Thanks for that explanation, Alan. I really haven't been keeping up with
all of the latest rules and regs for security. Maybe I need to figure
out how to run my own DNS here so I can map things like names to local
IP addresses.
Take care.
DJ
---
BEST REGARDS
DAVE JONES IBM CHAMPION [2]
Managing Director for zSystems Support, zLinux, and Cloud
++1 281.578.7544 (Cell)
Web: www.itconline.com [3]
18502 Purdy Ct. Houston, TX 77084 USA
On 04.07.2022 8:28 AM, Alan Altmark wrote:
> As an aside, when using TLS, you should be using the host name, not the IP
> address in a client. A browser like FF will validate what you typed against
> what is in the server certificate and they won't match, so you'll get a
> warning. That's fine for interactive applications, but not so much for
> scripts.
>
> And, yeah, I've also been bitten by failing to use the right protocol on the
> right port. That's one reason that the IETF no longer approves "dual port"
> configurations such as we have with HTTP v. HTTPS. They now require that
> protocols include a "START TLS" negotiation mechanism on a single port.
>
> Regards,
> Alan
>
> Alan Altmark
> Senior Managing z/VM Consultant
> IBM Systems Lab Services
> 1 607 321 7556 Mobile
> [email protected]
>
> -----Original Message-----
> From: CMSTSO Pipelines Discussion List <[email protected]>
> On Behalf Of Dave Jones
> Sent: Thursday, April 7, 2022 10:56 AM
> To: [email protected]
> Subject: [EXTERNAL] Re: [CMS-PIPELINES] SSL/TLS question with tcpdata
>
> OK, I found the problem, due to Rob's suggestion. If I point Firefox to this
> URL:
>
> INVALID URI REMOVED
> 3A2080_&d=DwICAg&c=jf_iaSHvJObTbx-
> siA1ZOg&r=XX3LPhXj6Fv4hkzdpbonTd1gcy88ea-
> vqLQGEWWoD4M&m=vRDZALnTjxsV5WTUVCuIvHk58HlYnga5rs4SoXB84-
> o&s=9SsmkIrwPmON_SBVNl7MRk79qiXNCdyGMaDIJHfyb8o&e=
>
> it works as designed. I was just using 192.168.128.118:2080 before.
>
> Many thanks.
>
> DJ
>
> ---
> BEST REGARDS
>
> DAVE JONES IBM CHAMPION [1]
> Managing Director for zSystems Support, zLinux, and Cloud
> ++1 281.578.7544 (Cell)
> Web: www.itconline.com [1] [2]
> 18502 Purdy Ct. Houston, TX 77084 USA
>
> On 04.07.2022 7:14 AM, Rob van der Heij wrote:
>
> On Thu, 7 Apr 2022 at 16:02, Dave Jones <[email protected]> wrote:
>
> FPLTCQ1015E ERRNO 10410: 10410
> FPLMSG004I ... Issued from stage 3 of pipeline 3 name
"WEENYWEB.REXX:7"
>> FPLMSG001I ... Running "tcpdata TLSLABEL SMBSSI"
>>
>> Turns out that the SSL error number 410 means "SSL message format is
>> incorrect.".
>>
>> How can I troubleshoot this so I can get weenyweb to work? Any ideas
>> on what's wrong here?
>
> No idea :-) I suspect the browser isn't trying an SSL connection. I
> trust you made it listen to port 443 before you got here... Since the
> magic is all happening outside your virtual machine, you'd have to
> enable the trace in the SSL server. There's nothing in CMS Pipelines to see.
>
> An easier trick that might help is to remove the TLSLABEL option and
> capture the data coming out of TCPDATA. I've done that before to find
> that the browser was stubborn and "fixed" URL that I provided. It's
> possible that the browser doesn't like the certificate or ciphers that
> you offer, and decides to try something else. The 'developer options'
> in the browser may also show some info. Alternatively, set up a TCP/IP
> proxy with CMS Pipelines and prepare to get complaints about the
> person-in-the-middle attack.
>
> Sir Rob the Plumber
Links:
------
[1]
INVALID URI REMOVED
3A__www.credly.com_badges_7c92e732-2D8ab1-2D4470-2D98c6-
2D251c33506d69_public-5Furl&d=DwICAg&c=jf_iaSHvJObTbx-
siA1ZOg&r=XX3LPhXj6Fv4hkzdpbonTd1gcy88ea-
vqLQGEWWoD4M&m=vRDZALnTjxsV5WTUVCuIvHk58HlYnga5rs4SoXB84-
o&s=AHVtnzdUm_SG3DbENPViRUFqSc6dk6W-gL-0X4pVNKY&e=
[2] INVALID URI REMOVED
3A__www.itconline.com_&d=DwICAg&c=jf_iaSHvJObTbx-
siA1ZOg&r=XX3LPhXj6Fv4hkzdpbonTd1gcy88ea-
vqLQGEWWoD4M&m=vRDZALnTjxsV5WTUVCuIvHk58HlYnga5rs4SoXB84-
o&s=lwrK4ZBjxJUNqq2FXE4usLK8LDHPzyKwpz7UoiEbAi4&e=
Links:
------
[1] http://www.itconline.com
[2]
https://www.credly.com/badges/7c92e732-8ab1-4470-98c6-251c33506d69/public_url
[3] http://www.itconline.com/
