Extra! X-treme 9.5 - TN5250 Connection error - Status-Audit Log - TLSStartSecurity returned error 9702 SSL/TLS handshake failed

After iSeries as400 operating system upgrade from to V7R4, we get TN5250 Connection error.

Status-Audit Log shows:

TLSStartSecurity returned error 9702 SSL/TLS handshake failed.

Secure connection was requested but not granted by server nnn.nnn.nnn.nnn on port 992.

Socket failed to connect.

Last socket error =0. No error.

Connect error, socket error 126

-----------------------------------------

Our security type is set to TLS v1.2 both before and after the iSeries as400 operating system upgrade.

  • We found the issue but do not know whether there is a fix in the Extra! X-treme software.

    The iSeries as400 telnet server joblog shows that the SSL/TLSv1.2 handshake fails because the Extra! X-treme 9.5 client does not support the cyphers available on the v7r4 operating system.

    Does anyone know whether Extra! X-treme 9.6 or 9.7 supports the cypher suites on the v7r4 operating system:

    *ECDHE_RSA_CHACHA20_POLY1305_SHA256
    *ECDHE_ECDSA_CHACHA20_POLY1305_SHA256
    *CHACHA20_POLY1305_SHA256
    *AES_256_GCM_SHA384
    *AES_128_GCM_SHA256
    *ECDHE_RSA_AES_256_GCM_SHA384
    *ECDHE_RSA_AES_128_GCM_SHA256
    *ECDHE_ECDSA_AES_256_GCM_SHA384
    *ECDHE_ECDSA_AES_128_GCM_SHA256
    *ECDHE_RSA_AES_256_CBC_SHA384
    *ECDHE_RSA_AES_128_CBC_SHA256
    *ECDHE_ECDSA_AES_256_CBC_SHA384
    *ECDHE_ECDSA_AES_128_CBC_SHA256
    *ECDHE_RSA_3DES_EDE_CBC_SHA
    *ECDHE_RSA_RC4_128_SHA
    *ECDHE_ECDSA_3DES_EDE_CBC_SHA
    *ECDHE_ECDSA_RC4_128_SHA
    *RSA_AES_256_GCM_SHA384
    *RSA_AES_128_GCM_SHA256
    *RSA_AES_256_CBC_SHA256
    *RSA_AES_128_CBC_SHA256
    *RSA_AES_256_CBC_SHA
    *RSA_AES_128_CBC_SHA
    *RSA_3DES_EDE_CBC_SHA
    *RSA_RC4_128_SHA

    In the SSL/TLSv1.2 session negotiation, the iSeries as400 doesn’t present its digital certificate to the client until the TLS protocol and cyphers have been agreed.
    That would explain why the client doesn’t have a digital certificate from the server.

  • Verified Answer

    Hi Alvin,

    If you upgrade to Extra! 9.7 you will find many of the same ciphers from your list above including:

    TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
    TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
    TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
    TLS_DHE_DSS_WITH_AES_256_GCM_SHA384
    TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
    TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
    TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
    TLS_DHE_RSA_WITH_AES_256_CBC_SHA
    TLS_DHE_DSS_WITH_AES_256_CBC_SHA
    TLS_RSA_WITH_AES_256_GCM_SHA384
    TLS_RSA_WITH_AES_256_CBC_SHA256
    TLS_RSA_WITH_AES_256_CBC_SHA
    TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
    TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
    TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
    TLS_DHE_DSS_WITH_AES_128_GCM_SHA256
    TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
    TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
    TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
    TLS_DHE_RSA_WITH_AES_128_CBC_SHA
    TLS_DHE_DSS_WITH_AES_128_CBC_SHA
    TLS_RSA_WITH_AES_128_GCM_SHA256
    TLS_RSA_WITH_AES_128_CBC_SHA256
    TLS_RSA_WITH_AES_128_CBC_SHA
    TLS_ECDHE_RSA_WITH_RC4_128_SHA
    TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
    TLS_RSA_WITH_RC4_128_SHA
    TLS_RSA_WITH_RC4_128_MD5
    TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
    TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
    TLS_RSA_WITH_3DES_EDE_CBC_SHA
    TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
    TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA

    This will likely solve your connection issue.  As far as the second question about password level 3, I don't believe the emulation software should be affected by this change.

    Regards,

    Jeff B
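
The comparison discussed in this thread, as an added example that is not part of either post: it maps the IBM i style names (`*ECDHE_RSA_AES_...`) to the `TLS_..._WITH_...` form and lists the suites both sides share, in server order. The name mapping is an assumption inferred from the two lists above, the inputs are excerpts of those lists, and `CLIENT_NO_MATCH` is constructed.

```python
# Added example: compare an IBM i cipher list with a client's IANA-named list.
KEX_PREFIXES = ("ECDHE_ECDSA", "ECDHE_RSA", "DHE_RSA", "DHE_DSS", "RSA")
WEAK_MARKERS = ("RC4", "3DES", "MD5")  # deprecated algorithms to flag

def to_iana(ibm_name):
    """Map an IBM i style name (*ECDHE_RSA_AES_...) to the TLS_..._WITH_... form.
    Assumption: the two schemes differ only by the '*' / 'TLS_' prefix and the
    '_WITH_' separator that follows the key-exchange part."""
    name = ibm_name.strip().lstrip("*")
    for kex in KEX_PREFIXES:
        if name.startswith(kex + "_"):
            return "TLS_%s_WITH_%s" % (kex, name[len(kex) + 1:])
    return "TLS_" + name  # TLS 1.3 style suite: no key-exchange part in the name

def common_suites(server_ibm, client_iana):
    """Return the shared suites in server order, each tagged weak or not."""
    offered = {c.strip() for c in client_iana}
    shared = [to_iana(s) for s in server_ibm if to_iana(s) in offered]
    return [(s, any(m in s for m in WEAK_MARKERS)) for s in shared]

# Excerpts of the two lists quoted in this thread.
SERVER_V7R4 = ["*ECDHE_RSA_CHACHA20_POLY1305_SHA256", "*AES_256_GCM_SHA384",
               "*ECDHE_RSA_AES_256_GCM_SHA384", "*ECDHE_ECDSA_AES_128_CBC_SHA256",
               "*RSA_AES_128_CBC_SHA", "*RSA_3DES_EDE_CBC_SHA", "*RSA_RC4_128_SHA"]
CLIENT_97 = ["TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
             "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
             "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
             "TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_RC4_128_SHA",
             "TLS_RSA_WITH_RC4_128_MD5", "TLS_RSA_WITH_3DES_EDE_CBC_SHA"]
# Constructed client list that shares nothing with the server excerpt.
CLIENT_NO_MATCH = ["TLS_RSA_WITH_RC4_128_MD5", "TLS_DHE_DSS_WITH_AES_128_CBC_SHA"]

if __name__ == "__main__":
    cases = (("9.7 excerpt", CLIENT_97), ("constructed", CLIENT_NO_MATCH))
    for label, client in cases:
        shared = common_suites(SERVER_V7R4, client)
        print(label, "->", len(shared), "shared suite(s)")
        for suite, weak in shared:
            print("   ", suite, "(weak: RC4/3DES/MD5)" if weak else "")
        if not shared:
            print("    no common suite: the handshake cannot complete")
```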
