Thanks Keith, and the only error message was this:

>> M 4100000 aaaa     20320 14:22:03.02 STC09624 00000090  EZZ6034I TN3270
>> CONN 0000025C LU **N/A**  CONN DROP  ERR 100B 864
>> E                                         864 00000090    IP..PORT:
>> ::FFFF:xx.xx.xx.xx..53084                     EZBTTRCV

And I am working on changing the TTLSConnectionAction to CtraceClearText(ON) 
and Trace(254).  

Jerry 

-----Original Message-----
From: IBM Mainframe Discussion List <IBM-MAIN@LISTSERV.UA.EDU> On Behalf Of 
Keith Gooding
Sent: Monday, November 16, 2020 9:39 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Need some help with SSL error


Did you get any messages from AT-TLS (prefix EZY)? Trace level 7 should 
cause error messages to appear on the job log in addition to the unix syslog. 
Maybe the rule is not being triggered. If you are able to increase the trace 
level to 31 you should be able to see what System SSL options were set by 
AT-TLS (if the rule was triggered). The debug messages are sent to syslogd.

Keith Gooding 

> On 16 Nov 2020, at 14:24, Joe Monk <joemon...@gmail.com> wrote:
> 
> Error 100B:
> 
> 100B Unexpected SSL handshake encountered. An SSL handshake header was 
> encountered on a basic port or the client immediately entered an SSL 
> handshake for a CONNTYPE option value other than SECURE or ANY. Verify 
> that the client and port settings are compatible.
> A quick google found this:
> 
> https://www.ibm.com/support/pages/zos-communications-server-tls-needed-implement-tls-v12
> 
> Joe
> 
> 
> 
> 
>> On Mon, Nov 16, 2020 at 6:27 AM Edgington, Jerry < 
>> jerry.edging...@westernsouthernlife.com> wrote:
>> 
>> I need some help, please.  We have an automated system, using TN3270 
>> screen scraping.  Over the weekend, we IPL'ed, first time in April, 
>> 2020 and now, when this "automated" system/client tries to connect 
>> over TN3270, we are getting this error message:
>> 
>> M 4100000 aaaa     20320 14:22:03.02 STC09624 00000090  EZZ6034I TN3270
>> CONN 0000025C LU **N/A**  CONN DROP  ERR 100B 864
>> E                                         864 00000090    IP..PORT:
>> ::FFFF:xx.xx.xx.xx..53084                     EZBTTRCV
>> 
>> The AT/TLS policy has changed since August, 2020.  And we only have TLS
>> v1.2 turned on for only specific inbound IP addresses.  We are running
>> z/OS v2.1, at this point.
>> 
>> Any suggestions, help or ideas, would be great.
>> 
>> Thanks,
>> Jerry Edgington
>> 
>> Here is the AT/TLS policy. I have masked the names for security reasons.
>> ##-------------------------------------------------------------------
>> ## Rules for yyy servers using xxxxxx IP over port 923
>> ##-------------------------------------------------------------------
>> TTLSRule                          yyy-xxxxxx-SSL
>> {
>>  LocalAddrGroupRef                     xxxxx-Ip-Addr
>>  RemoteAddrGroupRef               yyy-Server-IpAddr
>>  LocalPortRange                             923
>>  RemotePortRangeRef                 Port-Remote
>>  Direction                                         Inbound
>>  Priority                                            500
>>  TTLSGroupActionRef                   gAct1
>>  TTLSEnvironmentActionRef        eAct1
>>  TTLSConnectionActionRef         cAct-xxxxx
>> }
>> 
>> TTLSConnectionAction              cAct-xxxxx
>> {
>>  HandshakeRole                             Server
>>  TTLSCipherParmsRef                   cipher1~Default_Ciphers
>>  TTLSConnectionAdvancedParmsRef  cAdv-xxxxxx
>>  CtraceClearText                             Off
>>  Trace                                                7
>> }
>> 
>> TTLSConnectionAdvancedParms       cAdv-xxxx
>> {
>>  HandshakeTimeout                     30
>>  CertificateLabel                             ATTLS
>>  SecondaryMap                              Off
>>  TLSv1.2                                            On
>>  ApplicationControlled                  On
>> }
>> 
>> TTLSEnvironmentAction             eAct1
>> {
>>  HandshakeRole                             Server
>>  EnvironmentUserInstance         0
>>  TTLSKeyringParmsRef                 keyR~ZOS112
>> }
>> 
>> 
>> ##-------------------------------------------------------------------
>> ## IP Address for yyy Servers
>> ##-------------------------------------------------------------------
>> IpAddrGroup       yyy-Server-IpAddr                      {
>>  IpAddr
>>  {
>>     Addr xx.xx.xx.xx
>>  }
>> }
>> 
>> ##-------------------------------------------------------------------
>> ## Ports Remote
>> ##-------------------------------------------------------------------
>> PortRange                         Port-Remote
>> {
>>  Port                            1024-65535
>> }
>> 
>> ----------------------------------------------------------------------
>> For IBM-MAIN subscribe / signoff / archive access instructions,
>> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
>> 
> 
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
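
The question raised in the thread of whether the rule is being triggered can be partly checked offline. This is an added example, not code from the thread or from IBM: it parses an EZZ6034I drop message and tests the peer against the rule's RemoteAddrGroupRef and RemotePortRangeRef. The address 192.0.2.10, the trimmed policy text and the function names are constructed for illustration; comparing an IPv4-mapped peer as plain IPv4 is an assumption, and the local port is not in the message so it is not checked.

```python
import ipaddress
import re

# Constructed inputs: the thread masks its addresses, so 192.0.2.10 is a placeholder.
CONSOLE = ("EZZ6034I TN3270 CONN 0000025C LU **N/A**  CONN DROP  ERR 100B\n"
           "IP..PORT: ::FFFF:192.0.2.10..53084")
POLICY = """
TTLSRule yyy-xxxxxx-SSL
{
  RemoteAddrGroupRef  yyy-Server-IpAddr
  LocalPortRange      923
  RemotePortRangeRef  Port-Remote
  Direction           Inbound
}
IpAddrGroup yyy-Server-IpAddr { IpAddr { Addr 192.0.2.10 } }
PortRange Port-Remote { Port 1024-65535 }
"""

def parse_drop(msg):
    """Extract error code, peer address and peer port from an EZZ6034I message."""
    err = re.search(r"CONN DROP\s+ERR\s+([0-9A-F]{4})", msg).group(1)
    addr, port = re.search(r"IP\.\.PORT:\s*(\S+?)\.\.(\d+)", msg).groups()
    ip = ipaddress.ip_address(addr)
    # Assumption: an IPv4-mapped peer (::FFFF:a.b.c.d) is compared as plain IPv4.
    if ip.version == 6 and ip.ipv4_mapped:
        ip = ip.ipv4_mapped
    return err, ip, int(port)

def remote_conditions(policy, rule):
    """Resolve the rule's RemoteAddrGroupRef and RemotePortRangeRef to values."""
    body = re.search(r"TTLSRule\s+%s\s*\{(.*?)\}" % re.escape(rule), policy, re.S)
    refs = dict(re.findall(r"(\w+)\s+(\S+)", body.group(1)))
    grp = re.search(r"IpAddrGroup\s+%s\s*\{(.*?)\}\s*\}"
                    % re.escape(refs["RemoteAddrGroupRef"]), policy, re.S)
    addrs = [ipaddress.ip_address(a)
             for a in re.findall(r"\bAddr\s+(\S+)", grp.group(1))]
    lo, hi = re.search(r"PortRange\s+%s\s*\{\s*Port\s+(\d+)(?:-(\d+))?"
                       % re.escape(refs["RemotePortRangeRef"]), policy).groups()
    return addrs, int(lo), int(hi or lo)

def check_peer(console, policy, rule):
    """Report whether the dropped peer satisfies the rule's remote conditions."""
    err, ip, port = parse_drop(console)
    addrs, lo, hi = remote_conditions(policy, rule)
    return {"err": err, "peer": str(ip),
            "addr_ok": ip in addrs, "port_ok": lo <= port <= hi}

if __name__ == "__main__":
    print(check_peer(CONSOLE, POLICY, "yyy-xxxxxx-SSL"))
```

If both checks pass, the remote conditions are not what keeps the rule from matching, and the remaining conditions (local address group, local port 923, direction) are the ones to review.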
