scottklement.com

I have an AS400 customer running RPG who has connection issues with our NGINX API server. He has no problems establishing an SSL connection with other servers (e.g. https://secure.shippingapis.com/) and I have examined those sites with the Qualys test site to see what ciphers they expose. When trying to contact our site https://api-sandbox.myibservices.com we see this error in the log: GSKit) No compatible cipher suite available between SSL end points.

1. The HTTPAPI log doesn't expose the cipher that is used to connect to the shippingapis site. Is there an option in the log to expose that?
2. The Qualys site shows the notation secp256r1 adjacent to many of the listed ciphers (referencing an elliptic curve algorithm). Our NGINX cipher list shows instead notations like x25519. Can anyone comment of the potential significance of this?
3. According to the IBM documentation for OS 7.1 here are the supported ciphers:

CipherSuiteNumber CipherSuiteName
----------------- ---------------
04 RSA_RC4_128_MD5
05 RSA_RC4_128_SHA
0A RSA_3DES_EDE_CBC_SHA
2F RSA_AES_128_CBC_SHA
35 RSA_AES_256_CBC_SHA
3C RSA_AES_128_CBC_SHA256
3D RSA_AES_256_CBC_SHA256

The customer reported this following ciphers on his machine (more and a different list). Is this possible or should we depend on the IBM documented ciphers? (This is the reason for question #1)

10 *RSA_AES_256_CBC_SHA256
20 *RSA_AES_128_CBC_SHA256
30 *RSA_AES_128_CBC_SHA
40 *RSA_AES_256_CBC_SHA
50 *RSA_3DES_EDE_CBC_SHA
60 *RSA_DES_CBC_SHA
70 *RSA_EXPORT_RC2_CBC_40_MD5
80 *RSA_NULL_SHA256
90 *RSA_NULL_SHA
100 *RSA_NULL_MD5

TIA for any help provided!!

Problem solved.

Adding these two OpenSSL ciphers to the NGINX configuration allowed for a successful connection:

AES256-SHA which translates to TLS_RSA_WITH_AES_256_CBC_SHA
AES128-SHA which translates to TLS_RSA_WITH_AES_128_CBC_SHA

You can also control the elliptic curve cipher used so that secp256r1 is prefered. Our configuration had 'any'. I'm not sure this setting had anything to do with the connectivity problem. And since the ciphers that worked didn't involve elliptic curves, the issue was moot.

Hope this helps someone down the line...

Glad you found the problem - but it may just be the beginning of similar issues for your customer.

Their OS is too old (it came out 12 years ago and support ended 5 years ago) as a result IBM do not update the software. Ciphers required by many web services are just not available at 7.1 and never will be. If they want to do "modern" stuff they really need to update.