Question & Answer
Question
Why am I getting DFHSO0123 return code 446 x'1BE' which indicates a TLS Version Mismatch? Looking at an SSL trace, I see the following entries.
SYS01 MESSAGE 00000008 14:11:24.325434 SSL_INFO
Job CICSREGN Process 05070FB9 Thread 00000001
read_v3_server_hello
Using TLSV1.2 protocol
SYS01 MESSAGE 00000008 14:11:24.325443 SSL_INFO
Job CICSREGN Process 05070FB9 Thread 00000001
read_v3_server_hello
Using V3 cipher specification C028
SYS01 MESSAGE 00000008 14:11:24.325452 SSL_INFO
Job CICSREGN Process 05070FB9 Thread 00000001
read_v3_server_hello
Using key exchange type 5
SYS01 MESSAGE 00000004 14:11:24.325461 SSL_ERROR
Job CICSREGN Process 05070FB9 Thread 00000001
read_v3_extended_server_hello
Server returned unrequested TLS extension 10
SYS01 MESSAGE 00000004 14:11:24.325471 SSL_ERROR
Job CICSREGN Process 05070FB9 Thread 00000001
send_v3_alert
Sent SSL V3 alert 110 to
00000000000000000000FFFFA21C688B0000000000000000000000
0000000000
SYS01 MESSAGE 00000008 14:11:24.325481 SSL_INFO
Job CICSREGN Process 05070FB9 Thread 00000001
gsk_write_v3_record
Calling write routine for 7 bytes
SYS01 MESSAGE 00000008 14:11:24.325506 SSL_INFO
Job CICSREGN Process 05070FB9 Thread 00000001
gsk_write_v3_record
7 bytes written
SYS01 MESSAGE 00000004 14:11:24.325531 SSL_ERROR
Job CICSREGN Process 05070FB9 Thread 00000001
gsk_secure_socket_init
SSL V3 client handshake failed with
00000000000000000000FFFFA21C688B0000000000000000000000
0000000000
SYS01 MESSAGE 00000002 14:11:24.325541 SSL_EXIT
Job CICSREGN Process 05070FB9 Thread 00000001
gsk_secure_socket_init
Exit status 000001BE (446)
SYS01 MESSAGE 00000001 14:11:24.325706 SSL_ENTRY
Job CICSREGN Process 05070FB9 Thread 00000001
gsk_secure_socket_shutdown
Handle 5089199FF0
SYS01 MESSAGE 00000002 14:11:24.325715 SSL_EXIT
Job CICSREGN Process 05070FB9 Thread 00000001
gsk_secure_socket_shutdown
Exit status 00000005 (5)
SYS01 MESSAGE 00000001 14:11:24.325723 SSL_ENTRY
Job CICSREGN Process 05070FB9 Thread 00000001
gsk_secure_socket_close
Handle 5089199FF0
SYS01 MESSAGE 00000002 14:11:24.325737 SSL_EXIT
Job CICSREGN Process 05070FB9 Thread 00000001
gsk_secure_socket_close
Exit status 00000000 (0)
Answer
The 'Sent SSL V3 alert 110' message that you see in the SSL trace is being returned because the server you are connecting to is including an Elliptic Curves extension (x'000a') in the Server_Hello that it is returning.
(And in the trace I do see 'Server returned unrequested TLS extension 10'; the 10 is hex A.)
This violates RFC 4492, which describes this extension. The RFC does not indicate that this extension is allowed in the server hello message, unlike the elliptic curves point formats extension (x'000b').
There is a known problem that occurs when you are connecting to an F5 Load Balancer:
K37345003: The BIG-IP system incorrectly includes the elliptic_curves extension in the Server Hello message during a TLS handshake
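Added example (not part of the original technote and not IBM or F5 code): a Python check that parses a ServerHello handshake message, for instance one exported from a packet capture, and lists the extension types the client did not offer, which is the condition reported as 'Server returned unrequested TLS extension 10'. The sample message and the set of offered extensions are constructed for illustration.

```python
import struct

ELLIPTIC_CURVES = 0x000A    # "extension 10" in the trace
EC_POINT_FORMATS = 0x000B   # allowed in a ServerHello per the answer above

def server_hello_extensions(msg: bytes) -> list:
    """Return the extension types, in order, of a TLS 1.2 ServerHello handshake message."""
    if len(msg) < 4 or msg[0] != 0x02:
        raise ValueError("not a ServerHello handshake message")
    declared = int.from_bytes(msg[1:4], "big")
    body = msg[4:4 + declared]
    if len(body) != declared or len(body) < 35:
        raise ValueError("truncated ServerHello")
    # Skip server_version(2), random(32), session_id, cipher_suite(2), compression(1).
    pos = 35 + body[34] + 3
    if pos == len(body):            # the extensions block is optional
        return []
    if pos + 2 > len(body):
        raise ValueError("truncated ServerHello")
    end = pos + 2 + struct.unpack_from("!H", body, pos)[0]
    if end != len(body):
        raise ValueError("extensions length does not match message length")
    pos += 2
    types = []
    while pos < end:
        if pos + 4 > end:
            raise ValueError("truncated extension header")
        ext_type, ext_len = struct.unpack_from("!HH", body, pos)
        pos += 4 + ext_len
        if pos > end:
            raise ValueError("truncated extension data")
        types.append(ext_type)
    return types

def unrequested_extensions(msg: bytes, offered: set) -> list:
    """Extension types in the ServerHello that were not in the ClientHello."""
    return [t for t in server_hello_extensions(msg) if t not in offered]

def sample_server_hello() -> bytes:
    """Constructed ServerHello: TLS 1.2, cipher C028, extensions x'000b' and x'000a'."""
    ext = lambda t, data: struct.pack("!HH", t, len(data)) + data
    exts = ext(EC_POINT_FORMATS, b"\x01\x00") + ext(ELLIPTIC_CURVES, b"\x00\x02\x00\x17")
    body = (b"\x03\x03" + bytes(32) + b"\x00" + b"\xC0\x28" + b"\x00"
            + struct.pack("!H", len(exts)) + exts)
    return b"\x02" + len(body).to_bytes(3, "big") + body

if __name__ == "__main__":
    # Assumption: the client offered only ec_point_formats (x'000b').
    for t in unrequested_extensions(sample_server_hello(), {EC_POINT_FORMATS}):
        print(f"Server returned unrequested TLS extension {t} (x'{t:04x}')")
```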
Product Synonym
CICS/TS CICSTS CICS TS CICS Transaction Server
Document Information
Modified date:
07 August 2018
UID
dwa1463016