
SSL_OPTION "XCOMU0780E Txpi  309: TxpiSSLConfig Option Failed"


Article ID: 258253


Products

XCOM Data Transport
XCOM Data Transport - Linux PC
XCOM Data Transport - Windows
XCOM Data Transport - z/OS

Issue/Introduction

This article concerns the SSL_OPTION values in the $XCOM_HOME/config/configssl.cnf file:
[SSL_OPTION]
INITIATE_SIDE = SSL_OP_ALL|SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3|SSL_OP_NO_TLSv1|SSL_OP_NO_TLSv1_1
RECEIVE_SIDE  = SSL_OP_ALL|SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3|SSL_OP_NO_TLSv1|SSL_OP_NO_TLSv1_1|SSL_OP_SINGLE_DH_USE

What is the cause and impact of the following error message, seen during an SSL loopback test either in the xcom.log file or only in an XCOM trace file (captured with the xcom.glb parameter XTRACE=10)?
XCOMU0780E Txpi  309: TxpiSSLConfig Option Failed msg = <SSL_OP_ALL|SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3|SSL_OP_NO_TLSv1|SSL_OP_NO_TLSv1_1> value = 0:

Environment

Release : 11.6

Cause

The TxpiSSLConfig Option Failed message occurs because XCOM does not correctly interpret the SSL_OPTION value SSL_OP_NO_TLSv1_1 in the $XCOM_HOME/config/configssl.cnf file. A similar error occurs when using the SSL_OPTION value SSL_OP_NO_TLSv1_2. (Cryptographic Protocols)

The error itself is non-fatal. If it appears in the xcom.log file, however, a later fatal SSL error has occurred, and that fatal error is what causes the earlier non-fatal error to be logged in xcom.log.
In that scenario the trace file shows the following symptom: the non-fatal 309 error is followed by the fatal 308 error, but only the 309 error is logged in xcom.log:
===
E - catoossl.c(7321): Analyzing SSL option value <SSL_OP_ALL|SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3|SSL_OP_NO_TLSv1|SSL_OP_NO_TLSv1_1>
E - catoossl.c(7362): Found SSL option value 0x87598BFF, *popt_rc=1
E - catoossl.c(5831): Error 309
E - catoossl.c(5831): Txpi  309: TxpiSSLConfig Option Failed msg = <SSL_OP_ALL|SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3|SSL_OP_NO_TLSv1|SSL_OP_NO_TLSv1_1> value = 0
...
...
E - catoossl.c(1799): Error 308
E - txpierr.c(179): Not setting dwReturnCode; old value: 309
E - catoossl.c(1799): Txpi  308: TxpiInitSSL Failed msg = <error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt> value = 0
E - catoossl.c(1799): TxpiSSLError: SSL file name = evp_enc.c, line nb: 681
E - catoossl.c(1800): client_ctx: SSL_CTX_use_PrivateKey certificateInitSide: </opt/CA/XCOM/ssl/certs/clientcert.pem>
E - catoossl.c(6731): txpiparms_free:
E - catoossl.c(1804): client_ctx: SSL_CTX_free successful.
E - catoossl.c(1806): client_ctx: SSL_library_term  successful.
E - catotxpi.c(985): TxpiInitClientSSL: client_ctx failed.
    lu62.c 9105: XattachTcp TxpiInitClientSSL failed.
    lu62.c 9549: Error 309 reason 0 processing Xalloc/TxpiInitClientSSL
.
    lu62.c 9551: Txpi  309: TxpiSSLConfig Option Failed msg = <SSL_OP_ALL|SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3|SSL_OP_NO_TLSv1|SSL_OP_NO_TLSv1_1> value = 0
    xdump.c 792: Log_File = /opt/CA/XCOM/xcom.log
    
LOGGED >>> 2023/01/20 00:33:22 TID=000020 PRG=xcomtcp PID=3485 IP=127.0.0.1 PORT=8045;    XCOMU0780E Txpi  309: TxpiSSLConfig Option Failed msg = <SSL_OP_ALL|SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3|SSL_OP_NO_TLSv1|SSL_OP_NO_TLSv1_1> value = 0: ;
...
...
===
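To find the fatal error that xcom.log does not show, the trace can be scanned for the pattern above. This is an added example, not Broadcom or XCOM code; the function name `find_masked_errors` is hypothetical, and it assumes (from the trace excerpt) that a "Not setting dwReturnCode; old value: N" line means code N remains the one reported.

```python
import re

# Trace lines taken from the excerpt in this article (XTRACE=10 output).
OPTS = "SSL_OP_ALL|SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3|SSL_OP_NO_TLSv1|SSL_OP_NO_TLSv1_1"
SAMPLE_TRACE = f"""\
E - catoossl.c(5831): Error 309
E - catoossl.c(5831): Txpi  309: TxpiSSLConfig Option Failed msg = <{OPTS}> value = 0
E - catoossl.c(1799): Error 308
E - txpierr.c(179): Not setting dwReturnCode; old value: 309
E - catoossl.c(1799): Txpi  308: TxpiInitSSL Failed msg = <error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt> value = 0
E - catoossl.c(1800): client_ctx: SSL_CTX_use_PrivateKey certificateInitSide: </opt/CA/XCOM/ssl/certs/clientcert.pem>
    lu62.c 9551: Txpi  309: TxpiSSLConfig Option Failed msg = <{OPTS}> value = 0
"""

TXPI_RE = re.compile(r"Txpi\s+(\d+): (.+?) Failed msg = <(.*)> value = \d+")
KEPT_RE = re.compile(r"Not setting dwReturnCode; old value: (\d+)")


def find_masked_errors(trace_text):
    """Return the Txpi errors hidden behind an earlier return code.

    Assumption read from the trace excerpt: after a "Not setting
    dwReturnCode; old value: N" line, N stays the reported code, so the
    next Txpi error with a different code never reaches xcom.log.
    """
    masked, kept = [], None
    for line in trace_text.splitlines():
        m = KEPT_RE.search(line)
        if m:
            kept = int(m.group(1))
            continue
        m = TXPI_RE.search(line)
        if m and kept is not None and int(m.group(1)) != kept:
            masked.append({
                "logged_code": kept,
                "masked_code": int(m.group(1)),
                "function": m.group(2),
                "detail": m.group(3),
            })
            kept = None
    return masked


if __name__ == "__main__":
    for hit in find_masked_errors(SAMPLE_TRACE):
        print("xcom.log shows {logged_code}, real failure is {masked_code} "
              "in {function}: {detail}".format(**hit))
```
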

Resolution

A fix for this XCOM for Linux problem will be released soon for both 11.6 and 12.0. See problem 19475 (SSL OPTIONS NOT HONORED).
In the meantime, the SSL_METHOD section of the $XCOM_HOME/config/configssl.cnf file can be used to specify the required SSL version. The SSL_METHOD section takes precedence over the SSL_OPTION section when conflicting values are specified.