Signature algorithm not in signature algorithm pairs list

Document ID : KB000008608
Last Modified Date : 14/02/2018
Show Technical Document Details
Issue:

We have recently implemented the CA-CCI maintenance in support of TLS 1.2. 

The maintenance is currently on several sand-boxes, we have the problem with test system and all its updated connections. 

Note that SWER connects to all non-updated systems fine. 

This on SWER for all updated systems: 

CAS9899E Task 18 Error: SSL function gsk_secure_socket_init 

CAS9899E Task 18 Error: SSL function rc = 467 -> 

CAS9899E Task 18 Error: Signature algorithm not in signature algorithm pairs list 

CAS9861I Task 18 closing (901.987.654.321):2189. 

CAS9861I Task 18 delivered 2 packets, 694 bytes. 

CAS9899W Task 7 Heart Beat Timeout with MVSN 

CAS9899I Task 7 Connection with MVSN still active 

CAS9899E Task 7 Error: SSL function gsk_secure_socket_read 

CAS9899E Task 7 Error: SSL function rc = 420 -> 

CAS9899E Task 7 Error: Socket closed by remote partner 

CAS9899E Task 7 Error: SSL I/O ErrNo = 1121 -> 

CAS9899E Task 7 Error: EDC8121I Connection reset. 

CAS9603I - CAICCI SWER DISCONNECT FROM CAICCI MVSN 

 

This on the remote side: 

CAS9899E Task 5 Error: SSL function gsk_secure_socket_init 

CAS9899E Task 5 Error: SSL function rc = 438 -> 

CAS9899E Task 5 Error: Internal error reported by remote partner 

CAS9861I Task 5 closing SWER(123.456.789.01):21721. 

CAS9861I Task 5 delivered 2 packets, 694 bytes. 

CAS9855I Task 7 has connection from SWER(123.456.789.01):1433 

CAS9855I Task 7 has connection from SWER(123.456.789.01):1438 

6 Requested cipher_spec(s) = 002F00350038003900320033, Len = 24 

CAS9899E Task 7 SWER(123.456.789.01):1438 has no certificate. 

CAS9861I Task 7 closing SWER(123.456.789.01):1438. 

CAS9861I Task 7 delivered 2 packets, 694 bytes. 

 

Same behavior seen on each remote. 

Environment:
z/os R2.1
Cause:

IBM and their analysis pointed at the CERT as being the issue. 

Resolution:

In gathering the information there were other attached certificates in the keyring that should not have been there. 

 

They cleaned this up and it corrected the issue.