Unable to establish connection over TLS 1.2 on AIX 7.1/7.2 Post: 303030903

Sponsored Content

Operating Systems AIX Unable to establish connection over TLS 1.2 on AIX 7.1/7.2 Post 303030903 by Naina2019 on Tuesday 19th of February 2019 03:10:48 AM

02-19-2019

Registered User

Thanks Gull04. I have tried the debug options provided in the link and got to know that there are no ciphers in common to establish a connection.
Also I could see only SSL_* ciphers are enabled. Can you please help me to enable TLS_* ciphers in IBM JDK8, so that it can communicate over TLS 1.2.

Here are the logs :

Code:

Using SSLEngineImpl.
Is initial handshake: true
qtp-1722886128-39, READ: TLSv1 Handshake, length = 182
*** ClientHello, TLSv1.2
RandomCookie:  GMT: -1246685516 bytes = { 14, 70, 82, 17, 142, 160, 104, 40, 220, 61, 116, 139, 67, 63, 91, 48, 1, 149, 197, 162, 246, 61, 155, 115, 103, 215, 79, 30 }
Session ID:  {}
Cipher Suites: [Unknown 0xcc:0xa9, Unknown 0xcc:0xa8, Unknown 0xcc:0x14, Unknown 0xcc:0x13, SSL_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, SSL_ECDHE_RSA_WITH_AES_128_GCM_SHA256, SSL_DHE_RSA_WITH_AES_128_GCM_SHA256, SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, SSL_ECDHE_RSA_WITH_AES_256_CBC_SHA, SSL_DHE_RSA_WITH_AES_256_CBC_SHA, SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA, SSL_DHE_RSA_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_AES_128_GCM_SHA256, SSL_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA]
Compression Methods:  { 0 }
Extension renegotiation_info, ri_length: 0, ri_connection_data: { null }
Extension extended_master_secret
Unsupported extension type_35, data:
Extension signature_algorithms, signature_algorithms: SHA512withRSA, SHA512withECDSA, SHA384withRSA, SHA384withECDSA, SHA256withRSA, SHA256withECDSA, SHA224withRSA, SHA224withECDSA, SHA1withRSA, SHA1withECDSA
Unsupported extension status_request, data: 01:00:00:00:00
Unsupported extension type_13172, data:
Unsupported extension type_18, data:
Extension application_layer_protocol_negotiation, protocol names: [h2][spdy/3.1][http/1.1]
Unsupported extension type_30032, data:
Extension ec_point_formats, formats: [uncompressed]
Extension elliptic_curves, curve names: {secp256r1, secp384r1}
***
ALPNJSSEExt not initialized for Server
ALPN will not be negotiatedc51426f1[SSLEngine[hostname=10.74.7.16 port=57233] SSL_NULL_WITH_NULL_NULL]
%% Initialized:  [Session-3, SSL_NULL_WITH_NULL_NULL]
qtp-1722886128-39, fatal error: 40: no cipher suites in common
javax.net.ssl.SSLHandshakeException: no cipher suites in common
%% Invalidated:  [Session-3, SSL_NULL_WITH_NULL_NULL]
qtp-1722886128-39, SEND TLSv1.2 ALERT:  fatal, description = handshake_failure
qtp-1722886128-39, WRITE: TLSv1.2 Alert, length = 2
qtp-1722886128-39, fatal: engine already closed.  Rethrowing javax.net.ssl.SSLHandshakeException: no cipher suites in common
qtp-1722886128-39, called closeOutbound()
qtp-1722886128-39, closeOutboundInternal()

Regards,
Naina

Naina2019

View Public Profile for Naina2019

Find all posts by Naina2019

9 More Discussions You Might Find Interesting

1. HP-UX

Xterm :Cannot establish a connection to "Server IP" on port 22

Dears, I installed HP-UX Server, when I tried to reach it through Xterm it returns the error like Xrcmd Cannot establish a connection to "Server IP" on port 22 Anyone here to tell me the reason(s) find attached xterm.jpg

2. Shell Programming and Scripting

Establish ODBC connection from Linux

Hi All, I want to establish a ODBC connection to a database from linux and query the tables of a database. Please let me know how I can achieve this. Thanks and Regards Nagaraja Akkivalli.

3. IP Networking

Unable to connect to internet on slackware 14.1 (hathway connection)

Hi, I have a wired internet connection of hathway provider. I would like to use the connection on my desktop as well as my laptop. My desktop pc has windows 7 and yesterday I installed slackware 14.1 (full installation) on my lenovo 3000 n100 laptop. Previously I had slacko puppy 5.7...

4. AIX

AIX sendmail and tls

The situation Version AIX7.1/8.14.4 Compiled with: DNSMAP LDAPMAP LDAP_REFERRALS LOG MAP_REGEX MATCHGECOS MILTER MIME7TO8 MIME8TO7 NAMED_BIND NDBM NETINET NETINET6 NETUNIX NEWDB NIS NISPLUS PIPELINING SCANF STARTTLS USERDB USE_LDAP_INIT XDEBUG...

5. AIX

AIX LDAP client authenticate against Linux Openldap server over TLS/SSL

Hi folks, How can i configure an AIX LDAP client to authenticate against an Linux Openldap server over TLS/SSL? It works like a charm without TLS/SSL. i would like to have SSL encrypted communication for ldap (secldapclntd) and ldapsearch etc. while accepting every kind of certificate/CA....

6. Solaris

How to configure CUPS on Solaris 11.3 - TLS and no TLS?

