TLS Troubleshooting

If you encounter connection problems using the TLS connector, these are usually the result of configuration errors, such as invalid or missing connector options, missing or incorrectly-specified certificates, or mismatched shared keys.

TLS configuration options for TLS servers are verified at an early stage before creating listening ports. If an error is detected in the configuration syntax, the Uniface Router or exclusive server exits. This is the desired behavior, which ensures that no TLS clients can connect to an incorrectly configured TLS port.

If a connection fails, check the log files of the client application (such as UPOPMAIL), the Uniface Router and, if one was started, the Uniface Server. To make TLS errors more verbose, use /pri=64 on the command lines or $ioprint=64 in all the assignment files.

With pre-shared key authentication, the only problem you can have is a missing or mistyped shared_key in an assignment file, which results in network connection errors.

The following is a list of error messages and their likely causes:

  • TLS: [-79] Invalid driver option, 'ConnectionProfile' not found in the [NET_SETTINGS] section of the assignment file.

    The specified TLS connection profile is not defined.

  • 'ConnectionProfile' or USYS$TLS_PARAMS does not define a shared key or a certificate

    The TLS connection profile or the default profile is missing the shared_key (for pre-shared key authentication), or certificate (verify_client and/or verify_server), or they are incorrectly defined.

  • SSL Error error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca

    The CA root certificate that can verify the certificate is not present. The peer may not have the ca_certificate or ca_location options configured, or they do not point to the right CA certificate.

  • Certificate verification error 18: self signed certificate

    The self-signed certificate is not specified as the CA certificate in the peer that verifies the certificate. The peer may not have the ca_certificate configured, or it does not point to the right certificate.

  • SSL Error error:0906D06C:PEM routines:PEM_read_bio:no start line

    One of the following TLS connector options is incorrectly configured:

    • client_certificate
    • server_certificate
    • client_key
    • server_key

    For example, consider the following possibilities:

    • A key file is specified for server_certificate
    • A certificate is specified for server_key.
    • One or both of the certificate and key files have not been specified by the connector option.
    • The files are not in PEM format.

  • SSL Read : ret=5=SSL_ERROR_SYSCALL []
    Cannot continue, no TCPNet for TLS
    NETMSG 8061 - Network error detected ( (0)).
    Logon (TLS:complete|path|of|URouter) failed with status -16, Network error

    The Uniface Router has had a problem verifying a certificate and has refused the connection. Look in the Uniface Router log to find out why. The following error will be recorded:

    ERROR SSL handshake failed NETGET(Server Authenticating Client) An error has occurred verifying a certificate or common name.

    The actual error can be found in the line(s) before this one.

  • SSL Error error:140943FC:SSL routines:ssl3_read_bytes:sslv3 alert bad record mac

    Occurs only with pre-shared key authentication. There is a mismatch between the pre-shared key of the TLS server and the client: the keys differ, or only one of the two peers has a key specified.

  • SSL Error error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac

    Occurs only with pre-shared key authentication. There is a mismatch between the pre-shared key of the TLS server and the client. The specified key may be different.

  • SSL Error error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure

    Indicates that the peer has refused the connection. Look at the log file of the peer, which will have the actual error. For example, the certificate could have expired or one of the other errors mentioned here could have occurred.

  • SSL Error error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher

    Occurs when you have limited the ciphers that can be used with the cipher_list option, such that none of the specified ones are usable, or none of the specified ciphers are included in the cipher list of the peer. In that case, there is no cipher for the TLS driver to use.

  • SSL Error error:1408F10B:SSL routines:ssl3_get_record:wrong version number

    This is accompanied by the following error in the line before:

    NETERR_CONNECTION [-18]: TLS: [-10] Could not complete SSL handshake, (SSL: [1] SSL_ERROR_SSL OpenSSL error, (Client Authenticating Server) )

    Occurs when using the SMTP STARTTLS Security Driver and the TLS driver is specified as a protocol in the connection string to the SMTP server, for example:

    ; Specify the network connection string to the SMTP server
    vSmtpServer = "TLS:smtp.office365.com+587"

    The correct connection string should look like this, as can be seen in the code example in SMTP STARTTLS Security Driver:

    ; Specify the network connection string to the SMTP server
    vSmtpServer = "smtp.office365.com+587"
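
As an added example, not part of the Uniface documentation, the following Python script scans a Uniface log for the OpenSSL error lines listed above, decodes each packed error code into its library, function and reason parts, and annotates it with the likely cause given on this page. It assumes the OpenSSL 1.x error-code layout (which the codes on this page use; OpenSSL 3.x packs codes differently), and the sample log is constructed.

```python
import re

# Likely causes from this page, keyed by the OpenSSL code in the log line.
LIKELY_CAUSES = {
    0x14094418: "verifying peer lacks the CA root: check ca_certificate / ca_location",
    0x0906D06C: "client/server_certificate or client/server_key wrong, missing or not PEM",
    0x140943FC: "pre-shared key mismatch: compare shared_key on server and client",
    0x1408F119: "pre-shared key mismatch: compare shared_key on server and client",
    0x14077410: "peer refused the connection: read the peer's log for the real error",
    0x1408A0C1: "cipher_list leaves no cipher both peers can use",
    0x1408F10B: "wrong version number: e.g. a TLS: prefix in an SMTP STARTTLS string",
}

# OpenSSL 1.x packs a code as (library << 24) | (function << 12) | reason;
# reasons >= 1000 are TLS alerts (alert number + SSL_AD_REASON_OFFSET).
ERR_RE = re.compile(r"SSL Error error:([0-9A-Fa-f]{8}):[^:]+:[^:]+:(.*)")

def unpack(code):
    # -> (library, function, reason)
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF

def triage(log_text):
    # One finding per "SSL Error" line; the preceding line is kept as well,
    # since the page notes the real error is often recorded just before.
    findings, lines = [], log_text.splitlines()
    for i, line in enumerate(lines):
        m = ERR_RE.search(line)
        if not m:
            continue
        code = int(m.group(1), 16)
        lib, func, reason = unpack(code)
        findings.append({
            "line": i + 1, "code": code, "library": lib, "function": func,
            "reason": reason, "alert": reason - 1000 if reason >= 1000 else None,
            "text": m.group(2).strip(),
            "cause": LIKELY_CAUSES.get(code, "not in the troubleshooting list"),
            "previous": lines[i - 1] if i > 0 else "",
        })
    return findings

# Constructed sample log (not a real Uniface log) with two of the errors above.
SAMPLE_LOG = """\
NETERR_CONNECTION [-18]: TLS: [-10] Could not complete SSL handshake
SSL Error error:1408F10B:SSL routines:ssl3_get_record:wrong version number
SSL Error error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"line {f['line']}: {f['text']} -> {f['cause']}")
```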