


IBM has released two PTFs to resolve SSL client issues, MF60335, SI57332

http://www-01.ibm.com/support/docview.wss?uid=nas35a3400efeeb413d086257e7e007eb665
http://www-01.ibm.com/support/docview.wss?uid=nas24e5145dca463e43586257e6f003c6da7

http://www-912.ibm.com/a_dir/as4ptf.nsf/b3cb9d42f672b70f86256739004afa0f/9d8f3c581309ec3886257e7e007eb678?OpenDocument
http://www-01.ibm.com/support/docview.wss?uid=nas22105ec3f6fa1476986257e74003c6ed6

Applied to R&D, issue resolved.

Make sure you run the special instructions SST Advanced Analysis SSLCONFIG MACRO. !!!!!!
1. Open a character-based interface.
2. On the command line, type STRSST.
3. Type your service tools user name and password.
4. Select option 1 (Start a service tool).
5. Select option 4 (Display/Alter/Dump).
6. Select option 1 (Display/Alter storage).
7. Select option 2 (Licensed Internal Code (LIC) data).
8. Select option 14 (Advanced analysis).
9. Select option 1 (SSLCONFIG).
10. Enter -h
-eligibleDefaultProtocols:10,08,04 or as needed.

If your iSeries is a client, get these two PTFs installed ASAP.

Note:!!!!!!
Not only was my SSL client connection issue resolved, but other apps previously connecting at TLSv1 are now connecting at TLSv1.2 or TLSv1.1.
Also, another app previously connecting TLSv1.0 using RC4 weak cipher now connecting at TLSv1.2 with TLS_RSA_WITH_AES_128_CBC_SHA2

Good job IBM.
Quick turnaround.

Paul
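
An added example, not part of the original post or of IBM's instructions: one way to tell a protocol mismatch from a cipher mismatch, the two causes suspected in this thread, is to look at the first TLS record the server returns in a packet capture of the handshake. The byte strings below are constructed samples, and the function names are illustrative.

```python
import struct

VERSIONS = {0x0300: "SSLv3", 0x0301: "TLSv1.0", 0x0302: "TLSv1.1", 0x0303: "TLSv1.2"}
ALERTS = {40: "handshake_failure", 70: "protocol_version", 71: "insufficient_security"}
CIPHERS = {0x0005: "TLS_RSA_WITH_RC4_128_SHA", 0x003C: "TLS_RSA_WITH_AES_128_CBC_SHA256"}


def parse_first_record(data: bytes) -> dict:
    """Describe the first TLS record the server returned after the ClientHello."""
    if len(data) < 5:
        raise ValueError("truncated record header")
    ctype, _rec_version, length = struct.unpack("!BHH", data[:5])
    body = data[5:5 + length]
    if len(body) != length:
        raise ValueError("truncated record body")
    if ctype == 21 and length == 2:  # alert: level byte, description byte
        return {"type": "alert", "fatal": body[0] == 2,
                "description": ALERTS.get(body[1], f"alert_{body[1]}")}
    if ctype == 22 and body[:1] == b"\x02":  # handshake record holding a ServerHello
        # Layout: type(1) length(3) version(2) random(32) sid_len(1) sid cipher(2)
        if len(body) < 39 or len(body) < 41 + body[38]:
            raise ValueError("truncated ServerHello")
        version = struct.unpack("!H", body[4:6])[0]
        offset = 39 + body[38]
        cipher = struct.unpack("!H", body[offset:offset + 2])[0]
        # Up to TLS 1.2 this version field is the negotiated protocol.
        return {"type": "server_hello", "version": VERSIONS.get(version, hex(version)),
                "cipher": CIPHERS.get(cipher, f"0x{cipher:04X}")}
    return {"type": f"content_type_{ctype}"}


def diagnose(data: bytes) -> str:
    rec = parse_first_record(data)
    if rec["type"] == "server_hello":
        weak = rec["version"] in ("SSLv3", "TLSv1.0") or "RC4" in rec["cipher"]
        return f"negotiated {rec['version']} {rec['cipher']}" + (" (weak)" if weak else "")
    if rec["type"] == "alert" and rec["description"] == "protocol_version":
        return "server rejected the offered protocol versions"
    if rec["type"] == "alert":
        return f"handshake refused: {rec['description']}"
    return "unexpected first record"


# Constructed sample records (not captured from the systems in this thread).
ALERT_PROTOCOL_VERSION = bytes.fromhex("15030100020246")
ALERT_HANDSHAKE_FAILURE = bytes.fromhex("15030100020228")
_hello = b"\x03\x03" + bytes(32) + b"\x00" + b"\x00\x3c" + b"\x00"
_handshake = b"\x02" + len(_hello).to_bytes(3, "big") + _hello
SERVER_HELLO_TLS12 = b"\x16\x03\x03" + len(_handshake).to_bytes(2, "big") + _handshake
```

Some servers answer a version mismatch with a generic handshake_failure alert or simply close the connection, so the absence of a protocol_version alert does not rule out a protocol mismatch.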




-----Original Message-----
From: MIDRANGE-L [mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of Steinmetz, Paul
Sent: Wednesday, July 01, 2015 11:39 AM
To: 'Midrange Systems Technical Discussion'
Subject: RE: SSL client connection error - SSL_Handshake(): Peer not recognized or badly formatted message received.

Update from IBM PMR.

After several discussions with our IBM i SSL developer, he agreed to build in an option into the SSLCONFIG Advanced Analysis (AA) Macro in System Service Tools (SST) in IBM i 7.1 OS that will allow you to change the system-wide defaults for the SSL_VERSION_CURRENT protocol value. The new option will give users the ability to log into SST and execute the SSLCONFIG AA macro to change the default value of SSL_VERSION_CURRENT from SSLV2, SSLV3, and TLSV1 to whatever protocol combination they want it to be defined as. This includes the TLSV1.1 and TLSV1.2 protocols. If your client/server application is coded to use the SSL_VERSION_CURRENT protocol value, then it will support whatever protocols are set through SSLCONFIG. NOTE: When changing the default values for SSL_VERSION_CURRENT, this will affect the entire system. You will NOT have the ability to change the SSL_VERSION_CURRENT definition for a single application. Any change to the SSL_VERSION_CURRENT definition in SST through the SSLCONFIG AA macro will be system-wide. The PTF providing this support is targeted sometime mid to late July.

Paul

-----Original Message-----
From: MIDRANGE-L [mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of Steinmetz, Paul
Sent: Monday, June 29, 2015 10:44 AM
To: 'Midrange Systems Technical Discussion'
Subject: RE: SSL client connection error - SSL_Handshake(): Peer not recognized or badly formatted message received.

Scott,

1) How do we know if an app is using GSKit for SSL?
2) If we do have an app using GSKit for SSL, I would like the configuration info you're referring to?

Paul

-----Original Message-----
From: MIDRANGE-L [mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of Scott Klement
Sent: Friday, June 26, 2015 11:11 AM
To: Midrange Systems Technical Discussion
Subject: Re: SSL client connection error - SSL_Handshake(): Peer not recognized or badly formatted message received.

Since he references SSL_Handshake(), I'm assuming that he's using the SSL APIs.

But if someone does need info about how to configure the versions in GSKit, let me know, I can provide that...



On 6/26/2015 9:10 AM, Bradley Stone wrote:
Hi Paul.

What are you using to connect/communicate? Can you get the return code?

Do you know if the GSKit APIs are used or the standard SSL APIs are
being used for the connect?

I ran into an issue with a customer on V7R1 that was trying to use
V7R1 and up and the SSL APIs weren't really doing things right, so on
the SSL Handshake API we had to tell it by sending it the proper code
and that cleared things up.

Here's a link to an article I wrote about it.. it refers to GETURI but
it would also apply to any client application that uses the SSL APIs.
(the GSKit APIs may have a different setting).

http://www.fieldexit.com/forum/display?threadid=170

Brad
www.bvstools.com

On Fri, Jun 26, 2015 at 8:06 AM, Steinmetz, Paul
<PSteinmetz@xxxxxxxxxx>
wrote:

I'm receiving this error when trying to connect to a remote server.

SSL_Handshake(): Peer not recognized or badly formatted message received.

V7R1, TR10, latest CUM 15142 and all groups

I've confirmed DCM has proper CA, both root and intermediate.
Remote server has TLS1.0 disabled, TLS1.2 is currently being used for
other connections to that server.
I'm thinking this is either a SSL protocol issue or cipher issue.
I know when the I is the server, the DCM application defaults need to
be changed to allow TLS1.2, TLS1.1 and disable SSL 3.0, SSL2.0. Also
cipher defaults need to be changed.

Are there similar settings for when the I is the client?
I've seen other posts with this error, but did not see the final
resolution.


- - - - - - - - - - - - - - - - - - - - - - - C O N N E C T I O N  F E E D B A C K -
About to connect() to XXXXXX-web.XXX.net port 443 (#0)
Trying XXX.XXX.XXX.X... connected
SSL_Handshake(): Peer not recognized or badly formatted message received.
Closing connection #0
SSL connect error
************End of Data********************


Thank You
_____
Paul Steinmetz
IBM i Systems Administrator

Pencor Services, Inc.
462 Delaware Ave
Palmerton Pa 18071

610-826-9117 work
610-826-9188 fax
610-349-0913 cell
610-377-6012 home

psteinmetz@xxxxxxxxxx
http://www.pencor.com/

--
This is the Midrange Systems Technical Discussion (MIDRANGE-L)
mailing list To post a message email: MIDRANGE-L@xxxxxxxxxxxx To
subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx Before posting, please take
a moment to review the archives at
http://archive.midrange.com/midrange-l.



This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].
