Troubleshooting
Problem
Attempting to use FTP/TLS, but the session fails with an 'EZA2897I Authentication negotiation failed' message after the AUTH TLS command. For some network configurations, this might occur only on connection attempts to certain servers.
Symptom
If debugging is enabled, the FTP Client trace shows:
FCxxxx authServer: secure_socket_init failed with rc = 413 (Certificate signature is incorrect).
If a System SSL trace is enabled, it might show:
EXIT gsk_verify_data_signature(): <--- Exit status 0x03353004 (53817348)
ERROR gsk_verify_certificate_signature(): Unable to verify certificate signature: Error 0x03353004
EXIT gsk_verify_certificate_signature(): <--- Exit status 0x03353004 (53817348)
ERROR validate_certificate(): Unable to verify certificate signature: Error 0x03353004
ERROR gsk_validate_certificate(): Unable to validate certificate: Error 0x03353004
EXIT gsk_validate_certificate(): <--- Exit status 0x03353004 (53817348)
ERROR read_v3_certificate(): Unable to validate peer certificate: Error 0x03353004
ERROR send_v3_alert(): Sent SSL V3 alert 42 to xx.xx.xx.xx[21]
Cause
Packets containing the server's certificate have been altered in transit. The likely cause is an intermediate firewall from Check Point Software Technologies LTD with Telnet Option checking enabled for FTP sessions.
Diagnosing The Problem
Compare packet traces collected at both ends of the connection, or compare a copy of the server's public certificate with the one shown in the SSL trace (or contained in the packets). Examination will show that wherever an x'FF' appears in the original certificate, that byte and the next one will have an x'0A' value on arrival.
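The comparison described above can be automated once both copies of the certificate are available as DER bytes (for example, the genuine certificate exported from the server and the copy extracted from the client-side packet trace). The script below is an added example, not part of the technote: it reports every offset where the original carries 0xFF and the received copy carries 0x0A 0x0A in place of that byte and the one following it, and separately lists any differences that the Telnet-option pattern does not explain. The sample byte strings are constructed for the demonstration and are not a real certificate; the file-path handling in the main block is an assumed convenience, not an IBM or Check Point tool.

```python
"""Check whether a received certificate differs from the genuine one only by
the Telnet-option mangling described in the technote: each 0xFF byte in the
original, together with the byte that follows it, arrives as 0x0A 0x0A."""
import sys
from pathlib import Path
from typing import Dict, List


def find_ff_mangling(original: bytes, received: bytes) -> List[int]:
    """Return offsets where the original has 0xFF and the received copy has
    0x0A in that position and in the following one (if a following byte exists).
    The substitution replaces two bytes with two bytes, so lengths must match."""
    if len(original) != len(received):
        raise ValueError(
            f"length mismatch: original {len(original)} bytes, received {len(received)} bytes"
        )
    hits: List[int] = []
    i = 0
    while i < len(original):
        if original[i] == 0xFF and received[i] == 0x0A and (
            i + 1 >= len(original) or received[i + 1] == 0x0A
        ):
            hits.append(i)
            i += 2  # both bytes of the pair are accounted for (covers 0xFF 0xFF too)
        else:
            i += 1
    return hits


def unexplained_differences(original: bytes, received: bytes, hits: List[int]) -> List[int]:
    """Offsets that differ between the copies but are not covered by a mangled pair."""
    explained = set()
    for h in hits:
        explained.update((h, h + 1))
    return [
        i for i, (a, b) in enumerate(zip(original, received))
        if a != b and i not in explained
    ]


def diagnose(original: bytes, received: bytes) -> Dict[str, object]:
    """Summarise the comparison; matches_telnet_option_pattern is True only when
    at least one pair was mangled and nothing else differs."""
    hits = find_ff_mangling(original, received)
    leftover = unexplained_differences(original, received, hits)
    return {
        "ff_bytes_in_original": original.count(0xFF),
        "mangled_offsets": hits,
        "unexplained_offsets": leftover,
        "matches_telnet_option_pattern": bool(hits) and not leftover,
    }


# Constructed sample (not a real certificate): a DER-like prefix followed by
# bytes that include 0xFF at offsets 9 and 13. Offset 3 holds a legitimate
# 0x0A that is present in both copies and must not be flagged.
ORIGINAL = bytes.fromhex("3082010a 0282010100 ffd4c712 ff3a197b".replace(" ", ""))
# The same bytes as they would arrive with the 0xFF pairs rewritten to 0x0A 0x0A.
RECEIVED = bytes.fromhex("3082010a 0282010100 0a0ac712 0a0a197b".replace(" ", ""))

if __name__ == "__main__":
    # Usage (assumed convenience): python check_cert_mangling.py genuine.der received.der
    if len(sys.argv) == 3:
        result = diagnose(Path(sys.argv[1]).read_bytes(), Path(sys.argv[2]).read_bytes())
    else:
        result = diagnose(ORIGINAL, RECEIVED)
    for key, value in result.items():
        print(f"{key}: {value}")
```

If `matches_telnet_option_pattern` is True, the corruption is consistent with the cause described in this technote; any entries under `unexplained_offsets` point to a different kind of alteration and call for a closer look at the packet traces.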
Resolving The Problem
Change the $FWDIR/lib/ftp.def file on the firewall system (make a backup copy first), to update the #define statement for FTP_CHECK_ARGS to remove the FTP_NO_TELNET_OPTIONS specification. For example:
#define FTP_CHECK_ARGS (FTP_NO_CLIENT_227 | FTP_NO_TELNET_OPTIONS)
becomes
#define FTP_CHECK_ARGS (FTP_NO_CLIENT_227)
Contact the vendor for alternative solutions.
Document Information
Modified date: 03 September 2021
UID: swg21402847