2 (RFC 5246) define the list as certificate_authorities<0..2^16-1>, so an empty CA list is valid there and System SSL accepts it. The z/OS FTP client does not support protocol versions above TLSv1 in its native SSL mode (TLSMECHANISM FTP in FTP.DATA), so these connections must be moved to an AT-TLS policy (TLSMECHANISM ATTLS in FTP.DATA) with TLSv1.1 or TLSv1.2 enabled and TLSv1 disabled; leaving TLSv1 enabled would let a server that prefers it select the very version whose handshake fails. The server must of course support TLS 1.1 or TLS 1.2 as well.
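One way to put the second option into practice, as an added illustration that is not part of the original document: an FTP.DATA statement for the client plus an AT-TLS policy fragment for the Policy Agent that takes outbound control connections to port 21 through AT-TLS with TLSv1 turned off. The rule, action and keyring names (FTPClientRule, FTPClientGroup, FTPClientEnv, FTPCLIENTRING) are placeholders to be replaced with the installation's own, the keyring must hold the CA certificates needed to validate the server, and the parameter set should be checked against the IP Configuration Reference for the installed z/OS release.

```text
# FTP.DATA (client): let AT-TLS perform the TLS handshake instead of the
# FTP client's native System SSL calls
TLSMECHANISM ATTLS

# Policy Agent AT-TLS policy fragment
TTLSRule                     FTPClientRule
{
  RemotePortRange            21
  Direction                  Outbound
  TTLSGroupActionRef         FTPClientGroup
  TTLSEnvironmentActionRef   FTPClientEnv
}
TTLSGroupAction              FTPClientGroup
{
  TTLSEnabled                On
}
TTLSEnvironmentAction        FTPClientEnv
{
  HandshakeRole              Client
  TTLSKeyringParms
  {
    Keyring                  FTPCLIENTRING
  }
  TTLSEnvironmentAdvancedParms
  {
    ApplicationControlled    On     # FTP starts TLS itself after AUTH TLS
    SecondaryMap             On     # protect the data connections as well
    SSLv2                    Off
    SSLv3                    Off
    TLSv1                    Off    # the version that requires the CA list
    TLSv1.1                  On
    TLSv1.2                  On
  }
}
```

With TLSv1 off, the client's ClientHello offers only TLSv1.1 and TLSv1.2, so the server either negotiates one of those (where its empty CA list is legal) or the connection fails before the Certificate Request is ever sent, which is easier to diagnose than the alert 47 path.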
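The decoding above, carried out in code, as an added example that is not part of the original IBM document: a small decoder for the CertificateRequest handshake message that applies the certificate_authorities rule of TLS 1.0 (at least one name) versus TLS 1.1 and 1.2 (empty list allowed), and so reproduces the verdict System SSL reached on the traced message. The first ten bytes of the constructed record are the hex dump from the trace; the trailing four bytes (a ServerHelloDone, 0e 00 00 00) are an assumption that accounts for the 14-byte record the trace reads but does not dump. The DER helper, the builder function and the name "TestCA" are constructed for the example only.

```python
"""Decode TLS CertificateRequest messages and apply the certificate_authorities
rule that differs between TLS 1.0 (RFC 2246) and TLS 1.1/1.2 (RFC 4346/5246)."""

TLS1_0, TLS1_1, TLS1_2 = (3, 1), (3, 2), (3, 3)
HS_CERTIFICATE_REQUEST = 0x0D
HS_SERVER_HELLO_DONE = 0x0E
ALERT_ILLEGAL_PARAMETER = 47
# ClientCertificateType values (RFC 2246/4346/5246, ecdsa_sign from RFC 4492)
CLIENT_CERT_TYPES = {1: "rsa_sign", 2: "dss_sign", 3: "rsa_fixed_dh",
                     4: "dss_fixed_dh", 64: "ecdsa_sign"}

# Constructed input: the 10 bytes dumped in the System SSL trace, followed by a
# ServerHelloDone (assumption) to make up the 14-byte record the trace reads.
TRACED_RECORD = bytes.fromhex("0d000006 03010240 0000" "0e000000")


def split_handshake_messages(payload: bytes):
    """Split a handshake-record payload into (msg_type, body) tuples."""
    out, pos = [], 0
    while pos < len(payload):
        if len(payload) - pos < 4:
            raise ValueError("truncated handshake header")
        msg_type = payload[pos]
        length = int.from_bytes(payload[pos + 1:pos + 4], "big")
        body = payload[pos + 4:pos + 4 + length]
        if len(body) != length:
            raise ValueError("handshake length runs past end of record")
        out.append((msg_type, body))
        pos += 4 + length
    return out


def _u16(buf, pos):
    if pos + 2 > len(buf):
        raise ValueError("truncated length field")
    return int.from_bytes(buf[pos:pos + 2], "big"), pos + 2


def parse_certificate_request(body: bytes, version=TLS1_0):
    """Decode a CertificateRequest body for the given (major, minor) protocol
    version and return the fields plus the accept/reject verdict."""
    if not body:
        raise ValueError("empty CertificateRequest body")
    ntypes, pos = body[0], 1
    cert_types = [CLIENT_CERT_TYPES.get(t, f"unknown({t})")
                  for t in body[pos:pos + ntypes]]
    pos += ntypes
    if len(cert_types) != ntypes:
        raise ValueError("truncated certificate_types")
    if version >= TLS1_2:
        # TLS 1.2 inserts supported_signature_algorithms here; skip it.
        sig_len, pos = _u16(body, pos)
        pos += sig_len
    ca_len, pos = _u16(body, pos)
    ca_blob, pos = body[pos:pos + ca_len], pos + ca_len
    if len(ca_blob) != ca_len or pos != len(body):
        raise ValueError("bad certificate_authorities length")
    ca_names, i = [], 0
    while i < len(ca_blob):
        dn_len, i = _u16(ca_blob, i)
        dn, i = ca_blob[i:i + dn_len], i + dn_len
        if dn_len == 0 or len(dn) != dn_len:
            raise ValueError("malformed DistinguishedName entry")
        ca_names.append(dn)
    # TLS 1.0 declares certificate_authorities<3..2^16-1> (at least one name);
    # TLS 1.1 and 1.2 relax it to <0..2^16-1>, so an empty list is legal there.
    ok = bool(ca_names) or version >= TLS1_1
    return {"cert_types": cert_types, "ca_names": ca_names, "ok": ok,
            "alert": None if ok else ALERT_ILLEGAL_PARAMETER}


def der_cn(name: str) -> bytes:
    """Minimal DER for an X.501 Name with a single CN (short names only);
    a helper for building a well-formed sample, not a general encoder."""
    atv = b"\x06\x03\x55\x04\x03\x0c" + bytes([len(name)]) + name.encode()
    atv = b"\x30" + bytes([len(atv)]) + atv
    rdn = b"\x31" + bytes([len(atv)]) + atv
    return b"\x30" + bytes([len(rdn)]) + rdn


def build_certificate_request(cert_types, ca_names):
    """Encode a TLS 1.0/1.1 CertificateRequest message, header included."""
    ca_list = b"".join(len(dn).to_bytes(2, "big") + dn for dn in ca_names)
    body = (bytes([len(cert_types)]) + bytes(cert_types)
            + len(ca_list).to_bytes(2, "big") + ca_list)
    return bytes([HS_CERTIFICATE_REQUEST]) + len(body).to_bytes(3, "big") + body


def check_traced_record(version=TLS1_0):
    """Judge the traced record the way the client would for the negotiated version."""
    for msg_type, body in split_handshake_messages(TRACED_RECORD):
        if msg_type == HS_CERTIFICATE_REQUEST:
            return parse_certificate_request(body, version)
    raise ValueError("no CertificateRequest in record")


if __name__ == "__main__":
    for ver, label in ((TLS1_0, "TLSv1"), (TLS1_1, "TLSv1.1")):
        r = check_traced_record(ver)
        print(label, r["cert_types"], "CA names:", len(r["ca_names"]),
              "accept" if r["ok"] else f"reject, alert {r['alert']}")
    good = build_certificate_request([1, 64], [der_cn("TestCA")])
    print("well-formed under TLSv1:", parse_certificate_request(good[4:], TLS1_0)["ok"])
```

Run as a script it prints the reject verdict with alert 47 for TLSv1 and the accept verdict for TLSv1.1 on the same bytes, which is exactly the difference the second fix relies on; the well-formed sample shows what the server would have had to send for TLSv1 to succeed.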
Product Synonym
ZOSCS COMMSERVER
Document Information
Modified date:
09 May 2018
UID
dwa1446857