SSL handshake messages
This topic lists the error messages that can result from SSL handshake failures and provides solutions to help you troubleshoot them.
The following messages are displayed when a handshake fails:
- SSL0200E: Handshake Failed, <code>.
- Reason: The handshake failed when the SSL library returned an unknown error.
- Solution: Report this problem to IBM Support.
- SSL0201E: Handshake Failed, Internal error - Bad handle.
- Reason: An internal error has occurred.
- Solution: Report this problem to IBM Support.
- SSL0202E: Handshake Failed, The GSK library unloaded.
- Reason: A call to the GSKit function failed because the dynamic link library unloaded (Windows operating systems only).
- Solution: Shut down the server and restart.
- SSL0203E: Handshake Failed, GSK internal error.
- Reason: The communication between client and the server failed due to an error in the GSKit library.
- Solution: Retry connection from the client. If the error continues, report the problem to IBM Support.
- SSL0204E: Handshake Failed, Internal memory allocation failure.
- Reason: The server could not allocate memory needed to complete the operation.
- Solution: Take action to free up some additional memory. Try reducing the number of threads or processes running, or increasing virtual memory.
- SSL0205E: Handshake Failed, GSK handle is in an invalid state for operation.
- Reason: The SSL state for the connection is invalid.
- Solution: Retry connection from the client. If the error continues, report the problem to IBM Support.
- SSL0206E: Handshake Failed, Key-file label not found
- Reason: The label specified for the SSLServerCert directive was not found in the key database (KDB) file specified for the KeyFile directive.
- Solution: Specify a value for the SSLServerCert directive that corresponds to a personal certificate available in the KDB file specified for the KeyFile directive.
- SSL0207E: Handshake Failed, Certificate is not available.
- Reason: The client did not send a certificate.
- Solution: Set client authentication to optional if a client certificate is not required. Contact the client to determine why it is not sending an acceptable certificate.
- SSL0208E: Handshake Failed, Certificate validation error.
- Reason: The received certificate failed one of the validation checks.
- Solution: Use another certificate. Contact IBM Support to determine why the certificate failed validation.
- SSL0209E: Handshake Failed, ERROR processing cryptography.
- Reason: A cryptography error occurred.
- Solution: None. If the problem continues, report it to IBM Support.
- SSL0210E: Handshake Failed, ERROR validating ASN fields in certificate.
- Reason: The server was not able to validate one of the ASN fields in the certificate.
- Solution: Try another certificate.
- SSL0211E: Handshake Failed, ERROR connecting to LDAP server.
- Reason: The Web server failed to connect to the CRL LDAP server.
- Solution: Verify that the values entered for the SSLCRLHostname and SSLCRLPort directives are correct. If access to the CRL LDAP server requires authentication, check that the SSLCRLUserID directive is coded and that the password was added to the stash file pointed to by the SSLStashfile directive.
- SSL0212E: Handshake Failed, Internal unknown error.
- Reason: An unknown error has occurred in the SSL library.
- Solution: Report the problem to IBM Support.
- SSL0213E: Handshake Failed, Open failed due to cipher error.
- Reason: An unknown error has occurred in the SSL library.
- Solution: Report the problem to IBM Support.
- SSL0214E: Handshake Failed, I/O error reading key file.
- Reason: The server could not read the key database file.
- Solution: Check file access permissions and verify the Web server user ID is allowed access.
- SSL0215E: Handshake Failed, Key file has an invalid internal format. Recreate key file.
- Reason: Key file has an invalid format.
- Solution: Recreate key file.
- SSL0216E: Handshake Failed, Key file has two entries with the same key. Use IKEYMAN to remove the duplicate key.
- Reason: Two identical keys exist in key file.
- Solution: Use IKEYMAN to remove duplicate key.
- SSL0217E: Handshake Failed, Key file has two entries with the same label. Use IKEYMAN to remove the duplicate label.
- Reason: A second certificate with the same label was placed in the key database file.
- Solution: Use IKEYMAN to remove duplicate label.
- SSL0218E: Handshake failed, Either the key file has become corrupted or the password is incorrect.
- Reason: The key file password is used as an integrity check and the test failed. Either the key database file is corrupted, or the password is incorrect.
- Solution: Use IKEYMAN to stash the key database file password again. If that fails, recreate the key database.
- SSL0219E: SSL Handshake Failed, Either the default key in the keyfile has an expired certificate or the keyfile password expired. Use iKeyman to renew or remove certificates that are expired or to set a new keyfile password.
- Reason: Either the default key in the keyfile has an expired certificate or the keyfile password expired.
- Solution: Use iKeyman to renew or remove certificates that are expired or to set a new keyfile password.
- SSL0220E: Handshake Failed, There was an error loading one of the GSK dynamic link libraries. Be sure GSK was installed correctly.
- Reason: Opening the SSL environment resulted in an error because one of the GSK dynamic link libraries could not load.
- Solution: Contact Support to make sure the GSKit is installed correctly.
- SSL0221E: Handshake Failed, Either the certificate has expired or the system clock is incorrect.
- Reason: Either the certificate expired or the system clock is incorrect.
- Solution: Use the key management utility (iKeyman) to recreate or renew your server certificate or change the system date to a valid date.
- SSL0222W: Handshake failed, no ciphers specified.
- Reason: SSLV2 and SSLV3 are disabled.
- Solution: None. Report this problem to IBM Support.
- SSL0223E: Handshake Failed, No certificate.
- Reason: The client did not send a certificate.
This message can also appear when your keyfile does not have a default certificate specified and you have not specified an SSLServerCert directive. In that case, the server passes initialization but fails at connection (handshake) time.
- Solution: Set client authentication to optional if a client certificate is not required. Contact the client to determine why it is not sending a certificate.
- SSL0224E: Handshake failed, Invalid or improperly formatted certificate.
- Reason: The client did not specify a valid certificate.
- Solution: Client problem.
- SSL0225E: Handshake Failed, Unsupported certificate type.
- Reason: The certificate type received from the client is not supported by this version of IBM HTTP Server SSL.
- Solution: The client must use a different certificate type.
- SSL0226I: Handshake Failed, I/O error during handshake.
- Reason: The communication between the client and the server failed. This is a common error when the client closes the connection before the handshake has completed.
- Solution: Retry the connection from the client.
- SSL0227E: Handshake Failed, Specified label could not be found in the key file.
- Reason: Specified key label is not present in key file.
- Solution: Check that the SSLServerCert directive is correct, if coded, and that the label is valid for one of the keys in the key database.
- SSL0228E: Handshake Failed, Invalid password for key file.
- Reason: The password retrieved from the stash file could not open the key database file.
- Solution: Use IKEYMAN to open the key database file and recreate the password stash file. This problem can also result from a corrupted key database file. Creating a new key database file may resolve the problem.
- SSL0229E: Handshake Failed, Invalid key length for export.
- Reason: In a restricted cryptography environment, the key size is too long to be supported.
- Solution: Select a certificate with a shorter key.
- SSL0230I: Handshake Failed, An incorrectly formatted SSL message was received.
- SSL0231W: Handshake Failed, Could not verify MAC.
- Reason: The communication between the client and the server failed.
- Solution: Retry the connection from the client.
- SSL0232W: Handshake Failed, Unsupported SSL protocol or unsupported certificate type.
- Reason: The communication between the client and the server failed because the client is trying to use a protocol or certificate which the IBM HTTP Server does not support.
- Solution: Retry the connection from the client using an SSL Version 2 or 3, or TLS 1 protocol. Try another certificate.
- SSL0233W: Handshake Failed, Invalid certificate signature.
- SSL0234W: Handshake Failed, The certificate sent by the peer expired or is invalid.
- Reason: The partner did not specify a valid certificate. The server is acting as a reverse proxy to an SSL URL and the _server_ cert could not be validated. Either the local certificate or the peer certificate is not valid. For a certificate to be valid, the complete certificate chain must be present in the key database file, the System Authorization Facility (SAF) key ring, or the Public Key Cryptography Standards (PKCS) #11 token.
- Solution: Partner problem. If this occurs during an SSL Proxy connection, the remote SSL server sent a bad certificate to IBM HTTP Server. Check the certificate and certificate authority chain at the other end of the SSL connection. For more information, see Secure with SSL communications. Verify that the certificate in the certificate chain is marked trusted. Ensure that the communication partner sends a valid certificate. If you use RACF® key rings and the DIGTCERT and DIGTRING classes are listed in the RACLIST operand, issue the SETROPTS RACLIST (DIGTCERT, DIGTRING) REFRESH command. This command refreshes the profiles to ensure that the latest changes are available. If the error persists, see the problem determination information on the following WebSphere® Application Server Support web page: http://www.ibm.com/software/webservers/appserv/was/support.
- SSL0235W: Handshake Failed, Invalid peer.
- SSL0236W: Handshake Failed, Permission denied.
- SSL0237W: Handshake Failed, The self-signed certificate is not valid.
- SSL0238E: Handshake Failed, Internal error - read failed.
- Reason: The read failed.
- Solution: None. Report this error to IBM Support.
- SSL0239E: Handshake Failed, Internal error - write failed.
- Reason: The write failed.
- Solution: None. Report this error to IBM Support.
- SSL0240I: Handshake Failed, Socket has been closed.
- Reason: The client closed the socket before the protocol completed.
- Solution: Retry connection between client and server.
- SSL0241E: Handshake Failed, Invalid SSLV2 Cipher Spec.
- Reason: The SSL Version 2 cipher specifications passed into the handshake were invalid.
- Solution: Change the specified Version 2 cipher specs.
- SSL0242E: Handshake Failed, Invalid SSLV3 Cipher Spec.
- Reason: The SSL Version 3 cipher specifications passed into the handshake were invalid.
- Solution: Change the specified Version 3 cipher specs.
- SSL0243E: Handshake Failed, Invalid security type.
- Reason: There was an internal error in the SSL library.
- Solution: Retry the connection from the client. If the error continues, report the problem to IBM Support.
- SSL0245E: Handshake Failed, Internal error - SSL Handle creation failure.
- Reason: There was an internal error in the security libraries.
- Solution: None. Report this problem to IBM Support.
- SSL0246E: Handshake Failed, Internal error - GSK initialization has failed.
- Reason: An error in the security library has caused SSL initialization to fail.
- Solution: None. Report this problem to IBM Support.
- SSL0247E: Handshake Failed, LDAP server not available.
- Reason: Unable to access the specified LDAP directory when validating a certificate.
- Solution: Check that the SSLCRLHostname and SSLCRLPort directives are correct. Make sure the LDAP server is available.
- SSL0248E: Handshake Failed, The specified key did not contain a private key.
- Reason: The key does not contain a private key.
- Solution: Create a new key. If this was an imported key, include the private key when doing the export.
- SSL0249E: Handshake Failed, A failed attempt was made to load the specified PKCS#11 shared library.
- Reason: An error occurred while loading the PKCS#11 shared library.
- Solution: Verify that the PKCS#11 shared library specified in the SSLPKCSDriver directive is valid.
- SSL0250E: Handshake Failed, The PKCS#11 driver failed to find the token label specified by the caller.
- Reason: The specified token was not found on the PKCS#11 device.
- Solution: Check that the token label specified on the SSLServerCert directive is valid for your device.
- SSL0251E: Handshake Failed, A PKCS#11 token is not present for the slot.
- Reason: The PKCS#11 device has not been initialized correctly.
- Solution: Specify a valid slot for the PKCS#11 token or initialize the device.
- SSL0252E: Handshake Failed, The password/pin to access the PKCS#11 token is either not present, or invalid.
- Reason: Specified user password and pin for PKCS#11 token is not present or invalid.
- Solution: Check that the correct password was stashed using the SSLStash utility and that the SSLStashfile directive is correct.
- SSL0253E: Handshake Failed, The SSL header received was not a properly SSLV2 formatted header.
- Reason: The data received during the handshake does not conform to the SSLV2 protocol.
- Solution: Retry connection between client and server. Verify that the client is using HTTPS.
- SSL0254E: Internal error - I/O failed, buffer size invalid.
- Reason: The buffer size in the call to the I/O function is zero or negative.
- Solution: None. Report this problem to IBM Support.
- SSL0255E: Handshake Failed, Operation would block.
- Reason: The I/O failed because the socket is in non-blocking mode.
- Solution: None. Report this problem to IBM Support.
- SSL0256E: Internal error - SSLV3 is required for reset_cipher, and the connection uses SSLV2.
- Reason: A reset_cipher function was attempted on an SSLV2 connection.
- Solution: None. Report this problem to IBM Support.
- SSL0257E: Internal error - An invalid ID was specified for the gsk_secure_soc_misc function call.
- Reason: An invalid value was passed to the gsk_secure_soc_misc function.
- Solution: None. Report this problem to IBM Support.
- SSL0258E: Handshake Failed, The function call, <function>, has an invalid ID.
- Reason: An invalid function ID was passed to the specified function.
- Solution: None. Report this problem to IBM Support.
- SSL0259E: Handshake Failed, Internal error - The attribute has a negative length in: <function>.
- Reason: The length value passed to the function is negative, which is invalid.
- Solution: None. Report this problem to IBM Support.
- SSL0260E: Handshake Failed, The enumeration value is invalid for the specified enumeration type in: <function>.
- Reason: The function call contains an invalid function ID.
- Solution: None. Report this problem to IBM Support.
- SSL0261E: Handshake Failed, The SID cache is invalid: <function>.
- Reason: The function call contains an invalid parameter list for replacing the SID cache routines.
- Solution: None. Report this problem to IBM Support.
- SSL0262E: Handshake Failed, The attribute has an invalid numeric value: <function>.
- Reason: The function call contains an invalid value for the attribute being set.
- Solution: None. Report this problem to IBM Support.
- SSL0263W: SSL Connection attempted when SSL did not initialize.
- Reason: A connection was received on an SSL-enabled virtual host but it could not be completed because there was an error during SSL initialization.
- Solution: Check for an error message during startup and correct that problem.
- SSL0264E: Failure obtaining Cert data for label <certificate>.
- Reason: A GSKit error prevented the server certificate information from being retrieved.
- Solution: Check for a previous error message with additional information.
- SSL0265W: Client did not supply a certificate.
- Reason: A client who connected failed to send a client certificate and the server is configured to require a certificate.
- Solution: Nothing on the server side.
- SSL0266E: Handshake failed.
- Reason: Could not establish SSL proxy connection.
- Solution: IBM HTTP Server could not establish a proxy connection to a remote server using SSL.
- SSL0267E: SSL Handshake failed.
- Reason: Timeout on network operation during handshake.
- Solution: Check client connectivity, adjust TimeOuts.
- SSL0270I: SSL Handshake Failed, Timeout (dd seconds) occurred before any data received.
- Reason: A connection was received on an SSL port, but no data was received from the client before the timeout expired.
- Solution: If the timeout (set by the Timeout directive) has been reduced from the default value, verify that it is reasonable. If the message occurs intermittently, it is probably normal, due to things like users cancelling page loads and browser or system crashes. If the message occurs in bursts, it might indicate a denial of service attack in progress.
- SSL0271I: SSL Handshake Failed, client closed connection without sending any data.
- Reason: A connection was received on an SSL port, but the client closed the connection without beginning the handshake.
- Solution: If the timeout (set by the Timeout directive) has been reduced from the default value, verify that it is reasonable. If the message occurs intermittently, it is probably normal, due to things like users cancelling page loads and browser or system crashes. If the message occurs in bursts, it might indicate a denial of service attack in progress.
- SSL0272I: SSL Handshake Failed, I/O error before any data received.
- Reason: A connection was received on an SSL port, but a network error broke the connection before any data was received from the client.
- Solution: If the message occurs intermittently, it is probably normal, due to things like users cancelling page loads and browser or system crashes. If the message occurs in bursts, it might indicate a denial of service attack in progress.
- SSL0273I: Non-SSL request received on connection configured for SSL
- Reason: A connection was received on an SSL port, but the data received was not SSL, and looked like a normal non-SSL request.
- Solution: Verify that the port in question is intended to be configured for SSL. Look for bad links to the page in question that should use https:, but instead use http:.
- SSL0275E: Revocation status could not be determined for client certificate: %s
- Reason: The server was configured to check an external revocation source, such as OCSP or CRL, and the external revocation source failed.
- Solution: Verify that the revocation source is functioning.
- SSL0276E: SSL Handshake Failed, peer did not support extended SSL renegotiation.
- Reason: Extended (secure) renegotiation was enabled with SSLRequireExtendedRenegotiation but the client did not support extended renegotiation.
- Solution: Upgrade the affected clients or disable SSLRequireExtendedRenegotiation.
- SSL0277E: SSL Handshake Failed, ICSF is not available. ECDHE and TLS1.2 SHA-2 ciphers require ICSF.
- Reason: The negotiated encryption requires the use of ICSF services and ICSF is either not started or not permitted for the web server's user ID.
- Solution: Configure the ICSF started task and allow access to the CSFSERV resources, or disable ECDHE and AES-GCM based ciphers.
- SSL0278E: SSL Handshake Failed, ICSF error. Review 'RACF CSFSERV Resource Requirements' of the z/OS documentation.
- Reason: The web server's user ID does not have access to CSFSERV resource classes required for SSL.
- Solution: Configure the ICSF started task and allow access to the CSFSERV resources, or disable ECDHE and AES-GCM based ciphers.
- SSL0279E: SSL Handshake Failed due to fatal alert from client. Client sent %s alert [level %d (%s), description %d (%s)]
- Reason: During the SSL handshake, the remote client sent a fatal alert instead of completing the handshake.
- Solution: Review the alert level and type and investigate the client software.
- SSL0280E: SSL Handshake Failed due to fatal alert from client. Client sent %s alert [level %d (%s), description %d (%s)]
- Reason: SSL Handshake Failed, the configured certificate chain contains a signature that is not compatible with the peer's TLS Signature Algorithm requirements.
- Solution: In TLS1.2 and later, clients can specify a list of acceptable signature algorithms. This error occurs when the server's configured certificate does not overlap with any of the client's acceptable signature algorithms.
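The solutions for SSL0270I, SSL0271I and SSL0272I distinguish intermittent occurrences (normal) from bursts (a possible denial of service attack). The following is an added example, not part of the original documentation or of IBM HTTP Server, that finds such bursts in an error log. The Apache-style line layout, the 10-second window, the threshold of 5 and the sample lines are assumptions.

```python
import re
from datetime import datetime, timedelta

# IDs the page says may indicate a denial-of-service attack when they occur in bursts.
BURST_IDS = {"SSL0270I", "SSL0271I", "SSL0272I"}

# Assumed Apache-style error-log layout: "[Wed Mar 06 10:15:01 2024] ... SSLnnnnX: text".
LINE_RE = re.compile(
    r"^\[(?P<ts>\w{3} \w{3} \d{2} \d{2}:\d{2}:\d{2})(?:\.\d+)? (?P<year>\d{4})\]"
    r".*?\b(?P<msgid>SSL\d{4}[EWI]):"
)

def parse_line(line):
    """Return (timestamp, message_id), or None if the line carries no SSL message ID."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    when = datetime.strptime(f"{m['ts']} {m['year']}", "%a %b %d %H:%M:%S %Y")
    return when, m["msgid"]

def find_bursts(lines, window_seconds=10, threshold=5):
    """Return [(start, end, count)] for runs with >= threshold events per window.

    Assumes the lines are in chronological order, as in an appended error log.
    """
    times = [p[0] for p in map(parse_line, lines) if p and p[1] in BURST_IDS]
    window = timedelta(seconds=window_seconds)
    spans, lo = [], 0
    for i, when in enumerate(times):
        while when - times[lo] > window:      # slide the window start forward
            lo += 1
        if i - lo + 1 >= threshold:
            if spans and lo <= spans[-1][1]:  # overlaps the previous burst: extend it
                spans[-1][1] = i
            else:
                spans.append([lo, i])
    return [(times[a], times[b], b - a + 1) for a, b in spans]

# Constructed sample lines (not taken from a real server).
SAMPLE_LOG = [
    "[Wed Mar 06 10:00:03 2024] [info] [client 192.0.2.10] SSL0271I: SSL Handshake "
    "Failed, client closed connection without sending any data.",
    "[Wed Mar 06 10:04:41 2024] [error] [client 192.0.2.11] SSL0227E: Handshake "
    "Failed, Specified label could not be found in the key file.",
    "[Wed Mar 06 10:09:17 2024] [info] [client 192.0.2.12] SSL0272I: SSL Handshake "
    "Failed, I/O error before any data received.",
] + [
    f"[Wed Mar 06 10:15:{s:02d} 2024] [info] [client 198.51.100.{s + 1}] SSL0270I: "
    "SSL Handshake Failed, Timeout (300 seconds) occurred before any data received."
    for s in range(6)
] + [
    "[Wed Mar 06 10:31:40 2024] [info] [client 192.0.2.13] SSL0271I: SSL Handshake "
    "Failed, client closed connection without sending any data.",
]

if __name__ == "__main__":
    for start, end, count in find_bursts(SAMPLE_LOG):
        print(f"burst: {count} pre-handshake failures between {start} and {end}")
```

Tune the window and threshold to the server's normal traffic; the isolated events in the sample are deliberately not reported.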