Extra! X-treme 9.5 - TN5250 Connection error - Status-Audit Log - TLSStartSecurity returned error 9702 SSL/TLS handshake failed

After iSeries as400 operating system upgrade from to V7R4, we get TN5250 Connection error.

Status-Audit Log shows:

TLSStartSecurity returned error 9702 SSL/TLS handshake failed.

Secure connection was requested but not granted by server nnn.nnn.nnn.nnn on port 992.

Socket failed to connect.

Last socket error =0. No error.

Connect error, socket error 126

-----------------------------------------

Our secuirty type is set to TLS v1.2 both before and after the iSeries as400 operating system upgradePDF.

Tags:

Labels:

Mainframe Access
Parents
  • We found the issue but do not know whether there is fix on Extra! X-treme software.

    The iSeries as400 telnet server joblog shows SSL/TLSv1.2 handshake fails because Extra! X-treme 9.5 client does not support available cyphers on v7r4 operating system.

    Does anyone know whether Extra! X-treme 9.6 or 9.7 support cypher suites on v7r4 operating system:

    *ECDHE_RSA_CHACHA20_POLY1305_SHA256
    *ECDHE_ECDSA_CHACHA20_POLY1305_SHA256
    *CHACHA20_POLY1305_SHA256
    *AES_256_GCM_SHA384
    *AES_128_GCM_SHA256
    *ECDHE_RSA_AES_256_GCM_SHA384
    *ECDHE_RSA_AES_128_GCM_SHA256
    *ECDHE_ECDSA_AES_256_GCM_SHA384
    *ECDHE_ECDSA_AES_128_GCM_SHA256
    *ECDHE_RSA_AES_256_CBC_SHA384
    *ECDHE_RSA_AES_128_CBC_SHA256
    *ECDHE_ECDSA_AES_256_CBC_SHA384
    *ECDHE_ECDSA_AES_128_CBC_SHA256
    *ECDHE_RSA_3DES_EDE_CBC_SHA
    *ECDHE_RSA_RC4_128_SHA
    *ECDHE_ECDSA_3DES_EDE_CBC_SHA
    *ECDHE_ECDSA_RC4_128_SHA
    *RSA_AES_256_GCM_SHA384
    *RSA_AES_128_GCM_SHA256
    *RSA_AES_256_CBC_SHA256
    *RSA_AES_128_CBC_SHA256
    *RSA_AES_256_CBC_SHA
    *RSA_AES_128_CBC_SHA
    *RSA_3DES_EDE_CBC_SHA
    *RSA_RC4_128_SHA

    In the SSL/TLSv1.2 session negotiation, the iSeries as400 doesn’t present its digital certificate to the client until the TLS protocol and cyphers have been agreed.
    That would explain why the client doesn’t have a digital certificate from the server.

  • Verified Answer

    Hi Alvin,

    If you upgrade to Extra! 9.7 you will find many of the same ciphers from your list above including:

    TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
    TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
    TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
    TLS_DHE_DSS_WITH_AES_256_GCM_SHA384
    TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
    TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
    TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
    TLS_DHE_RSA_WITH_AES_256_CBC_SHA
    TLS_DHE_DSS_WITH_AES_256_CBC_SHA
    TLS_RSA_WITH_AES_256_GCM_SHA384
    TLS_RSA_WITH_AES_256_CBC_SHA256
    TLS_RSA_WITH_AES_256_CBC_SHA
    TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
    TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
    TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
    TLS_DHE_DSS_WITH_AES_128_GCM_SHA256
    TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
    TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
    TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
    TLS_DHE_RSA_WITH_AES_128_CBC_SHA
    TLS_DHE_DSS_WITH_AES_128_CBC_SHA
    TLS_RSA_WITH_AES_128_GCM_SHA256
    TLS_RSA_WITH_AES_128_CBC_SHA256
    TLS_RSA_WITH_AES_128_CBC_SHA
    TLS_ECDHE_RSA_WITH_RC4_128_SHA
    TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
    TLS_RSA_WITH_RC4_128_SHA
    TLS_RSA_WITH_RC4_128_MD5
    TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
    TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
    TLS_RSA_WITH_3DES_EDE_CBC_SHA
    TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
    TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA

    This will likely solve your connection issue.  As far as the second question about password level 3, I don't believe the emulation software should be affected by this change.

    Regards,

    Jeff B

  • Thank you Jeff.

    We found Extra 9.6 supported the required ciphers for connection to iSeries as400 v7r4 operating system.

  • Thanks Alvin.  I had to create a new environment to confirm the ciphers in Extra! 9.6 and it looks like you got to it before me.  Thanks for the confirmation.

    Jeff B

  • Welcome.

