This topic lists error messages that can result from
SSL handshake failures and provides solutions to help you troubleshoot
these problems.
The following messages display due to handshake failures:
Message: SSL0192W: IBM HTTP Server is
configured to permit client renegotiation which is vulnerable to
man-in-the-middle attacks <servername:port>
- Reason: IBM HTTP Server is configured to allow client handshake
renegotiation using the SSLRenegotiation directive. This configuration
is vulnerable to man-in-the-middle attacks. Use this configuration
only if it is necessary for your client and be aware of the risk.
For more information about the exposure, refer to the public documentation
about CVE-2009-3555.
- Solution: Remove the SSLRenegotiation directive or set the directive
to OFF to avoid the vulnerability. If proprietary clients require
SSL renegotiation to function, update these clients to establish new
connections.
Message: SSL0193W: Error setting GSK_NO_RENEGOTIATION
to <GSK_TRUE | GSK_FALSE> <errorcode>
- Reason: An error occurred when the server attempted to disable
client renegotiation. This setting is the default value. However,
this value is also set if you specify the SSLRenegotiation directive
with an OFF value.
- Solution: Report this problem to IBM Support.
Message: SSL0196I: Security library does
not support GSK_SESSION_RESET_CALLBACK, rejecting insecure SSL client
renegotiation by monitoring SIDs
- Reason: When the server attempted to disable client renegotiation,
it was determined that the security library on this system does not
support GSK_SESSION_RESET_CALLBACK. It will be configured to reject
insecure SSL client renegotiation using an alternate mechanism of
monitoring SIDs.
- Solution: This informational message does not indicate a failure,
but it reports a configuration condition. An action is not necessary.
You can upgrade to a newer z/OS security library that includes support
for GSK_SESSION_RESET_CALLBACK or for disabling SSL client renegotiation.
Message: SSL0197I: Configured security
library to reject insecure SSL client renegotiation.
- Reason: The security library has been successfully configured
to reject client renegotiation.
- Solution: This informational message does not indicate a failure,
but it reports a particular configuration setting. An action is not
necessary.
Message: SSL0198I: System is running
without a security library capable of directly rejecting insecure
SSL client renegotiation. Aborting HTTPS requests that span SSL sessions
- Reason: While the server attempted to disable client renegotiation,
it was determined that the security library on this system does not
support directly rejecting SSL client renegotiation. It will be configured
to use an alternate callback mechanism.
- Solution: This informational message does not indicate a failure,
but it reports a configuration condition. An action is not necessary.
For z/OS systems, upgrade to a newer security library that includes
support for GSK_SESSION_RESET_CALLBACK or for disabling SSL client
renegotiation. For distributed systems, upgrade to GSKit Version 7.0.4.27
or later.
- Message: SSL0200E: Handshake Failed, <code>.
- Reason: The handshake failed when the SSL library returned an
unknown error.
- Solution: Report this problem to IBM Support.
- Message: SSL0201E: Handshake Failed, Internal error - Bad handle.
- Reason: An internal error has occurred.
- Solution: Report this problem to IBM Support.
- Message: SSL0202E: Handshake Failed, The GSK library unloaded.
- Reason: A call to the GSKit function failed because the dynamic
link library unloaded (Windows® operating
systems only).
- Solution: Shut down the server and restart.
- Message: SSL0203E: Handshake Failed, GSK internal error.
- Reason: The communication between client and the server failed
due to an error in the GSKit library.
- Solution: Retry connection from the client. If the error continues,
report the problem to IBM Support.
- Message: SSL0204E: Handshake Failed, Internal memory allocation
failure.
- Reason: The server could not allocate memory needed to complete
the operation.
- Solution: Take action to free up some additional memory. Try reducing
the number of threads or processes running, or increasing virtual
memory.
- Message: SSL0205E: Handshake Failed, GSK handle is in an invalid
state for operation.
- Reason: The SSL state for the connection is invalid.
- Solution: Retry connection from the client. If the error continues,
report the problem to IBM Support.
- Message: SSL0206E: Handshake Failed, Key-file label not found
- Reason: The label specified for the SSLServerCert directive was
not found in the key database (KDB) file specified for the KeyFile
directive.
- Solution: Specify a value for the SSLServerCert directive that
corresponds to a personal certificate available in the KDB file specified
for the KeyFile directive.
- Message: SSL0207E: Handshake Failed, Certificate is not available.
- Reason: The client did not send a certificate.
- Solution: Set client authentication to optional if a client certificate
is not required. Contact the client to determine why it is not sending
an acceptable certificate.
- Message: SSL0208E: Handshake Failed, Certificate validation
error.
- Reason: The received certificate failed one of the validation
checks.
- Solution: Use another certificate. Contact IBM Support to determine
why the certificate failed validation.
- Message: SSL0209E: Handshake Failed, ERROR processing cryptography.
- Reason: A cryptography error occurred.
- Solution: None. If the problem continues, report it to IBM Support.
- Message: SSL0210E: Handshake Failed, ERROR validating ASN fields
in certificate.
- Reason: The server was not able to validate one of the ASN fields
in the certificate.
- Solution: Try another certificate.
- Message: SSL0211E: Handshake Failed, ERROR connecting to LDAP
server.
- Reason: The Web server failed to connect to the CRL LDAP server.
- Solution: Verify that the values entered for the SSLCRLHostname
and SSLCRLPort directives are correct. If access to the CRL LDAP server
requires authentication, verify that the SSLCRLUserID directive is coded
and that the password was added to the stash file pointed to by the
SSLStashfile directive.
- Message: SSL0212E: Handshake Failed, Internal unknown error.
- Reason: An unknown error has occurred in the SSL library.
- Solution: Report the problem to IBM Support.
- Message: SSL0213E: Handshake Failed, Open failed due to cipher
error.
- Reason: An unknown error has occurred in the SSL library.
- Solution: Report the problem to IBM Support.
- Message: SSL0214E: Handshake Failed, I/O error reading key
file.
- Reason: The server could not read the key database file.
- Solution: Check file access permissions and verify the Web server
user ID is allowed access.
- Message: SSL0215E: Handshake Failed, Key file has an invalid
internal format. Recreate key file.
- Reason: Key file has an invalid format.
- Solution: Recreate key file.
- Message: SSL0216E: Handshake Failed, Key file has two entries
with the same key. Use IKEYMAN to remove the duplicate key.
- Reason: Two identical keys exist in key file.
- Solution: Use IKEYMAN to remove duplicate key.
- Message: SSL0217E: Handshake Failed, Key file has two entries
with the same label. Use IKEYMAN to remove the duplicate label.
- Reason: A second certificate with the same label was placed in
the key database file.
- Solution: Use IKEYMAN to remove duplicate label.
- Message: SSL0218E: Handshake failed, Either the key file has
become corrupted or the password is incorrect.
- Reason: The key file password is used as an integrity check and
the test failed. Either the key database file is corrupted, or the
password is incorrect.
- Solution: Use IKEYMAN to stash the key database file password
again. If that fails, recreate the key database.
- Message: SSL0219E: SSL Handshake Failed, Either the default
key in the keyfile has an expired certificate or the keyfile password
expired. Use iKeyman to renew or remove certificates that are expired
or to set a new keyfile password.
- Reason: Either the default key in the keyfile has an expired certificate
or the keyfile password expired.
- Solution: Use iKeyman to renew or remove certificates that are
expired or to set a new keyfile password.
- Message: SSL0220E: Handshake Failed, There was an error loading
one of the GSK dynamic link libraries. Be sure GSK was installed correctly.
- Reason: Opening the SSL environment resulted in an error because
one of the GSK dynamic link libraries could not load.
- Solution: Contact Support to make sure the GSKit is installed
correctly.
- Message: SSL0221E: Handshake Failed, Either the certificate
has expired or the system clock is incorrect.
- Reason: Either the certificate expired or the system clock is
incorrect.
- Solution: Use the key management utility (iKeyman) to recreate
or renew your server certificate or change the system date to a valid
date.
- Message: SSL0222W: Handshake failed, no ciphers specified.
- Reason: SSLV2 and SSLV3 are disabled.
- Solution: None. Report this problem to IBM Support.
- Message: SSL0223E: Handshake Failed, No certificate.
- Message: SSL0224E: Handshake failed, Invalid or improperly
formatted certificate.
- Reason: The client did not specify a valid certificate.
- Solution: Client problem.
- Message: SSL0225E: Handshake Failed, Unsupported certificate
type.
- Reason: The certificate type received from the client is not supported
by this version of IBM® HTTP Server SSL.
- Solution: The client must use a different certificate type.
- Message: SSL0226I: Handshake Failed, I/O error during handshake.
- Reason: The communication between the client and the server failed.
This is a common error when the client closes the connection before
the handshake has completed.
- Solution: Retry the connection from the client.
- Message: SSL0227E: Handshake Failed, Specified label could
not be found in the key file.
- Reason: Specified key label is not present in key file.
- Solution: Check that the SSLServerCert directive is correct, if
coded, and that the label is valid for one of the keys in the key
database.
- Message: SSL0228E: Handshake Failed, Invalid password for key
file.
- Reason: The password retrieved from the stash file could not open
the key database file.
- Solution: Use IKEYMAN to open the key database file and recreate
the password stash file. This problem can also result from a corrupted
key database file. Creating a new key database file may resolve the
problem.
- Message: SSL0229E: Handshake Failed, Invalid key length for
export.
- Reason: In a restricted cryptography environment, the key size
is too long to be supported.
- Solution: Select a certificate with a shorter key.
- Message: SSL0230I: Handshake Failed, An incorrectly formatted
SSL message was received.
- Message: SSL0231W: Handshake Failed, Could not verify MAC.
- Reason: The communication between the client and the server failed.
- Solution: Retry the connection from the client.
- Message: SSL0232W: Handshake Failed, Unsupported SSL protocol
or unsupported certificate type.
- Reason: The communication between the client and the server failed
because the client is trying to use a protocol or certificate which
the IBM HTTP Server does not support.
- Solution: Retry the connection from the client using an SSL Version
2 or 3, or TLS 1 protocol. Try another certificate.
- Message: SSL0233W: Handshake Failed, Invalid certificate signature.
- Message: SSL0234W: Handshake Failed, The certificate sent by
the peer expired or is invalid.
- Reason: The partner did not specify a valid certificate. The
server is acting as a reverse proxy to an SSL URL and the _server_
cert could not be validated.
- Solution: Partner problem. If this occurs during an SSL Proxy
connection, the remote SSL server sent a bad certificate to IBM HTTP
Server. Check the certificate and certificate authority chain at the
other end of the SSL connection. For more information, see Securing with SSL communications.
- Message: SSL0235W: Handshake Failed, Invalid peer.
- Message: SSL0236W: Handshake Failed, Permission denied.
- Message: SSL0237W: Handshake Failed, The self-signed certificate
is not valid.
- Message: SSL0238E: Handshake Failed, Internal error - read
failed.
- Reason: The read failed.
- Solution: None. Report this error to IBM Support.
- Message: SSL0239E: Handshake Failed, Internal error - write
failed.
- Reason: The write failed.
- Solution: None. Report this error to IBM Support.
- Message: SSL0240I: Handshake Failed, Socket has been closed.
- Reason: The client closed the socket before the protocol completed.
- Solution: Retry connection between client and server.
- Message: SSL0241E: Handshake Failed, Invalid SSLV2 Cipher Spec.
- Reason: The SSL Version 2 cipher specifications passed into the
handshake were invalid.
- Solution: Change the specified Version 2 cipher specs.
- Message: SSL0242E: Handshake Failed, Invalid SSLV3 Cipher Spec.
- Reason: The SSL Version 3 cipher specifications passed into the
handshake were invalid.
- Solution: Change the specified Version 3 cipher specs.
- Message: SSL0243E: Handshake Failed, Invalid security type.
- Reason: There was an internal error in the SSL library.
- Solution: Retry the connection from the client. If the error continues,
report the problem to IBM Support.
- Message: SSL0245E: Handshake Failed, Internal error - SSL Handle
creation failure.
- Reason: There was an internal error in the security libraries.
- Solution: None. Report this problem to IBM Support.
- Message: SSL0246E: Handshake Failed, Internal error - GSK initialization
has failed.
- Reason: An error in the security library has caused SSL initialization
to fail.
- Solution: None. Report this problem to IBM Support.
- Message: SSL0247E: Handshake Failed, LDAP server not available.
- Reason: Unable to access the specified LDAP directory when validating
a certificate.
- Solution: Check that the SSLCRLHostname and SSLCRLPort directives
are correct. Make sure the LDAP server is available.
- Message: SSL0248E: Handshake Failed, The specified key did
not contain a private key.
- Reason: The key does not contain a private key.
- Solution: Create a new key. If this was an imported key, include
the private key when doing the export.
- Message: SSL0249E: Handshake Failed, A failed attempt was made
to load the specified PKCS#11 shared library.
- Reason: An error occurred while loading the PKCS#11 shared library.
- Solution: Verify that the PKCS#11 shared library specified in
the SSLPKCSDriver directive is valid.
- Message: SSL0250E: Handshake Failed, The PKCS#11 driver failed
to find the token label specified by the caller.
- Reason: The specified token was not found on the PKCS#11 device.
- Solution: Check that the token label specified on the SSLServerCert
directive is valid for your device.
- Message: SSL0251E: Handshake Failed, A PKCS#11 token is not
present for the slot.
- Reason: The PKCS#11 device has not been initialized correctly.
- Solution: Specify a valid slot for the PKCS#11 token or initialize
the device.
- Message: SSL0252E: Handshake Failed, The password/pin to access
the PKCS#11 token is either not present, or invalid.
- Reason: Specified user password and pin for PKCS#11 token is not
present or invalid.
- Solution: Check that the correct password was stashed using the
SSLStash utility and that the SSLStashfile directive is correct.
- Message: SSL0253E: Handshake Failed, The SSL header received
was not a properly SSLV2 formatted header.
- Reason: The data received during the handshake does not conform
to the SSLV2 protocol.
- Solution: Retry connection between client and server. Verify that
the client is using HTTPS.
- Message: SSL0254E: Internal error - I/O failed, buffer size
invalid.
- Reason: The buffer size in the call to the I/O function is zero
or negative.
- Solution: None. Report this problem to IBM Support.
- Message: SSL0255E: Handshake Failed, Operation would block.
- Reason: The I/O failed because the socket is in non-blocking mode.
- Solution: None. Report this problem to IBM Support.
- Message: SSL0256E: Internal error - SSLV3 is required for reset_cipher,
and the connection uses SSLV2.
- Reason: A reset_cipher function was attempted on an SSLV2 connection.
- Solution: None. Report this problem to IBM Support.
- Message: SSL0257E: Internal error - An invalid ID was specified
for the gsk_secure_soc_misc function call.
- Reason: An invalid value was passed to the gsk_secure_soc_misc
function.
- Solution: None. Report this problem to IBM Support.
- Message: SSL0258E: Handshake Failed, The function call, <function>,
has an invalid ID.
- Reason: An invalid function ID was passed to the specified function.
- Solution: None. Report this problem to IBM Support.
- Message: SSL0259E: Handshake Failed, Internal error - The attribute
has a negative length in: <function>.
- Reason: The length value passed to the function is negative, which
is invalid.
- Solution: None. Report this problem to IBM Support.
- Message: SSL0260E: Handshake Failed, The enumeration value
is invalid for the specified enumeration type in: <function>.
- Reason: The function call contains an invalid function ID.
- Solution: None. Report this problem to IBM Support.
- Message: SSL0261E: Handshake Failed, The SID cache is invalid: <function>.
- Reason: The function call contains an invalid parameter list for
replacing the SID cache routines.
- Solution: None. Report this problem to IBM Support.
- Message: SSL0262E: Handshake Failed, The attribute has an invalid
numeric value: <function>.
- Reason: The function call contains an invalid value for the attribute
being set.
- Solution: None. Report this problem to IBM Support.
- Message: SSL0263W: SSL Connection attempted when SSL did not
initialize.
- Reason: A connection was received on an SSL-enabled virtual host
but it could not be completed because there was an error during SSL
initialization.
- Solution: Check for an error message during startup and correct
that problem.
- Message: SSL0264E: Failure obtaining Cert data for label <certificate>.
- Reason: A GSKit error prevented the server certificate information
from being retrieved.
- Solution: Check for a previous error message with additional information.
- Message: SSL0265W: Client did not supply a certificate.
- Reason: A client who connected failed to send a client certificate
and the server is configured to require a certificate.
- Solution: Nothing on the server side.
- Message: SSL0266E: Handshake failed.
- Reason: Could not establish SSL proxy connection.
- Solution: IBM HTTP Server could not establish a proxy connection
to a remote server using SSL.
- Message: SSL0267E: SSL Handshake failed.
- Reason: Timeout on network operation during handshake.
- Solution: Check client connectivity, adjust TimeOuts.
- Message: SSL0270I: SSL Handshake Failed, Timeout (dd seconds)
occurred before any data received.
- Reason: A connection was received on an SSL port, but no data
was received from the client before the timeout expired.
- Solution: If the timeout (set by the Timeout directive) has been
reduced from the default value, verify that it is reasonable. If
the message occurs intermittently, it is probably normal, due to things
like users cancelling page loads and browser or system crashes. If
the message occurs in bursts, it might indicate a denial of service
attack in progress.
- Message: SSL0271I: SSL Handshake Failed, client closed connection
without sending any data.
- Reason: A connection was received on an SSL port, but the client
closed the connection without beginning the handshake.
- Solution: If the timeout (set by the Timeout directive) has been
reduced from the default value, verify that it is reasonable. If
the message occurs intermittently, it is probably normal, due to things
like users cancelling page loads and browser or system crashes. If
the message occurs in bursts, it might indicate a denial of service
attack in progress.
- Message: SSL0272I: SSL Handshake Failed, I/O error before any
data received.
- Reason: A connection was received on an SSL port, but a network
error broke the connection before any data was received from the client.
- Solution: If the message occurs intermittently, it is probably
normal, due to things like users cancelling page loads and browser
or system crashes. If the message occurs in bursts, it might indicate
a denial of service attack in progress.
- Message: SSL0273I: Non-SSL request received on connection configured
for SSL
- Reason: A connection was received on an SSL port, but the data
received was not SSL, and looked like a normal non-SSL request.
- Solution: Verify that the port in question is intended to be configured
for SSL. Look for bad links to the page in question that should use https:,
but instead use http:.
Message: SSL0276E: SSL: Unexpected SSL
client renegotiation detected, aborting SSL connection.
- Reason: SSL client renegotiation was attempted, but the configuration
does not allow SSL renegotiation. Thus, the SSL connection was stopped.
- Solution: Retry the connection between the client and the server.
Configure the connection to allow SSL renegotiation only if necessary.
Be aware of the risk. If proprietary clients require SSL renegotiation
to function, update them to establish new connections.
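
The entries for SSL0270I, SSL0271I and SSL0272I say that bursts of these messages might indicate a denial of service attack, and SSL0192W and SSL0276E relate to SSL client renegotiation. The following log triage sketch is an added example, not part of the IBM documentation; it assumes Apache 2.2-style error log timestamps, and the window and threshold values and the sample lines are constructed for illustration.

```python
import re
from collections import Counter, deque
from datetime import datetime, timedelta

# Codes the page says might indicate a denial of service when they occur in bursts.
BURST_CODES = {"SSL0270I", "SSL0271I", "SSL0272I"}
# Codes the page ties to SSL client renegotiation (see CVE-2009-3555).
RENEG_CODES = {"SSL0192W": "renegotiation-permitted",
               "SSL0276E": "renegotiation-aborted"}

# Assumption: Apache 2.2-style lines, "[Day Mon DD HH:MM:SS YYYY] ... SSLnnnnX: text".
LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\].*?\b(?P<code>SSL\d{4}[EWI]):")
TS_FORMAT = "%a %b %d %H:%M:%S %Y"


def parse(lines):
    """Yield (timestamp, code) for every line that carries an SSLnnnn message."""
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        try:
            yield datetime.strptime(m.group("ts"), TS_FORMAT), m.group("code")
        except ValueError:
            continue  # timestamp is not in the assumed format


def triage(lines, window_seconds=60, burst_threshold=5):
    """Return (per-code counts, findings) for chronologically ordered log lines."""
    window = timedelta(seconds=window_seconds)
    recent = deque()   # timestamps of pre-data failures inside the window
    counts = Counter()
    findings = []
    in_burst = False
    for ts, code in parse(lines):
        counts[code] += 1
        if code in RENEG_CODES:
            findings.append((RENEG_CODES[code], ts))
        elif code in BURST_CODES:
            recent.append(ts)
            while ts - recent[0] > window:
                recent.popleft()
            if len(recent) < burst_threshold:
                in_burst = False
            elif not in_burst:  # report each burst once, at its start
                findings.append(("pre-data-failure-burst", recent[0]))
                in_burst = True
    return counts, findings


# Constructed sample lines (host name and addresses are documentation values).
SAMPLE_LOG = [
    "[Mon Mar 04 10:00:00 2013] [warn] SSL0192W: IBM HTTP Server is configured to permit "
    "client renegotiation which is vulnerable to man-in-the-middle attacks www.example.com:443",
    "[Mon Mar 04 10:05:10 2013] [info] [client 192.0.2.10] SSL0271I: SSL Handshake Failed, "
    "client closed connection without sending any data.",
] + [
    f"[Mon Mar 04 10:20:{s:02d} 2013] [info] [client 192.0.2.{20 + s}] SSL0270I: SSL Handshake "
    "Failed, Timeout (30 seconds) occurred before any data received."
    for s in range(0, 30, 5)
] + [
    "[Mon Mar 04 10:30:00 2013] [error] [client 192.0.2.44] SSL0276E: SSL: Unexpected SSL "
    "client renegotiation detected, aborting SSL connection.",
]

if __name__ == "__main__":
    for kind, ts in triage(SAMPLE_LOG)[1]:
        print(ts.isoformat(), kind)
```

An isolated SSL0271I line produces no finding, which matches the guidance that intermittent occurrences are probably normal.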