On Thursday, 09/01/2016 at 12:00 GMT, Marcy Cortes <[email protected]> wrote: > So this is application to application SSL - no end users involved so that simplifies things > somewhat at least as far as sw levels and algorithms involved. > The error one client application is getting is (Yes, this client is CICS) > > DFHSO0123 02/24/2016 10:46:21 CICSP6JA Return code 411 received from function > 'gsk_secure_socket_init' of System SSL. > 411 > Message authentication code is incorrect. > Explanation: > The message authentication code (MAC) for a message is not correct. This indicates the message was > modified during transmission.
The really bizarre part is that gsk_secure_socket_init() is the initial handshake. No app data is moving at this point. It would imply that the two ends have agreed on a cipher suite, including MAC generation, but if there is no corruptions, the two sides are doing MAC calculations differently. I think you're going to have to get (external) sniffer traces on traffic between CICS and IHS. The bad handshake is going to have to be fed to a decode program that can use the server private key to decode the handshake and see if Linux is generating a bad MAC. (I don't know of such tools, but would be surprised if they don't exist.) If it's correct, then System SSL on z/OS is messed up. One would think that the same cipher suite between the same two hosts would give consistent failures, but perhaps that Linux error is causing a bad MAC. Alan Altmark Senior Managing z/VM and Linux Consultant Lab Services System z Delivery Practice IBM Systems & Technology Group ibm.com/systems/services/labservices office: 607.429.3323 mobile; 607.321.7556 [email protected] IBM Endicott ---------------------------------------------------------------------- For LINUX-390 subscribe / signoff / archive access instructions, send email to [email protected] with the message: INFO LINUX-390 or visit http://www.marist.edu/htbin/wlvindex?LINUX-390 ---------------------------------------------------------------------- For more information on Linux on System z, visit http://wiki.linuxvm.org/
