IBM Support

Why is my SSL handshake failing using AT-TLS?

Question & Answer


Question

Why is the SSL handshake failing with SSL rc=9?

Answer

When AT-TLS is configured to be FIPS140 enabled, the following AT-TLS debug error message is seen in the syslogd daemon class output:

EZD1283I TTLS Event GRPID: 00000001 ENVID: 00000114 CONNID: 0147E064 RC: 9 Initial Handshake

The SSL rc=9 indicates:

9 Cryptographic processing error.

Explanation

An error is detected by a cryptographic function. This error might also occur if key sizes that are non-FIPS are used during an SSL handshake while operating in FIPS mode.

User response

If the error occurred while executing in FIPS mode, check that only FIPS key sizes are used.

The rc=9 was caused because the secure server sent a Key Exchange message in its SSL server hello with a Diffie-Hellman key size less than 2048. FIPS140 mode requires Diffie-Hellman key sizes to be at least 2048 in size.
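The check described above, as an added example that is not part of the original IBM document: Python that reads the Diffie-Hellman prime length from a captured TLS ServerKeyExchange handshake message (layout per RFC 5246) and compares it with the 2048 minimum. It assumes a DHE cipher suite was negotiated (an ECDHE message has a different layout); the function names and the sample messages are constructed for illustration.

```python
import struct

FIPS_MIN_DH_BITS = 2048    # minimum this page gives for FIPS140 mode
SERVER_KEY_EXCHANGE = 12   # TLS handshake message type (RFC 5246)


def _read_vector(buf: bytes, offset: int) -> tuple[bytes, int]:
    """Read one opaque<1..2^16-1> vector: 2-byte length, then the value."""
    if offset + 2 > len(buf):
        raise ValueError("truncated length field")
    (length,) = struct.unpack_from("!H", buf, offset)
    end = offset + 2 + length
    if length == 0 or end > len(buf):
        raise ValueError("truncated or empty vector")
    return buf[offset + 2:end], end


def dh_prime_bits(handshake: bytes) -> int:
    """Return the bit length of dh_p in a DHE ServerKeyExchange message."""
    if len(handshake) < 4 or handshake[0] != SERVER_KEY_EXCHANGE:
        raise ValueError("not a ServerKeyExchange handshake message")
    body_len = int.from_bytes(handshake[1:4], "big")
    body = handshake[4:4 + body_len]
    if len(body) != body_len:
        raise ValueError("truncated handshake body")
    dh_p, off = _read_vector(body, 0)
    _dh_g, off = _read_vector(body, off)   # parsed only to validate the layout
    _dh_ys, off = _read_vector(body, off)  # the signature that follows is ignored
    return int.from_bytes(dh_p, "big").bit_length()


def acceptable_in_fips_mode(handshake: bytes) -> bool:
    """True when the server's DH prime meets the FIPS minimum size."""
    return dh_prime_bits(handshake) >= FIPS_MIN_DH_BITS


def build_sample(prime_bytes: int) -> bytes:
    """Constructed message: filler values, only the field lengths are realistic."""
    p = b"\xff" * prime_bytes    # placeholder, not a real prime
    ys = b"\xaa" * prime_bytes   # placeholder server public value
    body = b"".join(struct.pack("!H", len(v)) + v for v in (p, b"\x02", ys))
    return bytes([SERVER_KEY_EXCHANGE]) + len(body).to_bytes(3, "big") + body


if __name__ == "__main__":
    for size in (128, 256):  # 1024-bit and 2048-bit constructed samples
        msg = build_sample(size)
        print(dh_prime_bits(msg), "bits, FIPS ok:", acceptable_in_fips_mode(msg))
```
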


Document Information

Modified date:
03 October 2018

UID

dwa1473345