Troubleshoot security errors

This section describes security related errors and troubleshooting tips.

Handshake errors

Handshake error due to large certificate request

The TLS_ERR_FRAGMENT_CONSISTANCY message occurs during mutual authentication when the server sends a large number of CAs in a certificate request. For example, the client sends a "Client_Hello" frame to initiate a new SSL session, but the Transfer CFT client cannot handle the server's reply because it exceeds the RRUSIZE.

To troubleshoot:

  1. Check the s/rrusize on the local Transfer CFT and set it to the maximum value (32750).
  2. Check the number of trusted CAs the remote server sends, and reduce it if possible.

No matching client certificate for SSL server

The client receives a "certificate_request" type message, but it is empty. Transfer CFT cannot correctly respond to this message, and an error is generated.

Client side

In the catalog a 260 PKI 040 diagnostic displays, and the log contains a message similar to the following:

CFTY13E CTX=200006 SSL Handshake local error [HANDSHAKE_FAILURE] CR=40 (Handshake failure)

CFTH11E Error Opening session <PART=HPX18SSL EV=VVTIMO ST=SUP01>

CFTT75E connect reject <IDTU=A00000BL PART=HPX18SSL IDF=SSL IDT=A2217045 260 PKI 040>

Server side

No diagnostic displays in the catalog, but the log contains a message similar to the following:

CFTY13E CTX=200006 SSL Handshake local error [HANDSHAKE_FAILURE] CR=40 (Handshake failure)

When using mutual authentication, the client has no certificate to present to the remote SSL server. For example, the client has no user certificate issued by one of the CAs listed by the server.

Tip   Analyze the situation on the partner side and correct it according to what the server requires.

Incorrect certificate format

In this log excerpt, the error "CR = 40" corresponds to a failure during the handshake phase.

This error may be related to the format in which the client certificate was inserted: the certificate is in PEM format rather than DER.

CFTR12I RECV Treated for USER admin <IDTU=A00002EN PART=SEID IDF=D_615M>

Session parameters CFTT13I <IDTU=A00002EN PART=SEID IDF=D_615M IDT=J0615002 _ PROT=PROTSSL1 SAP=6335 HOST= 212.11.19.28>

CFTY19I PART = SEID = SSL Client SSLPROT1 opening session CTX = 20000c on task PID = 82928

CTX = 20000c CFTY21I Remote Server Certificate Accepted rootID = ROOTSEID

CTX = 20000c CFTY23I Client certificate ID = MUTESTCA rootID = ROOTSEID

CTX = 20000c CFTY13E SSL Handshake local error [HANDSHAKE_FAILURE] CR = 40

CFTH11E Error Opening session <PART=SEID EV=VVTIMO ST=SUP01>

CFTT75E connect reject <IDTU=A00002EN PART=SEID IDF=D_615M IDT=J0615002 260 TLSDOWN>

Tip   A conversion of the certificate format is required.

No private key

This failure occurs during the handshake phase and is related to using a user certificate that does not include the private key needed for encryption.

PART ARVAL CFTY19I = SSL = SSL_ARVAL customer opening session on task CTX = 200003 pid = 23630

CFTY21I CTX = 200003 Remote Server Certificate Accepted rootID = VERISIGNROOT

CFTY13E CTX = 200003 SSL Handshake local error [HANDSHAKE_FAILURE] CR = 40

CFTH11E Error Opening session <PART=ARVAL EV=VVTIMO ST=SUP01>

CFTT75E connect reject <IDTU=A000001R PART=ARVAL IDF=GEDTEST IDT=D2015423 260 TLSDOWN>

Requester CFTT56I file closed <IDTU=A000001R PART=ARVAL IDF=GEDTEST IDT=D2015423>

Requester CFTT54I file deselected <IDTU=A000001R PART=ARVAL IDF=GEDTEST IDT=D2015423>

Tip   Insert the user certificate's private key in the PKI base.
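Both of the preceding failures (a certificate inserted in the wrong format, and a user certificate inserted without its private key) can be spotted by inspecting the file before it goes into the PKI base. The helper below is an added example, not part of the Transfer CFT product: it classifies a file as PEM or DER, lists the PEM blocks it carries, reports whether a private key block is present, and converts between PEM and DER. The sample DER bytes are a constructed placeholder, not a real certificate.

```python
import base64
import re
import textwrap

# A PEM block is "-----BEGIN <TYPE>-----", base64 lines, "-----END <TYPE>-----".
PEM_BLOCK = re.compile(
    rb"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL)


def detect_format(data: bytes) -> str:
    """Return 'PEM', 'DER' or 'UNKNOWN' for the raw bytes of a certificate file.
    A DER certificate is an ASN.1 SEQUENCE, so its first byte is 0x30;
    a PEM file is text carrying at least one -----BEGIN ...----- block."""
    if PEM_BLOCK.search(data):
        return "PEM"
    if data[:1] == b"\x30":
        return "DER"
    return "UNKNOWN"


def pem_block_types(data: bytes) -> list[str]:
    """Names of the PEM blocks in the file, in order (e.g. CERTIFICATE, PRIVATE KEY)."""
    return [m.group(1).decode() for m in PEM_BLOCK.finditer(data)]


def has_private_key(data: bytes) -> bool:
    """True if the PEM file also carries the private key (any '... PRIVATE KEY' block)."""
    return any(t.endswith("PRIVATE KEY") for t in pem_block_types(data))


def pem_to_der(data: bytes, block_type: str = "CERTIFICATE") -> bytes:
    """Extract the first block of the given type and decode it to DER bytes."""
    for m in PEM_BLOCK.finditer(data):
        if m.group(1).decode() == block_type:
            return base64.b64decode(b"".join(m.group(2).split()))
    raise ValueError(f"no {block_type} block found")


def der_to_pem(der: bytes, block_type: str = "CERTIFICATE") -> bytes:
    """Wrap DER bytes in a PEM block with 64-character base64 lines."""
    body = "\n".join(textwrap.wrap(base64.b64encode(der).decode(), 64))
    return f"-----BEGIN {block_type}-----\n{body}\n-----END {block_type}-----\n".encode()


# Constructed placeholder: a SEQUENCE of length 20 filled with zeros, not a real certificate.
FAKE_DER = bytes([0x30, 0x14]) + b"\x00" * 20
```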

General errors

Protocol is not correctly configured

In this scenario, Transfer CFT is trying to connect to a remote partner that is not configured for SSL. Check that the partner's "SAP" (TCP PORT) in your configuration matches the port of the remote SSL protocol.

In client mode, if you see a combination of errors similar to the following, check that the remote partner is correctly configured for SSL.

CFTH11E PART1 PART = Error Opening session VNRELI EV = ST = SUP01

CFTT75E PART1 PART = IDF = TEST IDT connect reject = 260

CFTY11I CTX = 100003 PART1 PART = SSL = SSLPART1 Closing SSL client session

Insufficient security

In this scenario, two Transfer CFTs have no cipher suite in common. The cipher suite used during the transfer is negotiated in the 'Client_hello' and 'Server_hello' frames. The server finds no match between the options the client presents and those configured on its side, so it returns an error.

Client side

CFTY13E CTX = 100003 SSL Handshake local error [INSUFFICIENT_SECURITY] CR = 71

Server side

CFTY13E CTX = 110004 SSL Handshake local error [close_notify] CR = 0

Check the 'ciphlist' setting in your CFTSSL definition.

Unknown server certificate

In this scenario, the client does not recognize or accept the server's certificate (the server must be authenticated).

CTX = 2100e9 CFTY25I HOST = remote address 172.31.250.35

CTX = 2100e9 CFTY24I Server certificate ID = XMCA rootID = XMCA

CTX = 2100e9 CFTY13E SSL Handshake local error [UNKNOWN_CA] CR = 48

CTX = 2000e8 CFTY11I PART = SSL = GEM SSLG Closing SSL client session

PART CFTH61I GEM = IDS = 00232 PESIT Requester closed session

Check that the server's chain of authority (ROOT or intermediate certificate) was inserted in the core PKI.

TLS V1 and SSL V3 compatibility issues

It is recommended that you set the server to use TLSV1COMP. However, in Transfer CFT you cannot manually set a specific TLS version. If you set the CFTSSL object VERSION parameter to TLSV1 or TLSV1COMP, in client mode Transfer CFT introduces itself as TLS 1.2. The SSL communication is then performed using the highest TLS version supported by the remote partner, as defined by the TLS RFC.

When Transfer CFT is the client there are two possible scenarios that may lead to errors. When Transfer CFT is the server, it negotiates the TLS version and so no issue occurs.

If the client is configured for the new compatibility mode and the server is using the old one, or the reverse, the log messages resemble the following.

CFTY13E CTX=200008 SSL Handshake local error [TLSPARSE] CR=1 (SSL_ERROR_ZERO_RETURN(6): NULL(err=0))

CFTH11E Error Opening session <PART=ST_QAPS EV=VVTIMO ST=CN0022>

CFTT75E connect reject <IDTU=A0000009 PART=ST_QAPS IDF=ST_QA_AP IDT=A2716390 260 TLSPARSE>

A message similar to the following is displayed in the catalog:

ST_QAPS SFK TK ST_QA_AP A2716390 0 0 260 TLSPARSE
