


I can replicate the problem using this (openssl-0.9.6d):

[root@localhost src]# openssl s_client -connect example.com:50855 -cipher RC4-MD5 -showcerts
CONNECTED(00000003)
depth=0 /C=US/O=FOO/CN=example
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=US/O=FOO/CN=example
verify return:1
1439:error:1408F071:SSL routines:SSL3_GET_RECORD:bad mac decode:s3_pkt.c:383:
[root@localhost src]#

Yet, I can establish an SSL connection using this method:

[root@localhost src]# openssl s_client -connect example.com:50855 -ssl3
CONNECTED(00000003)
depth=0 /C=US/O=FOO/CN=example
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=US/O=FOO/CN=example
verify return:1
---
Certificate chain
 0 s:/C=US/O=FOO/CN=example
   i:/C=US/O=FOO/CN=example
---
Server certificate
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
subject=/C=US/O=FOO/CN=example
issuer=/C=US/O=FOO/CN=example
---
No client certificate CA names sent
---
SSL handshake has read 641 bytes and written 292 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-MD5
Server public key is 1024 bit
SSL-Session:
    Protocol  : SSLv3
    Cipher    : RC4-MD5
    Session-ID: DF657A7A1EF7B0A002CED7D431AA13E0E6733D48A19412F7D081DBB66CD5291F
    Session-ID-ctx:
    Master-Key: B385A01C35CFAEEC8BCB2A1BB427DDF65651045A5A348A1FD2BC672C2A47125780674B2F4E4C9BD45BF01684F4E2D1C2
    Key-Arg   : None
    Start Time: 1022278226
    Timeout   : 7200 (sec)
    Verify return code: 18 (self signed certificate)
---


....


Then I am inside the connection stream...
Looking at the above, one would think that if I use the -cipher RC4-MD5 option
to openssl instead of -ssl3, it might work. It does not. The next step is
wandering through the openssl source to identify the problem.

If anyone has any thoughts about this, it's greatly appreciated.

-brian





On Fri, 24 May 2002, Scott Klement wrote:

>
> What this message means is that it can't decrypt a record (and
> that's an SSL record, not a 5250 record) that was sent to it.
>
> Your config file looks okay to me, I don't think this is a config
> issue.
>
> We're using OpenSSL (http://www.openssl.org) for the SSL routines,
> so we don't do any of the encryption/decryption ourselves, we let
> OpenSSL do it.  I tried searching the OpenSSL mailing lists, and
> there are other people who have had this type of problem, but I can't
> find a resolution.  (tho, the search software for those lists isn't the
> greatest)
>
> The only thing I can think of is trying to update to a newer version
> of OpenSSL, and see if that will solve the problem.   Unfortunately,
> I can't reproduce the problem locally (SSL works perfectly for me) so
> I'd need your help to try things out.
>
> Are you willing to help?
>
>
> On Fri, 24 May 2002, BjM wrote:
> >
> > I'm attempting to connect tn5250 over SSL to a known IP:port.  I've been
> > using IBM SafeWay Host-on-Demand Java 5250 client previously.  Here is
> > the trace line in question, any suggestions?:
> >
> > 4293384889:error:1408F455:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac:.\ssl\s3_pkt.c:450:
> > sslstream: SSL_connect() failed, errnum=0
> >
> > Here is my setup tn5250rc:
> >
> > map=37
> > font_80=Terminal
> > example1 {
> >   env.TERM=IBM-3477-FC
> >   env.DEVNAME=EXMP123
> >   +ssl_verify_server
> >   trace=foo.txt
> >   host=ssl:example.com:50855
> > }
> >
>