We are implementing CUPS on a new Solaris 11.3 system. The same system will run an application where users can print to networked printers inside our organisation, or to a printer outside of our organisation over the internet. For users printing to internal network printers, no encryption is...

7. Red Hat

Connection establish two server

How do make connection between two linux server.Such as SSH,rsync,ftp

8. Red Hat

Proxy tunneling failed: ForbiddenUnable to establish SSL connection.

Tryied both ways curl and wget wget --no-check-certificate https://mysitet.it:61617 --2017-05-05 17:29:02-- https://mysitet.it:61617/ Connecting to myproxy:8080... connected. Proxy tunneling failed: ForbiddenUnable to establish SSL connection. curl https://mysite.it:61617 curl: (56)...

9. BSD

Can't establish outbound ssh connection on an OpenBSD system

I am getting the below error when I try to make outbound ssh from an OpenBSD system. I can't ssh to any host except the localhost. I can ping the hosts which I can't ssh, though.~ uname -rs OpenBSD 6.1 ~ ssh -V OpenSSH_7.5, LibreSSL 2.5.2 ~ ssh hostname ssh: connect to host hostname...

LEARN ABOUT NETBSD

ssl_cipher_get_name

SSL_CIPHER_get_name(3)						      OpenSSL						    SSL_CIPHER_get_name(3)

NAME

       SSL_CIPHER_get_name, SSL_CIPHER_get_bits, SSL_CIPHER_get_version, SSL_CIPHER_description - get SSL_CIPHER properties

LIBRARY

       libcrypto, -lcrypto

SYNOPSIS

	#include <openssl/ssl.h>

	const char *SSL_CIPHER_get_name(const SSL_CIPHER *cipher);
	int SSL_CIPHER_get_bits(const SSL_CIPHER *cipher, int *alg_bits);
	char *SSL_CIPHER_get_version(const SSL_CIPHER *cipher);
	char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int size);

DESCRIPTION

       SSL_CIPHER_get_name() returns a pointer to the name of cipher. If the argument is the NULL pointer, a pointer to the constant value "NONE"
       is returned.

       SSL_CIPHER_get_bits() returns the number of secret bits used for cipher. If alg_bits is not NULL, it contains the number of bits processed
       by the chosen algorithm. If cipher is NULL, 0 is returned.

       SSL_CIPHER_get_version() returns string which indicates the SSL/TLS protocol version that first defined the cipher.  This is currently
       SSLv2 or TLSv1/SSLv3.  In some cases it should possibly return "TLSv1.2" but does not; use SSL_CIPHER_description() instead.  If cipher is
       NULL, "(NONE)" is returned.

       SSL_CIPHER_description() returns a textual description of the cipher used into the buffer buf of length len provided. len must be at least
       128 bytes, otherwise a pointer to the string "Buffer too small" is returned. If buf is NULL, a buffer of 128 bytes is allocated using
       OPENSSL_malloc(). If the allocation fails, a pointer to the string "OPENSSL_malloc Error" is returned.

NOTES

       The number of bits processed can be different from the secret bits. An export cipher like e.g. EXP-RC4-MD5 has only 40 secret bits. The
       algorithm does use the full 128 bits (which would be returned for alg_bits), of which however 88bits are fixed. The search space is hence
       only 40 bits.

       The string returned by SSL_CIPHER_description() in case of success consists of cleartext information separated by one or more blanks in the
       following sequence:

       <ciphername>
	   Textual representation of the cipher name.

       <protocol version>
	   Protocol version: SSLv2, SSLv3, TLSv1.2. The TLSv1.0 ciphers are flagged with SSLv3. No new ciphers were added by TLSv1.1.

       Kx=<key exchange>
	   Key exchange method: RSA (for export ciphers as RSA(512) or RSA(1024)), DH (for export ciphers as DH(512) or DH(1024)), DH/RSA, DH/DSS,
	   Fortezza.

       Au=<authentication>
	   Authentication method: RSA, DSS, DH, None. None is the representation of anonymous ciphers.

       Enc=<symmetric encryption method>
	   Encryption method with number of secret bits: DES(40), DES(56), 3DES(168), RC4(40), RC4(56), RC4(64), RC4(128), RC2(40), RC2(56),
	   RC2(128), IDEA(128), Fortezza, None.

       Mac=<message authentication code>
	   Message digest: MD5, SHA1.

       <export flag>
	   If the cipher is flagged exportable with respect to old US crypto regulations, the word "export" is printed.

EXAMPLES

       Some examples for the output of SSL_CIPHER_description():

	EDH-RSA-DES-CBC3-SHA	SSLv3 Kx=DH	  Au=RSA  Enc=3DES(168) Mac=SHA1
	EDH-DSS-DES-CBC3-SHA	SSLv3 Kx=DH	  Au=DSS  Enc=3DES(168) Mac=SHA1
	RC4-MD5 		SSLv3 Kx=RSA	  Au=RSA  Enc=RC4(128)	Mac=MD5
	EXP-RC4-MD5		SSLv3 Kx=RSA(512) Au=RSA  Enc=RC4(40)	Mac=MD5  export

       A comp[lete list can be retrieved by invoking the following command:

	openssl ciphers -v ALL

BUGS

       If SSL_CIPHER_description() is called with cipher being NULL, the library crashes.

       If SSL_CIPHER_description() cannot handle a built-in cipher, the according description of the cipher property is unknown. This case should
       not occur.

RETURN VALUES

       See DESCRIPTION

SEE ALSO

       ssl(3), SSL_get_current_cipher(3), SSL_get_ciphers(3), openssl_ciphers(1)

1.0.1i								    2014-08-10						    SSL_CIPHER_get_name(3)