bvstone

SSL Frequently Asked Questions (FAQ) and Return Codes for the IBM i (iSeries, System i, AS/400)


Because a lot of our software uses Secure Sockets Layer (SSL/TLS) we run into many errors returned by the APIs used.  

In this article we are going to point you to our SSL FAQ page as well as list some of the most common SSL return codes, their meanings and the circumstances in which we find they occur.

The SSL documentation can be found here.

Please see this article on how to set your system's SSL or TLS version on your IBM i.

The following is a list of common SSL error codes and our descriptions.  Because we are moving to using the GSKit SSL functions, we also include the related GSKit error code in brackets []:

  • -1 [402] - SSL_ERROR_NO_CIPHERS - This error shouldn't happen often, but if it does it most likely is because you are on an older version of the OS and new ciphers used by the SSL certificate on the server you are connecting to are not installed on your system.  If you are on an unsupported OS version there really is nothing you can do.  If you are on a supported OS, find out which cipher is being used and check your SSL cipher list by displaying the system value (DSPSYSVAL) for QSSLCSL.  Then contact SSL support to see if a PTF is available to update the cipher list on your machine.
     
  • -2 [403] - SSL_ERROR_NO_CERTIFICATE - This error normally occurs when you are communicating with a server that requires that you use a client side certificate and one has not been provided.  This is normally done by creating an application ID in Digital Certificate Manager (DCM) and assigning the client side certificate you were supplied to this application ID.  You then specify the application ID on the client (such as GETURI) that you are using.
     
  • -10 [406] - SSL_ERROR_IO - Depending on the Error Number (errno) returned, this could mean one of many things.  If it's a permission error (3401), see the SSL FAQ section about which folders need permissions to fix this error.  If the error number is 3426 this normally means that you don't have your system set up to use TLS v1.2 ciphers.
     
  • -11 [410] or -16 [415] - SSL_ERROR_BAD_MESSAGE or SSL_ERROR_BAD_PEER - This normally occurs when you don't specify the proper port when communicating via SSL.  For example, with GETURI the default port is 80, even if you specify SSL(*YES).  So, we often see this return code when the port is not changed to 443 for SSL communications.
     
  • -13 [412] - SSL_ERROR_NOT_SUPPORTED - This normally means that the SSL Certificate used by the server is not compatible with the available cipher suites set up on your system.  This is rare unless you're on an old or unsupported OS version (maybe even V7R1).  See this article for a possible workaround.
     
  • -23 [6000] - SSL_ERROR_NOT_TRUSTED_ROOT - This normally means that the Certificate Authority(ies) (CAs) that signed the certificate on the server side are not trusted by your system.  You will need to either import the CAs into your *SYSTEM store using Digital Certificate Manager (DCM) or, if your client allows (like GETURI and MAILTOOL do), you can turn off Strict SSL and these errors will be ignored.

    You will also see the -23 error in the following form (the key here is that it occurs during SSL initialization):

    Error during SSL initialization.  The value specified for the argument is  not correct.   RC(-23) errno(3021). 

    This normally occurs when you are using the IBM SSL APIs and working with a wildcard certificate.  The old SSL APIs do not handle Server Name Indication (SNI) well, and probably won't be updated to do so (see this article).  But with GETURI and MAILTOOL you have the option to use the GSKit SSL APIs, which should resolve this issue.

  • -24 [none] - SSL_ERROR_CERT_EXPIRED - This normally means that you have a Certificate Authority (CA) or a certificate (self-signed or signed by a trusted authority) that has expired.  On V6R1 and up, Digital Certificate Manager (DCM) has a "Check Expiration" button you can click when viewing CAs or certificates to list the expired ones.  Even if the expired CA or certificate has nothing to do with your application, it can cause issues.  (Don't ask me why).  Delete the expired CA(s) and/or certificate(s) and you should be back in action.
     
  • -93 [2] - SSL_ERROR_NOT_AVAILABLE - This error usually occurs when you have not yet set up your *SYSTEM certificate Store.  Click Here for more information on performing this function.
     
  • -95 [202] - SSL_ERROR_NO_KEYRING - This error is similar to -93.  Make sure that you have created your *SYSTEM store and the default CAs were installed.
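
The port mix-up behind -11/-16 can be reproduced away from the IBM i. The following is an added Python example (not BVSTools code and not part of GETURI): a TLS client sends its ClientHello, a clear-text HTTP listener answers with an HTTP status line, and the client rejects that reply as a bad record. The function names, the host name `example.test` and the canned reply are constructed for illustration.

```python
import socket
import ssl

def client_hello(server_name: str):
    """Start a TLS client handshake in memory; return (tls, incoming BIO, ClientHello bytes)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=server_name)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: the ClientHello is queued and the client now waits for the server
    return tls, incoming, outgoing.read()

def classify_reply(data: bytes) -> str:
    """Classify the first bytes a server returns after receiving a ClientHello."""
    if len(data) >= 2 and data[0] in (0x15, 0x16) and data[1] == 0x03:
        return "tls"         # TLS alert (0x15) or handshake (0x16) record
    if data.startswith(b"HTTP/"):
        return "plain-http"  # clear-text HTTP listener, e.g. port 80
    return "closed" if not data else "unknown"

def handshake_outcome(server_name: str, reply: bytes) -> str:
    """Feed a server reply to a fresh TLS client and report what the client does with it."""
    tls, incoming, _ = client_hello(server_name)
    incoming.write(reply)
    try:
        tls.do_handshake()
        return "complete"
    except ssl.SSLWantReadError:
        return "in-progress"  # reply parsed as TLS so far, more records needed
    except ssl.SSLError:
        return "rejected"     # reply is not a TLS record: the bad-message case

def probe(host: str, port: int, timeout: float = 5.0) -> str:
    """Send a ClientHello to host:port and classify the first bytes that come back."""
    _, _, hello = client_hello(host)
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(hello)
        return classify_reply(sock.recv(16))

# Constructed sample: what a clear-text HTTP listener sends back to a ClientHello.
PLAIN_HTTP_REPLY = b"HTTP/1.1 400 Bad Request\r\nConnection: close\r\n\r\n"

if __name__ == "__main__":
    print(classify_reply(PLAIN_HTTP_REPLY),
          handshake_outcome("example.test", PLAIN_HTTP_REPLY))
```

Running `probe()` against your own server's port 80 and port 443 shows which one actually answers with TLS records before you change the port on the client.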

As we encounter more errors we will update this list.  As always, do feel free to contact us with any questions.


Last edited 02/05/2020 at 09:35:21







Copyright 1983-2020 BVSTools