    BTW, our vendor that hosts the iSeries as400 still claims:

    - no changes in available support on ciphers when upgrading the iSeries as400 operating system from v7r3 to v7r4

    - therefore concluding that the ciphers available had no part in the issue

    - and the TN5250 connection failure is entirely attributed to Extra! X-treme 9.5 good for v7r3 but not being supported on v7r4

    - suggesting that upgrading to Extra! X-treme 9.6 version was the resolution to this issue.

    i do realise this problem distinction is moot since we have already resolved the issue

    but the iSeries as400 vendor claims they were correct in their decision not alerting us on checking ciphers supported on third party software we use, like Extra! X-treme 9.5 is defective or not supported on v7r4 operating system.

    It would be good if you could provide us the list of ciphers supported on Extra! X-treme 9.5 for us to compare to the list you had provided on this discussion, the list of ciphers supported on Extra! X-treme 9.6 version.

    Thank you Jeff.

Reply
  • Welcome.

    BTW, our vendor that hosts the iSeries as400 still claims:

    - no changes in available support on ciphers when upgrading the iSeries as400 operating system from v7r3 to v7r4

    - therefore concluding that the ciphers available had no part in the issue

    - and the TN5250 connection failure is entirely attributed to Extra! X-treme 9.5 good for v7r3 but not being supported on v7r4

    - suggesting that upgrading to Extra! X-treme 9.6 version was the resolution to this issue.

    i do realise this problem distinction is moot since we have already resolved the issue

    but the iSeries as400 vendor claims they were correct in their decision not alerting us on checking ciphers supported on third party software we use, like Extra! X-treme 9.5 is defective or not supported on v7r4 operating system.

    It would be good if you could provide us the list of ciphers supported on Extra! X-treme 9.5 for us to compare to the list you had provided on this discussion, the list of ciphers supported on Extra! X-treme 9.6 version.

    Thank you Jeff.

Children
  • Suggested Answer

    Thanks for the further information, Alvin.  Having a look at the IBM documentation for 

    7.3 Cipher suite configuration - IBM Documentation

    Compared to 

    7.4 Cipher suite configuration - IBM Documentation

    I note that there is a difference between the "Default Cipher Suites" in the two versions:

    7.3 Docs

    The cipher suites included in the shipped eligible default cipher suite list with TCP/IP PTF group level 5 installed are as follows:

    • *AES_128_GCM_SHA256
    • *AES_256_GCM_SHA384
    • *CHACHA20_POLY1305_SHA256
    • *ECDHE_ECDSA_AES_128_GCM_SHA256
    • *ECDHE_ECDSA_AES_256_GCM_SHA384
    • *ECDHE_RSA_AES_128_GCM_SHA256
    • *ECDHE_RSA_AES_256_GCM_SHA384
    • *ECDHE_ECDSA_CHACHA20_POLY1305_SHA256
    • *ECDHE_RSA_CHACHA20_POLY1305_SHA256
    • *RSA_AES_128_GCM_SHA256
    • *RSA_AES_256_GCM_SHA384
    • *ECDHE_ECDSA_AES_128_CBC_SHA256
    • *ECDHE_ECDSA_AES_256_CBC_SHA384
    • *ECDHE_RSA_AES_128_CBC_SHA256
    • *ECDHE_RSA_AES_256_CBC_SHA384
    • *RSA_AES_128_CBC_SHA256
    • *RSA_AES_128_CBC_SHA
    • *RSA_AES_256_CBC_SHA256
    • *RSA_AES_256_CBC_SHA

    7.4 Docs

    The cipher suites included in the shipped eligible default cipher suite list with the latest PTF CUM package installed are as follows:

    • *AES_128_GCM_SHA256
    • *AES_256_GCM_SHA384
    • *CHACHA20_POLY1305_SHA256
    • *ECDHE_ECDSA_AES_128_GCM_SHA256
    • *ECDHE_ECDSA_AES_256_GCM_SHA384
    • *ECDHE_RSA_AES_128_GCM_SHA256
    • *ECDHE_RSA_AES_256_GCM_SHA384
    • *ECDHE_ECDSA_CHACHA20_POLY1305_SHA256 
    • *ECDHE_RSA_CHACHA20_POLY1305_SHA256 

    There is a good chance that one of the highlighted ciphers above in 7.3 were acceptable in Extra! 9.5, but they are not included in the 7.4 version.  As you said, Extra! 9.6 or greater resolves this issue, but the emulation is generally not dependent on the OS version on the host except in the case of security which is always moving forward.

    Regards,

    Jeff B

  • Thank you Jeff.

    Agree with you that the emulation is generally not dependant on the  OS except in the case of security. And i don't think this is a case of security.

    Is it possible for me to get a list of ciphers supported on Extra 9.5 and 9.6 on the Microfocus website?