Extra! X-treme 9.x cannot connect TLS to IBM i V7R4

  • 7024631
  • 15-May-2020
  • 03-Jun-2020

Environment

Extra! X-treme 9.5 and earlier
IBM i (iSeries or AS/400) V7R4

Situation

When attempting to connect with TLS 1.2 to an IBM i with Extra! X-treme 9.5 or earlier, the session fails to connect with a "Connect error".

Examination of a network trace indicates the host is sending a TLS alert, fatal handshake failure (40), in response to the Client Hello.

Resolution

The acceptable cipher list defined on the IBM i needs to include a cipher that Extra! X-treme sends in the Client Hello. This is defined by the IBM i administrator.

As of this writing, the cipher list settings in Navigator for i and in the CLI SYSVALs QSSLCSLCTL and QSSLCSL have to be configured the same. Both Navigator for i and the CLI have to be changed to user defined, and the cipher lists have to match. Also, the telnet server has to be stopped and restarted. The help says the settings are accepted immediately, but testing has shown the server requires a restart.

Cause

The default (*OPSYS) cipher list is incompatible with Extra! X-treme 9.5. Starting with V7R4, the IBM i has stronger ciphers defined by default; Extra! and the IBM i cannot agree on a cipher to use.
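
To confirm from a trace that the failure is a cipher mismatch, the Client Hello's offered suites can be compared with the host's allowed list. The following is an added example, not code from the vendor or from this article; the sample Client Hello, the two server lists and all function names are constructed for illustration and do not represent what Extra! X-treme actually offers or what the IBM i default list contains.

```python
import struct

# IANA TLS cipher suite IDs used in the constructed samples below.
NAMES = {0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
         0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
         0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
         0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
         0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"}

def client_hello_suites(record: bytes) -> list:
    """Cipher suite IDs offered in a single-record TLS ClientHello."""
    ctype, _ver, rlen = struct.unpack_from("!BHH", record, 0)
    if ctype != 0x16 or len(record) < 5 + rlen or record[5] != 0x01:
        raise ValueError("not a complete ClientHello record")
    pos = 5 + 4 + 2 + 32            # record hdr, handshake hdr, version, random
    pos += 1 + record[pos]          # session_id length byte + session_id
    (slen,) = struct.unpack_from("!H", record, pos)
    return [struct.unpack_from("!H", record, pos + 2 + i)[0]
            for i in range(0, slen, 2)]

def is_fatal_handshake_failure(record: bytes) -> bool:
    """True for a plaintext alert record with level 2 (fatal), description 40."""
    ctype, _ver, rlen = struct.unpack_from("!BHH", record, 0)
    return ctype == 0x15 and rlen == 2 and record[5:7] == b"\x02\x28"

def negotiable(hello: bytes, server_allowed: set) -> list:
    """Names of suites the client offers that the server list also allows."""
    return [NAMES.get(s, hex(s)) for s in client_hello_suites(hello)
            if s in server_allowed]

def build_hello(suites):
    """Construct a minimal ClientHello (no extensions) for the sample."""
    body = (b"\x03\x03" + bytes(32) + b"\x00"
            + struct.pack("!H", 2 * len(suites))
            + b"".join(struct.pack("!H", s) for s in suites) + b"\x01\x00")
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

# Constructed samples: NOT Extra!'s real offer or the IBM i default list.
SAMPLE_HELLO = build_hello([0x002F, 0x0035, 0x000A])
SAMPLE_ALERT = bytes.fromhex("15030300020228")
SERVER_BEFORE = {0xC02F, 0xC030}            # hypothetical host list
SERVER_AFTER = SERVER_BEFORE | {0x0035}     # hypothetical user-defined list

if __name__ == "__main__":
    print("fatal handshake_failure:", is_fatal_handshake_failure(SAMPLE_ALERT))
    print("before:", negotiable(SAMPLE_HELLO, SERVER_BEFORE))
    print("after: ", negotiable(SAMPLE_HELLO, SERVER_AFTER))
```

An empty "before" result together with the fatal alert matches the symptom described in the Situation section; a non-empty "after" result shows which offered suite the user-defined list would let the two sides agree on.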

Status

Reported to Engineering

Additional Information

Reflection Desktop 16.2 works; if the ciphers on the IBM i cannot be changed, Reflection Desktop 16.2 is an alternative.

This is scheduled to be fixed in Extra! X-treme 9.6.