SSL return codes
The topic lists the system Secure Sockets Layer (SSL) return codes for the most common problems that might occur during SSL initialization or SSL handshake.
You need to do these steps before using the following return code tables:
- You need to find the SSL return code in the QTVTELNET job log.
- In some cases, you need to work with the Digital Certificate Manager (DCM) configuration to correct problems with certificate authority (CA) certificates or system certificates.
- When you copy the CA certificate information for your Telnet SSL client, remember to include the lines containing the words BEGIN CERTIFICATE and END CERTIFICATE.
| Return code | Description |
|---|---|
| -2 | No system certificate is available for SSL processing.
The Telnet server successfully initializes SSL, but the SSL handshake
fails. There is no signon panel in the SSL Telnet client window. The
QIBM_QTV_TELNET_SERVER application does not have an assigned system
certificate. View the system certificate and check that the value Yes shows in the Certificate assigned column. If the value is No, create a system certificate for the QIBM_QTV_TELNET_SERVER application. |
| -4 | The CA certificate or system certificate is bad.
The system certificate is not private or trusted. The Private Key
and Trusted fields on the server certificate are not correct. The
Telnet SSL client window has no signon panel. Add CA information in your Telnet SSL client. If you are using IBM® i Access for Windows as your Telnet SSL client, see Manage public Internet certificates for SSL communication sessions. Otherwise, see Obtain a copy of the private CA certificate for instructions. |
| -16 | The peer system is not recognized. This
problem is the most common problem when a Telnet SSL client first
attempts to establish an SSL session. The Telnet SSL client window
has no sign-on panel. Add CA certificate information to your Telnet SSL client. |
| -18 | The system certificate is self-signed and server
is using it as a CA certificate. The system certificate assigned
to the QIBM_QTV_TELNET_SERVER application must be trusted, signed
by a certificate authority, and used within the valid time period.
You need to create a CA certificate and associate it with the system
certificate. The Telnet server does not initialize SSL if the system
certificate is incorrect. Create a CA certificate and associate it with the system certificate. |
| -23 | The system certificate is not signed by a trusted
certificate authority. The system certificate assigned
to the QIBM_QTV_TELNET_SERVER application must be trusted, signed
by a certificate authority, and used within the valid time period. Change the CA certificate to Trusted. For instructions, see Manage applications in DCM. |
| -24 | The valid time period of the CA certificate has
expired. You are using an out-of-date certificate. The
Telnet SSL client window has no sign-on panel. Renew the CA certificate that was used to build the system certificate. |
| -93 | SSL is not available for use. Telnet
SSL clients cannot connect to a host because there is no active SSL
listener. Install software requirements to support Telnet SSL and to manage certificates. For instructions, see Check system status. |
Other SSL return codes
For the SSL return codes in the following table, use DCM to verify that the digital certificates meet these requirements:
- The CA certificate is valid and has not expired.
- The Telnet server application QIBM_QTV_TELNET_SERVER has a value of Yes in the Certificate Assigned column.
- A certificate authority signs the system certificate.
- The system certificate is trusted.
- The system certificate is used within the timeframe stated on the certificate.
| Return code | Description |
|---|---|
| -1 | No ciphers are available or specified |
| -6 | IBM i operating system does not support the certificate type |
| -10 | An error occurred in SSL processing. In the job log, check the CPExxxx message where xxxx is the sockets error value |
| -11 | SSL received a badly formatted message |
| -12 | A bad message authentication code was received |
| -13 | Operation is not supported by SSL |
| -14 | The certificate signature is not valid |
| -15 | The certificate is bad |
| -17 | Permission was denied to access object |
| -20 | Unable to allocate storage required for SSL processing |
| -21 | SSL detected a bad state in the SSL session |
| -22 | The socket used by the SSL connection has been closed |
| -25 | The date in the certificate is in a bad format |
| -26 | The key length is bad for export |
| -90 | Not a key ring file |
| -91 | The password in the key database has expired |
| -92 | Certificate is not valid or is rejected by the exit program |
| -94 | SSL_Init() was not previously invoked for the job |
| -95 | There is no key ring for SSL initialization The *SYSTEM certificate store must exist; the certificate store can be created with DCM. |
| -96 | SSL is not enabled |
| -97 | The specified cipher suite is not valid |
| -98 | The SSL session ended |
| -99 | An unknown or unexpected error occurred during SSL processing |
| -1010 | Double encryption is not allowed when using AC2 and IP-SEC |