[AIX Solaris HP-UX Linux Windows][z/OS]

Handshake messages

This topic contains error messages that might result due to SSL handshake failures and provides solutions to help you troubleshoot these problems.

The following messages display due to handshake failures:

  • Message: SSL0192W: IBM® HTTP Server is configured to permit client renegotiation which is vulnerable to man-in-the-middle attacks <servername:port>
    • Reason: IBM HTTP Server is configured to allow client handshake renegotiation using the SSLInsecureRenegotiation directive. This configuration is vulnerable to man-in-the-middle attacks. Use this configuration only if it is necessary for your client and be aware of the risk. For more information about the exposure, refer to the public documentation about CVE-2009-3555.
    • Solution: Remove the SSLInsecureRenegotiation directive or set the directive to OFF to avoid the vulnerability. If proprietary clients require SSL renegotiation to function, update these clients to establish new connections.
  • Message: SSL0193W: Error setting GSK_NO_RENEGOTIATION to <GSK_TRUE | GSK_FALSE> <errorcode>
    • Reason: An error occurred when the server attempted to disable client renegotiation. This setting is the default value. However, this value is also set if you specify the SSLInsecureRenegotiation directive with an OFF value.
    • Solution: Report this problem to IBM Support.
  • Message: SSL0196I: Security library does not support GSK_SESSION_RESET_CALLBACK, rejecting insecure SSL client renegotiation by monitoring SIDs
    • Reason: When the server attempted to disable client renegotiation, it was determined that the security library on this system does not support GSK_SESSION_RESET_CALLBACK. It will be configured to reject insecure SSL client renegotiation using an alternate mechanism of monitoring SIDs.
    • Solution: This informational message does not indicate a failure, but it reports a configuration condition. An action is not necessary. You can upgrade to a newer z/OS® security library that includes support for GSK_SESSION_RESET_CALLBACK or for disabling SSL client renegotiation.
  • Message: SSL0197I: Configured security library to reject insecure SSL client renegotiation.
    • Reason: The security library has been successfully configured to reject client renegotiation.
    • Solution: This informational message does not indicate a failure, but it reports a particular configuration setting. An action is not necessary.
  • Message: SSL0198I: System is running without a security library capable of directly rejecting insecure SSL client renegotiation. Aborting HTTPS requests that span SSL sessions
    • Reason: While the server attempted to disable client renegotiation, it was determined that the security library on this system does not support directly rejecting SSL client renegotiation. It will be configured to use an alternate callback mechanism.
    • Solution: This informational message does not indicate a failure, but it reports a configuration condition. An action is not necessary. For z/OS systems, upgrade to a newer security library that includes support for GSK_SESSION_RESET_CALLBACK or for disabling SSL client renegotiation. For distributed systems, upgrade to GSKit Version 7.0.4.27 or later.
  • Message: SSL0200E: Handshake Failed, <code>.
    • Reason: The handshake failed when the SSL library returned an unknown error.
    • Solution: Report this problem to IBM Support.
  • Message: SSL0201E: Handshake Failed, Internal error - Bad handle.
    • Reason: An internal error has occurred.
    • Solution: Report this problem to IBM Support.
  • Message: SSL0202E: Handshake Failed, The GSK library unloaded.
    • Reason: A call to the GSKit function failed because the dynamic link library unloaded (Windows operating systems only).
    • Solution: Shut down the server and restart.
  • Message: SSL0203E: Handshake Failed, GSK internal error.
    • Reason: The communication between client and the server failed due to an error in the GSKit library.
    • Solution: Retry connection from the client. If the error continues, report the problem to IBM Support.
  • Message: SSL0204E: Handshake Failed, Internal memory allocation failure.
    • Reason: The server could not allocate memory needed to complete the operation.
    • Solution: Take action to free up some additional memory. Try reducing the number of threads or processes running, or increasing virtual memory.
  • Message: SSL0205E: Handshake Failed, GSK handle is in an invalid state for operation.
    • Reason: The SSL state for the connection is invalid.
    • Solution: Retry connection from the client. If the error continues, report the problem to IBM Support.
  • Message: SSL0206E: Handshake Failed, Key-file label not found
    • Reason: The label specified for the SSLServerCert directive was not found in the key database (KDB) file specified for the KeyFile directive.
    • Solution: Specify a value for the SSLServerCert directive that corresponds to a personal certificate available in the KDB file specified for the KeyFile directive.
  • Message: SSL0207E: Handshake Failed, Certificate is not available.
    • Reason: The client did not send a certificate.
    • Solution: Set client authentication to optional if a client certificate is not required. Contact the client to determine why it is not sending an acceptable certificate.
  • Message: SSL0208E: Handshake Failed, Certificate validation error.
    • Reason: The received certificate failed one of the validation checks.
    • Solution: Use another certificate. Contact IBM Support to determine why the certificate failed validation.
  • Message: SSL0209E: Handshake Failed, ERROR processing cryptography.
    • Reason: A cryptography error occurred.
    • Solution: None. If the problem continues, report it to IBM Support.
  • Message: SSL0210E: Handshake Failed, ERROR validating ASN fields in certificate.
    • Reason: The server was not able to validate one of the ASN fields in the certificate.
    • Solution: Try another certificate.
  • Message: SSL0211E: Handshake Failed, ERROR connecting to LDAP server.
    • Reason: The Web server failed to connect to the CRL LDAP server.
    • Solution: Verify that the values entered for the SSLCRLHostname and SSLCRLPort directives are correct. If access to the CRL LDAP server requires authentication, verify that the SSLCRLUserID directive is coded and that the password was added to the stash file pointed to by the SSLStashfile directive.
  • Message: SSL0212E: Handshake Failed, Internal unknown error.
    • Reason: An unknown error has occurred in the SSL library.
    • Solution: Report the problem to IBM Support.
  • Message: SSL0213E: Handshake Failed, Open failed due to cipher error.
    • Reason: An unknown error has occurred in the SSL library.
    • Solution: Report the problem to IBM Support.
  • Message: SSL0214E: Handshake Failed, I/O error reading key file.
    • Reason: The server could not read the key database file.
    • Solution: Check file access permissions and verify the Web server user ID is allowed access.
  • Message: SSL0215E: Handshake Failed, Key file has an invalid internal format. Recreate key file.
    • Reason: Key file has an invalid format.
    • Solution: Recreate key file.
  • Message: SSL0216E: Handshake Failed, Key file has two entries with the same key. Use IKEYMAN to remove the duplicate key.
    • Reason: Two identical keys exist in key file.
    • Solution: Use IKEYMAN to remove duplicate key.
  • Message: SSL0217E: Handshake Failed, Key file has two entries with the same label. Use IKEYMAN to remove the duplicate label.
    • Reason: A second certificate with the same label was placed in the key database file.
    • Solution: Use IKEYMAN to remove duplicate label.
  • Message: SSL0218E: Handshake failed, Either the key file has become corrupted or the password is incorrect.
    • Reason: The key file password is used as an integrity check and the test failed. Either the key database file is corrupted, or the password is incorrect.
    • Solution: Use IKEYMAN to stash the key database file password again. If that fails, recreate the key database.
  • Message: SSL0219E: SSL Handshake Failed, Either the default key in the keyfile has an expired certificate or the keyfile password expired. Use iKeyman to renew or remove certificates that are expired or to set a new keyfile password.
    • Reason: Either the default key in the keyfile has an expired certificate or the keyfile password expired.
    • Solution: Use iKeyman to renew or remove certificates that are expired or to set a new keyfile password.
  • Message: SSL0220E: Handshake Failed, There was an error loading one of the GSKdynamic link libraries. Be sure GSK was installed correctly.
    • Reason: Opening the SSL environment resulted in an error because one of the GSK dynamic link libraries could not load.
    • Solution: Contact Support to make sure the GSKit is installed correctly.
  • Message: SSL0221E: Handshake Failed, Either the certificate has expired or the system clock is incorrect.
    • Reason: Either the certificate expired or the system clock is incorrect.
    • Solution: Use the key management utility (iKeyman) to recreate or renew your server certificate or change the system date to a valid date.
  • Message: SSL0222W: Handshake failed, no ciphers specified.
    • Reason: SSLV2 and SSLV3 are disabled.
    • Solution: None. Report this problem to IBM Support.
  • Message: SSL0223E: Handshake Failed, No certificate.
    • Reason: The client did not send a certificate.

      You can also see this message when your keyfile does not have a default certificate specified and you have not specified an SSLServerCert directive. It will pass initialization but fail at connection (handshake) time.

    • Solution: Set client authentication to optional if a client certificate is not required. Contact the client to determine why it is not sending a certificate.
  • Message: SSL0224E: Handshake failed, Invalid or improperly formatted certificate.
    • Reason: The client did not specify a valid certificate.
    • Solution: Client problem.
  • Message: SSL0225E: Handshake Failed, Unsupported certificate type.
    • Reason: The certificate type received from the client is not supported by this version of IBM HTTP Server SSL.
    • Solution: The client must use a different certificate type.
  • Message: SSL0226I: Handshake Failed, I/O error during handshake.
    • Reason: The communication between the client and the server failed. This is a common error when the client closes the connection before the handshake has completed.
    • Solution: Retry the connection from the client.
  • Message: SSL0227E: Handshake Failed, Specified label could not be found in the key file.
    • Reason: Specified key label is not present in key file.
    • Solution: Check that the SSLServerCert directive is correct, if coded, and that the label is valid for one of the keys in the key database.
  • Message: SSL0228E: Handshake Failed, Invalid password for key file.
    • Reason: The password retrieved from the stash file could not open the key database file.
    • Solution: Use IKEYMAN to open the key database file and recreate the password stash file. This problem can also result from a corrupted key database file. Creating a new key database file may resolve the problem.
  • Message: SSL0229E: Handshake Failed, Invalid key length for export.
    • Reason: In a restricted cryptography environment, the key size is too long to be supported.
    • Solution: Select a certificate with a shorter key.
  • Message: SSL0230I: Handshake Failed, An incorrectly formatted SSL message was received.
  • Message: SSL0231W: Handshake Failed, Could not verify MAC.
    • Reason: The communication between the client and the server failed.
    • Solution: Retry the connection from the client.
  • Message: SSL0232W: Handshake Failed, Unsupported SSL protocol or unsupported certificate type.
    • Reason: The communication between the client and the server failed because the client is trying to use a protocol or certificate which the IBM HTTP Server does not support.
    • Solution: Retry the connection from the client using an SSL Version 2 or 3, or TLS 1 protocol. Try another certificate.
  • Message: SSL0233W: Handshake Failed, Invalid certificate signature.
  • Message: SSL0234W: Handshake Failed, The certificate sent by the peer expired or is invalid.
    • Reason: The partner did not specify a valid certificate. The server is acting as a reverse proxy to an SSL URL and the _server_ cert could not be validated.

      [Updated in August 2016] Either the local certificate or the peer certificate is not valid. For a certificate to be valid, the complete certificate chain must be present in the key database file, the System Authorization Facility (SAF) key ring, or the Public Key Cryptography Standards (PKCS) #11 token.

    • Solution: Partner problem. If this occurs during an SSL Proxy connection, the remote SSL server sent a bad certificate to IBM HTTP Server. Check the certificate and certificate authority chain at the other end of the SSL connection. For more information, see Securing with SSL communications.

      [Updated in August 2016] Verify that the certificate in the certificate chain is marked trusted. Ensure that the communication partner sends a valid certificate. If you use RACF® key rings and the DIGTCERT and DIGTRING classes are listed in the RACLIST operand, issue the SETROPTS RACLIST (DIGTCERT, DIGTRING) REFRESH command. This command refreshes the profiles to ensure that the latest changes are available. If the error persists, see the problem determination information on the following WebSphere® Application Server Support web page: http://www.ibm.com/software/webservers/appserv/was/support.

  • Message: SSL0235W: Handshake Failed, Invalid peer.
  • Message: SSL0236W: Handshake Failed, Permission denied.
  • Message: SSL0237W: Handshake Failed, The self-signed certificate is not valid.
  • Message: SSL0238E: Handshake Failed, Internal error - read failed.
    • Reason: The read failed.
    • Solution: None. Report this error to IBM Support.
  • Message: SSL0239E: Handshake Failed, Internal error - write failed.
    • Reason: The write failed.
    • Solution: None. Report this error to IBM Support.
  • Message: SSL0240I: Handshake Failed, Socket has been closed.
    • Reason: The client closed the socket before the protocol completed.
    • Solution: Retry connection between client and server.
  • Message: SSL0241E: Handshake Failed, Invalid SSLV2 Cipher Spec.
    • Reason: The SSL Version 2 cipher specifications passed into the handshake were invalid.
    • Solution: Change the specified Version 2 cipher specs.
  • Message: SSL0242E: Handshake Failed, Invalid SSLV3 Cipher Spec.
    • Reason: The SSL Version 3 cipher specifications passed into the handshake were invalid.
    • Solution: Change the specified Version 3 cipher specs.
  • Message: SSL0243E: Handshake Failed, Invalid security type.
    • Reason: There was an internal error in the SSL library.
    • Solution: Retry the connection from the client. If the error continues, report the problem to IBM Support.
  • Message: SSL0245E: Handshake Failed, Internal error - SSL Handle creation failure.
    • Reason: There was an internal error in the security libraries.
    • Solution: None. Report this problem to IBM Support.
  • Message: SSL0246E: Handshake Failed, Internal error - GSK initialization has failed.
    • Reason: An error in the security library has caused SSL initialization to fail.
    • Solution: None. Report this problem to IBM Support.
  • Message: SSL0247E: Handshake Failed, LDAP server not available.
    • Reason: Unable to access the specified LDAP directory when validating a certificate.
    • Solution: Check that the SSLCRLHostname and SSLCRLPort directives are correct. Make sure the LDAP server is available.
  • Message: SSL0248E: Handshake Failed, The specified key did not contain a private key.
    • Reason: The key does not contain a private key.
    • Solution: Create a new key. If this was an imported key, include the private key when doing the export.
  • Message: SSL0249E: Handshake Failed, A failed attempt was made to load the specified PKCS#11 shared library.
    • Reason: An error occurred while loading the PKCS#11 shared library.
    • Solution: Verify that the PKCS#11 shared library specified in the SSLPKCSDriver directive is valid.
  • Message: SSL0250E: Handshake Failed, The PKCS#11 driver failed to find the token label specified by the caller.
    • Reason: The specified token was not found on the PKCS#11 device.
    • Solution: Check that the token label specified on the SSLServerCert directive is valid for your device.
  • Message: SSL0251E: Handshake Failed, A PKCS#11 token is not present for the slot.
    • Reason: The PKCS#11 device has not been initialized correctly.
    • Solution: Specify a valid slot for the PKCS#11 token or initialize the device.
  • Message: SSL0252E: Handshake Failed, The password/pin to access the PKCS#11 token is either not present, or invalid.
    • Reason: Specified user password and pin for PKCS#11 token is not present or invalid.
    • Solution: Check that the correct password was stashed using the SSLStash utility and that the SSLStashfile directive is correct.
  • Message: SSL0253E: Handshake Failed, The SSL header received was not a properly SSLV2 formatted header.
    • Reason: The data received during the handshake does not conform to the SSLV2 protocol.
    • Solution: Retry connection between client and server. Verify that the client is using HTTPS.
  • Message: SSL0254E: Internal error - I/O failed, buffer size invalid.
    • Reason: The buffer size in the call to the I/O function is zero or negative.
    • Solution: None. Report this problem to IBM Support.
  • Message: SSL0255E: Handshake Failed, Operation would block.
    • Reason: The I/O failed because the socket is in non-blocking mode.
    • Solution: None. Report this problem to IBM Support.
  • Message: SSL0256E: Internal error - SSLV3 is required for reset_cipher, and the connection uses SSLV2.
    • Reason: A reset_cipher function was attempted on an SSLV2 connection.
    • Solution: None. Report this problem to IBM Support.
  • Message: SSL0257E: Internal error - An invalid ID was specified for the gsk_secure_soc_misc function call.
    • Reason: An invalid value was passed to the gsk_secure_soc_misc function.
    • Solution: None. Report this problem to IBM Support.
  • Message: SSL0258E: Handshake Failed, The function call, <function>, has an invalid ID.
    • Reason: An invalid function ID was passed to the specified function.
    • Solution: None. Report this problem to IBM Support.
  • Message: SSL0259E: Handshake Failed, Internal error - The attribute has a negative length in: <function>.
    • Reason: The length value passed to the function is negative, which is invalid.
    • Solution: None. Report this problem to IBM Support.
  • Message: SSL0260E: Handshake Failed, The enumeration value is invalid for the specified enumeration type in: <function>.
    • Reason: The function call contains an invalid function ID.
    • Solution: None. Report this problem to IBM Support.
  • Message: SSL0261E: Handshake Failed, The SID cache is invalid: <function>.
    • Reason: The function call contains an invalid parameter list for replacing the SID cache routines.
    • Solution: None. Report this problem to IBM Support.
  • Message: SSL0262E: Handshake Failed, The attribute has an invalid numeric value: <function>.
    • Reason: The function call contains an invalid value for the attribute being set.
    • Solution: None. Report this problem to IBM Support.
  • Message: SSL0263W: SSL Connection attempted when SSL did not initialize.
    • Reason: A connection was received on an SSL-enabled virtual host but it could not be completed because there was an error during SSL initialization.
    • Solution: Check for an error message during startup and correct that problem.
  • Message: SSL0264E: Failure obtaining Cert data for label <certificate>.
    • Reason: A GSKit error prevented the server certificate information from being retrieved.
    • Solution: Check for a previous error message with additional information.
  • Message: SSL0265W: Client did not supply a certificate.
    • Reason: A client who connected failed to send a client certificate and the server is configured to require a certificate.
    • Solution: Nothing on the server side.
  • Message: SSL0266E: Handshake failed.
    • Reason: Could not establish SSL proxy connection.
    • Solution: IBM HTTP Server could not establish a proxy connection to a remote server using SSL.
  • Message: SSL0267E: SSL Handshake failed.
    • Reason: Timeout on network operation during handshake.
    • Solution: Check client connectivity, adjust TimeOuts.
  • Message: SSL0270I: SSL Handshake Failed, Timeout (dd seconds) occurred before any data received.
    • Reason: A connection was received on an SSL port, but no data was received from the client before the timeout expired.
    • Solution: If the timeout (set by the Timeout directive) has been reduced from the default value, verify that it is reasonable. If the message occurs intermittently, it is probably normal, due to things like users cancelling page loads and browser or system crashes. If the message occurs in bursts, it might indicate a denial of service attack in progress.
  • Message: SSL0271I: SSL Handshake Failed, client closed connection without sending any data.
    • Reason: A connection was received on an SSL port, but the client closed the connection without beginning the handshake.
    • Solution: If the timeout (set by the Timeout directive) has been reduced from the default value, verify that it is reasonable. If the message occurs intermittently, it is probably normal, due to things like users cancelling page loads and browser or system crashes. If the message occurs in bursts, it might indicate a denial of service attack in progress.
  • Message: SSL0272I: SSL Handshake Failed, I/O error before any data received.
    • Reason: A connection was received on an SSL port, but a network error broke the connection before any data was received from the client.
    • Solution: If the message occurs intermittently, it is probably normal, due to things like users cancelling page loads and browser or system crashes. If the message occurs in bursts, it might indicate a denial of service attack in progress.
  • Message: SSL0273I: Non-SSL request received on connection configured for SSL
    • Reason: A connection was received on an SSL port, but the data received was not SSL, and looked like a normal non-SSL request.
    • Solution: Verify that the port in question is intended to be configured for SSL. Look for bad links to the page in question that should use https:, but instead use http:.
  • Message: SSL0276E: SSL: Unexpected SSL client renegotiation detected, aborting SSL connection.
    • Reason: SSL client renegotiation was attempted, but the configuration does not allow SSL renegotiation. Thus, the SSL connection was stopped.
    • Solution: Retry the connection between the client and the server. Configure the connection to allow SSL renegotiation only if necessary. Be aware of the risk. If proprietary clients require SSL renegotiation to function, update them to establish new connections.
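
The guidance for SSL0270I, SSL0271I and SSL0272I separates intermittent occurrences (normal) from bursts (possible denial of service). The following Python is an added example, not IBM code, that counts those three message IDs in a sliding window over an error log. The Apache-style line layout, the 10-second window and the threshold of 5 are assumptions, and the sample log lines are constructed.

```python
import re
from collections import deque
from datetime import datetime, timedelta

# Message IDs whose documented guidance says bursts may indicate a DoS attack.
BURST_IDS = {"SSL0270I", "SSL0271I", "SSL0272I"}

# Assumed error-log prefix: [Sun Jan 28 20:56:01 2018] ... SSLnnnnX: text
LINE_RE = re.compile(
    r"^\[(?P<ts>\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d)(?:\.\d+)? (?P<year>\d{4})\]"
    r".*?\b(?P<msgid>SSL\d{4}[IWE]):"
)

def parse_line(line):
    """Return (timestamp, message_id), or None if the line does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{m['ts']} {m['year']}", "%a %b %d %H:%M:%S %Y")
    return ts, m["msgid"]

def find_bursts(lines, window_s=10, threshold=5):
    """Return [(start, end, count)] for runs in which at least `threshold`
    of the BURST_IDS messages fall inside a `window_s`-second window."""
    window = timedelta(seconds=window_s)
    recent = deque()   # timestamps of matching events inside the window
    bursts = []
    current = None     # [start, end, count] of the burst being extended
    for line in lines:
        parsed = parse_line(line)
        if parsed is None or parsed[1] not in BURST_IDS:
            continue
        ts = parsed[0]
        recent.append(ts)
        while ts - recent[0] > window:
            recent.popleft()
        if len(recent) >= threshold:
            if current is None:
                current = [recent[0], ts, len(recent)]
            else:
                current[1] = ts
                current[2] += 1
        elif current is not None:
            # Rate dropped below the threshold: close the burst.
            bursts.append(tuple(current))
            current = None
    if current is not None:
        bursts.append(tuple(current))
    return bursts

# Constructed sample: two isolated events, a six-event burst, one isolated event.
SAMPLE_LOG = """
[Sun Jan 28 20:00:00 2018] [info] [client 192.0.2.10] SSL0270I: SSL Handshake Failed, Timeout (30 seconds) occurred before any data received.
[Sun Jan 28 20:05:00 2018] [info] [client 192.0.2.11] SSL0271I: SSL Handshake Failed, client closed connection without sending any data.
[Sun Jan 28 20:56:01 2018] [info] [client 198.51.100.7] SSL0271I: SSL Handshake Failed, client closed connection without sending any data.
[Sun Jan 28 20:56:02 2018] [info] [client 198.51.100.7] SSL0271I: SSL Handshake Failed, client closed connection without sending any data.
[Sun Jan 28 20:56:02 2018] [info] [client 192.0.2.12] SSL0226I: Handshake Failed, I/O error during handshake.
[Sun Jan 28 20:56:03 2018] [info] [client 198.51.100.8] SSL0272I: SSL Handshake Failed, I/O error before any data received.
[Sun Jan 28 20:56:04 2018] [info] [client 198.51.100.8] SSL0270I: SSL Handshake Failed, Timeout (30 seconds) occurred before any data received.
[Sun Jan 28 20:56:05 2018] [info] [client 198.51.100.9] SSL0271I: SSL Handshake Failed, client closed connection without sending any data.
[Sun Jan 28 20:56:06 2018] [info] [client 198.51.100.9] SSL0271I: SSL Handshake Failed, client closed connection without sending any data.
[Sun Jan 28 21:10:00 2018] [info] [client 192.0.2.13] SSL0270I: SSL Handshake Failed, Timeout (30 seconds) occurred before any data received.
"""

if __name__ == "__main__":
    for start, end, count in find_bursts(SAMPLE_LOG.splitlines()):
        print(f"burst: {count} handshake aborts between {start} and {end}")
```

Tune the window and threshold against the server's normal traffic and its Timeout directive setting before alerting on the result.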

Last updated: January 28, 2018 08:56 PM GMT-06:00
http://www14.software.ibm.com/webapp/wsbroker/redirect?version=phil&product=ihs-dist&topic=rihs_troubhandmsg
File name: rihs_troubhandmsg.html