ibmi-brunch-learn


Stuck GSKit Error 402

  • Stuck GSKit Error 402

    I wondered if someone knew what causes the following error:

    Code:
    20/12/2019 11:42:34:702   00000607  transport  X TCPChannel::doSSLHandshake(): Line=958: File=/build/axiscpp/src/ws-axis/c/src/transport/TCPChannel/TCPChannel.cpp:
    HTTPTransportException - SERVER_TRANSPORT_SOCKET_CONNECT_ERROR: Failed to open connection to server, the operation gsk_secure_soc_init() failed.
    GSKit Error is 402 - No compatible cipher suite available between SSL end points.
    I've gone through here https://www.ibm.com/support/pages/co...-cipher-suites and checked that there are ciphers enabled which match ones enabled on the receiving website:

    System Values:

    QSSLPCL

    Protocols
    *TLSV1.2
    *TLSV1.1

    QSSLCSL

    Sequence number   Cipher Suite
    10                *RSA_AES_256_CBC_SHA256
    20                *RSA_AES_128_CBC_SHA256
    30                *ECDHE_RSA_AES_256_GCM_SHA384
    40                *ECDHE_RSA_AES_128_GCM_SHA256

    QSSLCSLCTL

    *USRDFN

    I've checked a number of sites, but can't really see an answer to why this is happening.

    Similar code works fine with a different site which has the RSA cipher enabled.

    I've attached logs and RPG code that is used to send the API request.

  • #2
    Any ideas on this?



    • #3
      You appear to understand the error sufficiently well... it is trying to establish an SSL connection, but isn't able to because it can't negotiate ciphers.

      As to why it is happening in this particular instance, I don't know. I'd suggest troubleshooting this by using the openssl command-line tool to see which protocols and ciphers it negotiates, and then enabling the same thing in your program.

      Also, be sure you're running a current version of IBM i. Older versions (7.1 and earlier) do not support current SSL standards.



      • #4
        Thanks Scott,

        Just tried OpenSSL from QSH (installed via open source package management); the cipher that was selected was ECDHE-RSA-AES128-GCM-SHA256, which is one of those enabled in the system values.

        We are running v7.3 so should have all of the relevant SSL stuff in place.

        Is there a way to debug GSKit, enable extra logging, or invoke it manually?

        Also I noticed that when I'm setting AXISC_PROPERTY_HTTP_SSL, I am turning off everything except TLS V1.2,

        but in the log it says:

        Code:
        20/12/2019 11:42:34:184 00000607 transport D TCPChannel::createGSKitEnvironment(): Enabled SSLV2
        20/12/2019 11:42:34:184 00000607 transport D TCPChannel::createGSKitEnvironment(): Enabled SSLV3
        20/12/2019 11:42:34:184 00000607 transport D TCPChannel::createGSKitEnvironment(): Enabled TLSV1
        20/12/2019 11:42:34:184 00000607 transport D TCPChannel::createGSKitEnvironment(): Enabled TLSV11
        20/12/2019 11:42:34:184 00000607 transport D TCPChannel::createGSKitEnvironment(): Enabled TLSV12

        Does my call to axiscTransportSetProperty look ok?

        (also thanks for your YAJLINTO program!)

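Scott's suggestion above is to compare what openssl negotiates with what the system values allow, and the reply confirms the negotiated suite is in QSSLCSL. The awkward part in practice is that the tools involved spell the same suite three ways: QSSLCSL `*ECDHE_RSA_AES_128_GCM_SHA256`, OpenSSL `ECDHE-RSA-AES128-GCM-SHA256`, IANA `TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256`. The following is an added example, not code from the thread or from IBM, AXIS or OpenSSL: it normalizes both spellings to the IANA form and returns the first suite in the client's preference order that the server also offers, or None, which is the condition GSKit reports as error 402. The rewriting rules cover only AES suites such as the four in the thread (an assumption; other cipher families would need more rules), and a cipher overlap is necessary but not sufficient, as this thread itself shows.

```python
"""Check cipher-suite overlap between an IBM i QSSLCSL list and suites seen
on the OpenSSL side. Added example, not from the thread, IBM, AXIS or
OpenSSL. Name rewriting covers AES suites only (assumption)."""
import re

# Constructed from the QSSLCSL shown in the thread, in preference order.
QSSLCSL = [
    "*RSA_AES_256_CBC_SHA256",
    "*RSA_AES_128_CBC_SHA256",
    "*ECDHE_RSA_AES_256_GCM_SHA384",
    "*ECDHE_RSA_AES_128_GCM_SHA256",
]


def ibmi_to_iana(name):
    """'*ECDHE_RSA_AES_128_GCM_SHA256' -> 'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256'.

    QSSLCSL names are the IANA names without the 'TLS_' prefix and the
    'WITH' marker; the key-exchange part ends where the bulk cipher starts."""
    m = re.fullmatch(r"\*?(.+?)_(AES_\d{3}_.+)", name)
    if not m:
        raise ValueError(f"unsupported QSSLCSL name: {name}")
    return f"TLS_{m.group(1)}_WITH_{m.group(2)}"


def openssl_to_iana(name):
    """'ECDHE-RSA-AES128-GCM-SHA256' -> 'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256'.

    OpenSSL omits 'RSA' for plain RSA key exchange (AES128-SHA256) and omits
    'CBC' for CBC suites, so both are re-inserted here."""
    tokens = name.split("-")
    for i, tok in enumerate(tokens):
        m = re.fullmatch(r"AES(128|256)", tok)
        if m:
            break
    else:
        raise ValueError(f"unsupported OpenSSL name: {name}")
    kx = tokens[:i] or ["RSA"]
    mode_and_mac = tokens[i + 1:]
    if not mode_and_mac:
        raise ValueError(f"unsupported OpenSSL name: {name}")
    if mode_and_mac[0] not in ("GCM", "CCM"):
        mode_and_mac.insert(0, "CBC")
    return "TLS_" + "_".join(kx) + f"_WITH_AES_{m.group(1)}_" + "_".join(mode_and_mac)


def negotiate(client_pref, server_offered):
    """First suite, in client order, that both sides share. None means no
    common suite, which is what GSKit reports as error 402."""
    server = {openssl_to_iana(s) for s in server_offered}
    for c in client_pref:
        iana = ibmi_to_iana(c)
        if iana in server:
            return iana
    return None


if __name__ == "__main__":
    # Constructed server list; a real one comes from an openssl s_client run
    # or a TLS scanner against the target host.
    print(negotiate(QSSLCSL, ["ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES256-GCM-SHA384"]))
    print(negotiate(QSSLCSL, ["ECDHE-RSA-AES128-SHA"]))
```

The server-side list is whatever `openssl s_client -connect host:443 -servername host` reports (one suite per run; restrict with `-cipher` to probe others) or what a TLS scanner lists; the client list is QSSLCSL in sequence order. If this returns None, error 402 is explained; if it returns a suite and the handshake still fails, look elsewhere, which in this thread meant SNI.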


        • #5
          Honestly, I'm no expert on the AXISC routines... I've never seen anyone use them aside from me writing an example or two. Most RPGers prefer either HTTPAPI or the SSL HTTP functions.

          Here are some things I noticed:

          1. The docs say that the SSLv2, SSLv3, etc ciphers should be set to NONE to disable them. You are setting them to 'None' instead of 'NONE'. I don't know if that matters, but worth a try to make it all caps like the docs say.

          2. You allocate memory (not sure why you don't just use a variable?) for some of the options but you never deallocate it. So this would be a memory leak -- if run enough times, you could run out of memory. (But, that doesn't explain the problems you're having.)

          You could call GSKit manually instead of doing it via AXISC if you wanted to. They are normal system APIs documented here:


          I don't know of any way to get extra logging.

          You could try doing this with HTTPAPI and see if that works any better. (It also uses GSKit, so you might get the same error?) It is open source and free (and quite a bit easier to use than AXISC) available here:



          • #6
            Thanks again,

            1) Changing to NONE worked, thanks; I'm not sure how I missed that! It didn't fix my main problem, though!

            2) The allocation oddness was to try to solve the Ciphers not being turned off... I think I had been looking at it for too long, and couldn't see the wood for the trees!

            I'll give your HTTPAPI a go...



            • #7
              Just to update,

              HTTPAPI works fine with the site.

              Given that both HTTPAPI and AXISC are using GSKit, it makes me think there may be an issue with the AXISC APIs (or I'm using them incorrectly!)... I guess I should raise this with IBM!?



              • #8
                Another update

                IBM got back to me and advised me to set the SNI field, as they have seen this issue with AWS applications before. This immediately solved the GSKit 402 issue.



                • #9
                  Hi there!
                  I am struggling with a similar case and just read that the "SNI" field solved the issue.
                  What syntax does this follow? Is it just the same as the URI, or the server only? With https:// before it or not?
                  I am asking because I tried several combinations and still have not overcome the issue.
                  My approach is to totally ignore the SSL issue, as the certificate in charge needs to be installed to be accepted, which I would like to avoid.

                  Thank you in advance
                  Andi



                  • #10
                    Originally posted by agoering:
                    "What syntax does this follow? Is it just the same as the URI, or the server only? With https:// before it or not?"

                    It is only the host name (not the URI).

                    Originally posted by agoering:
                    "I am asking because I tried several combinations and still have not overcome the issue. My approach is to totally ignore the SSL issue, as the certificate in charge needs to be installed to be accepted, which I would like to avoid."

                    I don't understand what you are asking here.

                    This problem occurs when the HTTP server is using virtual hosts. (A single IP address hosting many different host names.) When this happens, there is a separate SSL certificate for each host, but it has no way to know which one to send back because SSL must be established before the HTTP communication can begin, and therefore it can't use the host for the HTTP conversation. SNI allows the SSL protocol to send the hostname (instead of just the IP address) so that it can determine which hostname to send the certificate for.

                    This has nothing to do with installing certificates on the client side.

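Scott's answer above says SNI is only the host name, and explains why a virtual-hosting server needs it before HTTP starts. To make concrete where that name travels, here is an added example, not code from the thread, AXIS, GSKit or IBM i: it builds a minimal TLS 1.2 ClientHello carrying the server_name extension (RFC 6066 section 3) and parses it back. It only produces and reads bytes offline and does not talk to any server. `sni_hostname` reduces whatever you start from (URL, host:port, or bare host) to the value to pass as the SNI property, and returns None for IP literals, which RFC 6066 says must not be sent in SNI. The cipher-suite codes are the IANA values for the four suites in the thread's QSSLCSL. The ClientHello is the first message the client sends, before any HTTP, which is why the server cannot learn the virtual host from the HTTP Host header in time to choose a certificate.

```python
"""Where the SNI host name goes: build a minimal TLS 1.2 ClientHello with the
server_name extension (RFC 6066 s.3) and parse it back. Added example; not
part of the forum thread, AXIS, GSKit or IBM i. Offline, stdlib only."""
import ipaddress
import os
import struct
from urllib.parse import urlsplit

# IANA cipher-suite codes for the four suites in the thread's QSSLCSL.
SUITES = {
    "TLS_RSA_WITH_AES_256_CBC_SHA256": 0x003D,
    "TLS_RSA_WITH_AES_128_CBC_SHA256": 0x003C,
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384": 0xC030,
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256": 0xC02F,
}
EXT_SERVER_NAME = 0x0000
NAME_TYPE_HOST = 0


def sni_hostname(target):
    """Bare host name to send in SNI, from a host, host:port or URL.
    Returns None for IP literals, which RFC 6066 says must not be sent."""
    parts = urlsplit(target if "://" in target else "//" + target)
    if not parts.hostname:
        raise ValueError(f"no host name in {target!r}")
    try:
        ipaddress.ip_address(parts.hostname)
        return None
    except ValueError:
        return parts.hostname


def build_client_hello(host, suites=tuple(SUITES.values())):
    """Return a TLS record carrying a ClientHello that names `host` in SNI."""
    name = host.encode("ascii")
    entry = struct.pack("!BH", NAME_TYPE_HOST, len(name)) + name
    server_name_list = struct.pack("!H", len(entry)) + entry
    ext = struct.pack("!HH", EXT_SERVER_NAME, len(server_name_list)) + server_name_list
    body = (
        b"\x03\x03"                                  # client_version: TLS 1.2
        + os.urandom(32)                             # random
        + b"\x00"                                    # session_id length 0
        + struct.pack("!H", 2 * len(suites))
        + b"".join(struct.pack("!H", s) for s in suites)
        + b"\x01\x00"                                # compression_methods: null only
        + struct.pack("!H", len(ext)) + ext          # extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # record layer


def parse_client_hello(record):
    """Extract version, offered suites and SNI host from a ClientHello record.
    This is what a virtual-hosting front end reads before picking a certificate."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello")
    p = 9                                            # past record (5) + handshake (4) headers
    version = record[p:p + 2]; p += 2
    p += 32                                          # random
    p += 1 + record[p]                               # session_id
    (n,) = struct.unpack("!H", record[p:p + 2]); p += 2
    suites = [struct.unpack("!H", record[p + i:p + i + 2])[0] for i in range(0, n, 2)]
    p += n
    p += 1 + record[p]                               # compression_methods
    sni = None
    if p < len(record):
        (ext_len,) = struct.unpack("!H", record[p:p + 2]); p += 2
        end = p + ext_len
        while p < end:
            etype, elen = struct.unpack("!HH", record[p:p + 4]); p += 4
            data = record[p:p + elen]; p += elen
            if etype == EXT_SERVER_NAME:
                q = 2                                # skip server_name_list length
                while q < len(data):
                    ntype, nlen = struct.unpack("!BH", data[q:q + 3]); q += 3
                    if ntype == NAME_TYPE_HOST:
                        sni = data[q:q + nlen].decode("ascii")
                    q += nlen
    return {"version": version, "suites": suites, "sni": sni}


if __name__ == "__main__":
    # Constructed input: a URL, reduced to the host name that belongs in SNI.
    host = sni_hostname("https://www.google.com/some/path?q=1")
    print(host, parse_client_hello(build_client_hello(host)))
```

To see the effect outside your program, compare `openssl s_client -connect host:443 -servername host` with the same command without `-servername`: a virtual-hosting front end answers the second with its default certificate or fails the handshake, which is the behaviour IBM attributed to AWS-hosted sites in this thread.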


                    • #11
                      Use something like this when setting the AXIS SSL properties (every string handed to the C API must be null-terminated, including the SNI host name):

                      Code:
                      DCL-C C_CERTSTORE CONST('/QIBM/USERDATA/ICSS/CERT/SERVER/DEFAULT.KDB');
                      DCL-S CertStore CHAR(64);        // store path + null (declaration added)
                      DCL-S NULLSTR CHAR(1) INZ(X'00');
                      DCL-C C_NONE CONST('NONE');
                      DCL-S None CHAR(5);

                      DCL-C C_BLANK CONST('');
                      DCL-S Blank CHAR(2);

                      DCL-C C_TRUE CONST('true');
                      DCL-S True CHAR(5);

                      DCL-S Domain VARCHAR(255);       // bare host name (declaration added)
                      DCL-S SNI CHAR(256);             // host name + null (declaration added)
                      DCL-S rxCode INT(10);            // return code (declaration added)
                      // tHandle is the transport handle obtained earlier (not shown)

                      Domain = 'www.google.com';
                      CertStore = C_CERTSTORE + NULLSTR;
                      Blank = C_BLANK + NULLSTR;
                      None = C_NONE + NULLSTR;
                      True = C_TRUE + NULLSTR;
                      SNI = %trim(Domain) + NULLSTR;   // host name only: no scheme, port or path

                      rxCode = axiscTransportSetProperty(tHandle:
                                 AXISC_PROPERTY_HTTP_SSL:
                                 %ADDR(CertStore):            // cert store
                                 %ADDR(Blank) :               // store pwd
                                 %ADDR(Blank) :               // cert label
                                 %ADDR(None)  :               // SSL V2
                                 %ADDR(None)  :               // SSL V3
                                 %ADDR(None)  :               // TLS V1
                                 %ADDR(None)  :               // TLS V1.1
                                 %ADDR(Blank) :               // TLS V1.2
                                 %ADDR(True)  :               // Tolerate soft warnings
                                 %ADDR(Blank) :               // App ID
                                 %ADDR(SNI)   :               // SNI
                                 *NULL);



                      • #12
                        Thank you guys for the prompt answers!
                        I am now a step forward, but get an error 400 from the server: "Your browser sent a request that this server could not understand."
                        When I do the same with the SQL HTTP function it works quite well.
                        Any idea where this could come from?
                        On the server side the admins don't see any helpful errors, they told me...
                        Thank you!
                        Andi



                        • #13
                          Ooh, how I hate that null stuff...
                          Actually I had not provided a null at the end of the URI; now it works fine!
                          Again, thank you for your help.

                          Andi
