IBM-i Client Connection to webserver: handshake problem, connection reset at webserver

asdf13
asdf13 used Ask the Experts™
on
HTTPAPI_debug.txtWS HTTP API(library LIBHTTP).
IBM-i Client Connection to Webserver: handshake problem.  
Immediatelly after clientHello, the  server resets  connection.

ibm-i Joblog messages .
   Message . . . . :   (GSKit) An operation which is not valid for the current
     SSL session state was attempted.                                          
   Cause . . . . . :   No additional online help information is available.    
 40   18/01/19  15:36:49.874491  HTTPAPIR4    LIBHTTP     *STMT    RSUCISLO2  
   From module . . . . . . . . :   HTTPUTILR4                                  
   From procedure  . . . . . . :   HTTP_CRASH                                  Handshakke-problem-from-7_3-LPAR.docx
   Statement . . . . . . . . . :   4068                                        
   Message . . . . :   SSL Handshake: (GSKit) I/O: A connection with a remote  
     socket was reset by that

TLS-Version.PNG
Comment
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
VP Technology / Senior Consultant
Commented:
Is there a firewall between you and the endpoint you're trying to connect to?  If so, connection may be blocked.  Are you connecting to the correct port?

https://www-01.ibm.com/support/docview.wss?uid=nas8N1021098

Need more help?  Please provide more info, like a more complete job log, without cut-off messages and MSGIDs, and basic info about where you are connecting from, and to.  If you are connecting to a public API of some sort, provide basic connectivity info: IP/FQDN, port, description of service (no credentials, of course).
David FavorFractional CTO
Distinguished Expert 2018

Commented:
If this is a public site, post the URL for testing.

If not, you'll have to connect to your site using the openssl client to test your connection.

Keep in mind, if the site throwing the error is running very old SSL/TLS, then new clients simply won't be able to connect.

Best will be for you post a clickable URL to your site for testing.

Author

Commented:
additional Info added (embedded files in Question) . . .
Exploring SharePoint 2016

Explore SharePoint 2016, the web-based, collaborative platform that integrates with Microsoft Office to provide intranets, secure document management, and collaboration so you can develop your online and offline capabilities.

Gary PattersonVP Technology / Senior Consultant

Commented:
Looks like you are running an old version of HTTPAPI.  Suggest you update to the latest.  

QSSLPCL special value of *OPSYS means something different in V7R1 and V7R3.  You say you are using TLS 1.2, but

*OPSYS on V7R1 means *TLSV1 and *SSLV3 protocols are enabled.
*OPSYS on V7R3 means *TLSV1.2 *TLSV1.1 and *TLSV1.

You don't provide any information about the target system - need to make sure you are connecting with compatible protocol.

Is this just an HTTPAPI issue, or can you connect with cURL, for example?

http://www-01.ibm.com/support/docview.wss?uid=nas8N1020876

Author

Commented:
TLS Version info added.
Try to get more  info regarding webserver later . . .

Author

Commented:
Hello,
Reason for failing handshake was found on webserver side : problem  was invalid certificate.
Sorry,  i had no Information about webserver, which  is outside of my responsibility ("third party")

Thanks for your advices.
Gary PattersonVP Technology / Senior Consultant

Commented:
For future reference, you should probably try to connect to the site first manually: you can use command line tools like openssl, curl, and wget (from IBM i or Windows or Linux).  I also suggest using using a tool like Postman or SoapUI to test and experiment with web service connections and make you you understand the request and response formats before you try to write and test code.
David FavorFractional CTO
Distinguished Expert 2018

Commented:
For fastest (and 100% correct) answers, post your actual URL for testing.

Also follow Gary's suggestion of testing with command line tools first.
David FavorFractional CTO
Distinguished Expert 2018

Commented:
After you update your cert, use https://www.ssllabs.com/ssltest/ to ensure your entire SSL config is correct.

Tip: Testing/Knowing is always better than guessing.

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial