Environment
Extra X-treme 9.5 and earlier
IBM i (iSeries or AS/400) V7R4
Situation
When attempting to connect with TLS 1.2 to an IBM i with Extra! X-treme 9.5 or earlier the session fails to connect with a "Connect error".
Examination of the a network trace indicates the host is sending a TLS alert fatal handshake failure (40) to the Client Hello.
Resolution
The acceptable cipher list defined on the IBM i needs to include a cipher that Extra! X-treme sends in the Client Hello. This is defined by the IBM i administrator.
As of this writing, the settings in the Navigator for i and the CLI SYSVALs of QSSLCSLCTL and QSSLCSL, in regards to the cipher lists, have to be configured the same. Both Navigator for i and the CLI have to be changed to user defined and the cipher lists have to match. Also, the telnet server has to be stopped and restarted. The help says the settings are accepted immediately, but testing has shown the server requires a restart.
Cause
The default (*OPSYS) cipher list is incompatible with Extra! X-treme 9.5. Starting with V7R4, the IBM i has stronger ciphers defined by default; Extra! and the IBM i cannot agree on a cipher to use.
Status
Reported to EngineeringAdditional Information
Reflection Desktop 16.2 works; if the ciphers on the IBM i cannot be changed, Reflection Desktop 16.2 is an alternate choice.
This is scheduled to be fixed in Extra! X-treme 9.6.