Wow, @Phil, thanks for the kind words.

I am a BIG fan of GSKSSL (z/OS Cryptographic Services System SSL), having also 
used the "competition" -- OpenSSL. GSKSSL's general approach to errors and 
settings is far superior IMHO to OpenSSL's. Far less prone to inadvertent 
stupidities that create security vulnerabilities.

That said, one of the big flaws of GSKSSL is that to do any serious problem 
determination you have to run a GSK trace, which is a little bit of a PITA of 
its own, particularly if the GSKSSL calls are buried in some other product. 
When you ran a System SSL trace on Phil's problem it turns out the first error 
-- the error returned by ICSF callable services -- was BFE (3070): "A 
cryptographic operation that requires FIPS 140-2 compliance is being requested. 
The desired algorithm, mode, or key size is not approved for FIPS 140-2." 

Bingo! Easy problem, once you know what the problem is. I wish there were an 
easier way.

Charles

On Sun, 28 Apr 2024 21:11:20 -0400, Phil Smith III <phs...@gmail.com> wrote:

>Interesting, thanks. In this case, a gsktrace showed that it was failing GCM 
>AES in the handshake. A reminder by Charles Mills led me to look at the top of 
>the trace, and they had FIPS enabled. GCM and FIPS don't get along.
>
>So while the answers were correct, they actually wouldn't have led me to the 
>solution; Charles, however, did!
>
>What we really need is BPXMILLS, I guess...
>
>-----Original Message-----
>From: IBM Mainframe Discussion List <IBM-MAIN@LISTSERV.UA.EDU> On Behalf Of 
>Ramsey Hallman
>Sent: Sunday, April 28, 2024 5:52 PM
>To: IBM-MAIN@LISTSERV.UA.EDU
>Subject: Re: Hex error code interpreter?
>
>Colin, MVS/Quickref definitely has the IBM z/OS Cryptographic Services System 
>SSL messages. If you have access to Quickref, simply leave the "0x"
>off of the message (as the codes are presented within the IBM
>documentation) and search for an item of 03353084:
>
> ----------------------------------------- V=IBM P=Z/OS CRYPTO SSL MSGS
>R=V3R1 I=03353084
> ********************* Text Below Copyright (c) 2024, IBM
>*********************
>03353084 ICSF callable service returned an error.
>
>
>
>Explanation
>
>Ensure that ICSF is operating correctly and if access to the ICSF callable
>
>services are protected with CSFSERV class profiles that the user ID of the
>
>application has READ access to the profiles protecting the ICSF callable
>
>services. See Table 5 on page 15or Table 6 on page 16 for information about
>
>the required resource profile access. If the problem persists, collect a
>
>System SSL trace and contact your service representative.
>
>
>
>User response
>
>Ensure that ICSF is operating correctly and that the user ID of the
>
>application has appropriate access to the CSFSERV class RACF resource
>
>profiles. See Table 5 on page 15 or Table 6 on page 16 for information about 
>required resource profile access. Collect a System SSL trace and verify the
>
>ICSF return code and reason code relating to the error. See z/OS Cryptographic 
>Services ICSF Application Programmer's Guide for more information about ICSF 
>return and reason codes. If the problem persists contact your service
>
>representative.
>
>
>Ramsey Hallman
>MVS/Quickref Support Group
>
>On Sat, Apr 27, 2024 at 7:09 AM Colin Paice < 
>0000059d4daca697-dmarc-requ...@listserv.ua.edu> wrote:
>
>> See gsk_strerror()
>> <https://www.ibm.com/docs/en/zos/2.4.0?topic=reference-gsk-strerror>
>>
>> On Fri, 26 Apr 2024 at 23:16, Phil Smith III <li...@akphs.com> wrote:
>>
>> > Did I dream it, or is there some utility that can take an error such as
>> > gsk_encrypt_tls13_record(): AES GCM Encryption failed: Error 0x03353084
>> > and interpret the 0x03353084? I swear I remember seeing this but can't
>> > find it now. Getting old sucks*.
>> >
>> > *But consider the alternatives.
>> >
>
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
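The "hex error code interpreter" Phil asked for, as an added example that is not code from IBM, MVS/Quickref or anyone on the list. On z/OS the real answer is gsk_strerror(); this is an offline lookup built from the only two codes the thread quotes (System SSL 03353084 and ICSF reason BFE/3070), so the tables are constructed and deliberately tiny. The one thing it gets right that a naive search does not is normalization: the System SSL messages book and Quickref want the code without "0x", zero-padded to eight hex digits, while the ICSF Application Programmer's Guide lists reason codes in decimal and a gsktrace shows them in hex. The sample message line is constructed in the shape of the one Phil posted.

```python
"""Tiny "hex error code interpreter" for the codes quoted in this thread.

Added example, not code from IBM, Quickref or anyone on the list. On z/OS the
real thing is gsk_strerror(); this is the offline lookup you might keep next
to a gsktrace when that API is not handy.
"""
import re

# Constructed table holding only the System SSL return code quoted in the
# thread. The key is the 8-digit hex form the System SSL messages book uses:
# no "0x" prefix, zero-padded, upper case (which is also what Quickref wants).
SYSTEM_SSL_CODES = {
    "03353084": "ICSF callable service returned an error.",
}

# Constructed table holding only the ICSF reason code from the thread. The
# ICSF Application Programmer's Guide lists reason codes in decimal (3070);
# the gsktrace showed it in hex (BFE), so both spellings must map here.
ICSF_REASON_CODES = {
    3070: ("A cryptographic operation that requires FIPS 140-2 compliance "
           "is being requested. The desired algorithm, mode, or key size "
           "is not approved for FIPS 140-2."),
}

# Matches an "Error 0x03353084"-style token. Exactly 8 hex digits are required
# so ordinary words ("bad", "cafe") are not mistaken for codes; "0x" is
# optional so the bare documentation form matches too.
_HEX_CODE = re.compile(r"\b(?:0x)?([0-9A-Fa-f]{8})\b")


def normalize_gsk_code(code):
    """Return the documentation form of a System SSL code.

    Accepts an int (0x03353084) or a string with or without "0x" and with or
    without leading zeros; returns "03353084".
    """
    if isinstance(code, int):
        value = code
    else:
        text = code.strip().lower()
        if text.startswith("0x"):
            text = text[2:]
        value = int(text, 16)
    return f"{value:08X}"


def explain_gsk_code(code):
    """(normalized key, message text or None if not in the local table)."""
    key = normalize_gsk_code(code)
    return key, SYSTEM_SSL_CODES.get(key)


def explain_icsf_reason(reason):
    """(decimal reason code, text or None).

    "0xBFE" / "BFE" are read as hex, as a trace prints them; a digits-only
    string such as "3070" is read as decimal, as the ICSF book prints it.
    Pass an int if you already know the base.
    """
    if isinstance(reason, str):
        text = reason.strip().lower()
        if text.startswith("0x"):
            value = int(text[2:], 16)
        elif text.isdigit():
            value = int(text, 10)
        else:
            value = int(text, 16)
    else:
        value = int(reason)
    return value, ICSF_REASON_CODES.get(value)


def interpret_line(line):
    """Decode every 8-hex-digit code found in one log or trace message line."""
    results = []
    for match in _HEX_CODE.findall(line):
        key, text = explain_gsk_code(match)
        results.append(
            (key, text or "not in local table: try gsk_strerror() or Quickref"))
    return results


# Constructed sample, shaped like the message Phil quoted.
SAMPLE_LINE = ("gsk_encrypt_tls13_record(): AES GCM Encryption failed: "
               "Error 0x03353084")

if __name__ == "__main__":
    for key, text in interpret_line(SAMPLE_LINE):
        print(f"{key}: {text}")
    value, text = explain_icsf_reason("BFE")
    print(f"ICSF reason {value} (0x{value:X}): {text}")
```

The table is the part you would grow: every code you have had to look up once goes in with the exact wording from the messages book, and the normalizer stops you from searching Quickref with the "0x" that Ramsey warned about. It does not replace reading the top of the trace; as Charles says, the first error (the ICSF one) is what explains the later GCM failure.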
