Stuck GSKit Error 402


  • Stuck GSKit Error 402

    I wondered if someone knew what causes the following error:

    Code:
    20/12/2019 11:42:34:702   00000607  transport  X TCPChannel::doSSLHandshake(): Line=958: File=/build/axiscpp/src/ws-axis/c/src/transport/TCPChannel/TCPChannel.cpp:
    HTTPTransportException - SERVER_TRANSPORT_SOCKET_CONNECT_ERROR: Failed to open connection to server, the operation gsk_secure_soc_init() failed.
    GSKit Error is 402 - No compatible cipher suite available between SSL end points.
    I've gone through here https://www.ibm.com/support/pages/co...-cipher-suites and checked that there are ciphers enabled which match ones enabled in the receiving website:

    System Values:

    QSSLPCL

    Protocols
    *TLSV1.2
    *TLSV1.1

    QSSLCSL

    Sequence number   Cipher Suite
    0
    10                *RSA_AES_256_CBC_SHA256
    20                *RSA_AES_128_CBC_SHA256
    30                *ECDHE_RSA_AES_256_GCM_SHA384
    40                *ECDHE_RSA_AES_128_GCM_SHA256

    QSSLCSLCTL

    *USRDFN

    I've checked a number of sites, but can't really see an answer to why this is happening.

    Similar code works fine with a different site which has the RSA cipher enabled.

    I've attached logs and RPG code that is used to send the API request.

  • #2
    Any ideas on this?


    • #3
      You appear to understand the error sufficiently well... it is trying to establish an SSL connection, but isn't able to because it can't negotiate ciphers.

      As to why it is happening in this particular instance, I don't know. I'd suggest troubleshooting this by using the openssl command-line tool to see which protocols and ciphers it negotiates, and then enabling the same thing in your program.

      Also, be sure you're running a current version of IBM i. Older versions (7.1 and earlier) do not support current SSL standards.


      • #4
        Thanks Scott,

        Just tried OpenSSL from QSH (installed via open source package management); the cipher which was selected was ECDHE-RSA-AES128-GCM-SHA256, which is one that is enabled on the system variables.

        We are running v7.3 so should have all of the relevant SSL stuff in place.

        Is there a way to debug GSKit, enable extra logging, or invoke it manually?

        Also I noticed that when I'm setting AXISC_PROPERTY_HTTP_SSL, I am turning off everything except for TLS V1.2.

        In the log it says:
        20/12/2019 11:42:34:184 00000607 transport D TCPChannel::createGSKitEnvironment(): Enabled SSLV2
        20/12/2019 11:42:34:184 00000607 transport D TCPChannel::createGSKitEnvironment(): Enabled SSLV3
        20/12/2019 11:42:34:184 00000607 transport D TCPChannel::createGSKitEnvironment(): Enabled TLSV1
        20/12/2019 11:42:34:184 00000607 transport D TCPChannel::createGSKitEnvironment(): Enabled TLSV11
        20/12/2019 11:42:34:184 00000607 transport D TCPChannel::createGSKitEnvironment(): Enabled TLSV12

        Does my call to axiscTransportSetProperty look ok?

        (also thanks for your YAJLINTO program!)


        • #5
          Honestly, I'm no expert on the AXISC routines... I've never seen anyone use them aside from me writing an example or two. Most RPGers prefer either HTTPAPI or the SSL HTTP functions.

          Here are some things I noticed:

          1. The docs say that the SSLv2, SSLv3, etc. ciphers should be set to NONE to disable them. You are setting them to 'None' instead of 'NONE'. I don't know if that matters, but worth a try to make it all caps like the docs say.

          2. You allocate memory (not sure why you don't just use a variable?) for some of the options but you never deallocate it. So this would be a memory leak -- if run enough times, you could run out of memory. (But, that doesn't explain the problems you're having.)

          You could call GSKit manually instead of doing it via AXISC if you wanted to. They are normal system APIs documented here:
          https://www.ibm.com/support/knowledg...pis/unix9a.htm

          I don't know of any way to get extra logging.

          You could try doing this with HTTPAPI and see if that works any better. (It also uses GSKit, so you might get the same error?) It is open source and free (and quite a bit easier to use than AXISC) available here:
          http://www.scottklement.com/httpapi/


          • #6
            Thanks again,

            1) Changing to NONE worked thanks, I'm not sure how I missed that! Didn't fix my main problem tho!

            2) The allocation oddness was to try to solve the Ciphers not being turned off... I think I had been looking at it for too long, and couldn't see the wood for the trees!

            I'll give your HTTPAPI a go...


            • #7
              Just to update,

              HTTPAPI works fine with the site.

              Given that both HTTPAPI and AXISC are using GSKit it makes me think there may be an issue with the AXISC APIs (or I'm using them incorrectly!)... I guess I should raise this with IBM!?


              • #8
                Another update

                IBM got back to me and advised me to set the SNI field as they have seen this issue with AWS applications before. This immediately solved the GSKit 402 issue.
