IBM Support

DFHSO0123 Return code 402 - No common ciphers negotiated

Question & Answer


Question

Why is my SSL handshake failing with message DFHSO0123 Return code 402, No common ciphers negotiated? I have created a URIMAP for an outbound connection to a Server. CICS Transaction Server for z/OS (CICS TS) is acting as the Client. My URIMAP is using the default cipher list CICS uses when ENCRYPTION=STRONG is coded within the system initialization table (DFHSIT). Those ciphers are 35, 38, 39, 2F, 32, 33, 0A, 16, 13, 15, 12.

The trace shows the handshake beginning with a client hello being sent outbound to the Server:

 |> x'16' at offset x'0' is handshake
            |> x'01' at offset x'5'  is client hello
 16030100 43010000 3F030158 3C71E3AB 0A078434 77705C38 8824A3FA 7212F35E
 33A6075C 53472B01 E78FB300 001800FF 00350038 0039002F 00320033 000A0016
 00130015 00120100          | 
                            |> x'0018' at offset x'2C' is the start of the ciphers

x'0018' is the Length, the x'00FF' is a TLS indicator, followed by the actual ciphers CICS supports. These are listed as 4 byte cipher values from the 0035 up to and including the 0012.

All CICS receives in the response from the Server is 15030100020228, which ends up reported back to CICS as no ciphers. This is an indication that the CICS default list of ciphers does not contain a cipher compatible with the remote Server.

Answer

The Server is using a higher level of encryption and therefore does not use any of the default ciphers associated with ENCRYPTION=STRONG. In this instance, the problem was resolved by coding ENCRYPTION=ALL within the SIT. The handshake then worked because the Server then had a common cipher.

Note: The ENCRYPTION SIT parameter has been deprecated in CICS TS 5.3. Use the MINTLSLEVEL system initialization parameter instead. ENCRYPTION=ALL is equivalent to MINTLSLEVEL=TLS11.
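The two records quoted in the trace in the Question can be decoded offline to confirm what CICS offered and what the Server sent back. This is an added example, not IBM or CICS code: the function names are illustrative, and the bytes are copied from the trace on this page. On the wire each cipher suite is a two-byte value, which the trace shows as four hex digits.

```python
import struct

# Bytes copied from the trace on this page: ClientHello from CICS, then the Server's reply.
CLIENT_HELLO = bytes.fromhex(
    "16030100430100003F0301583C71E3AB0A07843477705C388824A3FA7212F35E"
    "33A6075C53472B01E78FB300001800FF003500380039002F00320033000A0016"
    "0013001500120100")
SERVER_REPLY = bytes.fromhex("15030100020228")

# Subset of the TLS alert registry (RFC 5246) relevant to negotiation failures.
ALERT_LEVEL = {1: "warning", 2: "fatal"}
ALERT_DESC = {40: "handshake_failure", 70: "protocol_version",
              71: "insufficient_security"}

def read_record(buf):
    """Split one TLS record into (content_type, version, payload)."""
    ctype, major, minor, length = struct.unpack_from("!BBBH", buf, 0)
    payload = buf[5:5 + length]
    if len(payload) != length:
        raise ValueError("truncated TLS record")
    return ctype, (major, minor), payload

def offered_ciphers(record):
    """Return the cipher suite codes offered in a ClientHello record."""
    ctype, _, hs = read_record(record)
    if ctype != 0x16 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    pos = 4 + 2 + 32          # handshake header, client_version, random
    pos += 1 + hs[pos]        # session_id length byte plus the session_id itself
    (n,) = struct.unpack_from("!H", hs, pos)   # x'0018' at record offset x'2C'
    if n % 2 or pos + 2 + n > len(hs):
        raise ValueError("bad cipher_suites length")
    return [f"{c:04X}" for c in struct.unpack_from(f"!{n // 2}H", hs, pos + 2)]

def decode_alert(record):
    """Return (level, description) for a plaintext TLS alert record."""
    ctype, _, body = read_record(record)
    if ctype != 0x15 or len(body) != 2:
        raise ValueError("not a plaintext alert record")
    return ALERT_LEVEL.get(body[0], body[0]), ALERT_DESC.get(body[1], body[1])

if __name__ == "__main__":
    print("offered:", " ".join(offered_ciphers(CLIENT_HELLO)))
    print("alert:  ", decode_alert(SERVER_REPLY))
```

The 7-byte reply is a TLS alert record with level x'02' (fatal) and description x'28' (handshake_failure). Comparing the decoded list with the cipher suites the Server is configured to accept shows whether any overlap exists before SIT parameters are changed.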

Document Information

Modified date:
30 November 2016

UID

dwa1324292