SSL return codes

This topic lists the system SSL return codes for the most common problems that can occur during SSL initialization or SSL handshake.

Before using the following return code table,

Common return codes

Table 1. Common return codes
Return code Description
-2 No system certificate is available for SSL processing. The Telnet server successfully initializes SSL, but the SSL handshake fails. There is no signon panel in the SSL Telnet client window. The QIBM_QTV_TELNET_SERVER application does not have an assigned system certificate.

View the system certificate and check that the value Yes shows in the Certificate assigned column. If the value is No, create a system certificate for the QIBM_QTV_TELNET_SERVER application.

-4 The CA certificate or system certificate is bad. The system certificate is not private or trusted. The Private Key and Trusted fields on the server certificate are not correct. The Telnet SSL client window has no signon panel.

Add Certificate Authority (CA) information in your Telnet SSL client. If you are using iSeries™ Access for Windows® as your Telnet SSL client, see Manage public Internet certificates for SSL communication sessions. Otherwise, see Obtain a copy of the private CA certificate for instructions.

-16 The peer system is not recognized. This is the most common problem when a Telnet SSL client first attempts to establish an SSL session. The Telnet SSL client window has no signon panel.

Add Certificate Authority (CA) certificate information to your Telnet SSL client.

-18 The system certificate is self-signed and the server is using it as a CA certificate. The system certificate assigned to the QIBM_QTV_TELNET_SERVER application must be trusted, signed by a certificate authority, and used within the valid time period. You need to create a CA certificate and associate it with the system certificate. The Telnet server does not initialize SSL if the system certificate is incorrect.

Create a CA certificate and associate it with the system certificate.

-23 The system certificate is not signed by a trusted certificate authority. The system certificate assigned to the QIBM_QTV_TELNET_SERVER application must be trusted, signed by a certificate authority, and used within the valid time period.

Change the CA certificate to Trusted. For instructions, see Manage applications in DCM.

-24 The valid time period of the CA certificate has expired. You are using an out-of-date certificate. The Telnet SSL client window has no signon panel.

Renew the CA certificate that was used to build the system certificate.

-93 SSL is not available for use. Telnet SSL clients cannot connect to a host because there is no active SSL listener.

Install software requirements to support Telnet SSL and to manage certificates. For instructions, see Check system status.

Other SSL return codes

For the SSL return codes in the following table, use the Digital Certificate Manager to verify that the digital certificates meet these requirements:

Table 2. Other SSL return codes
Return code Description
-1 No ciphers are available or specified
-6 i5/OS® does not support the certificate type
-10 An error occurred in SSL processing. In the job log, check the CPExxxx message where xxxx is the sockets error value.
-11 SSL received a badly formatted message
-12 A bad message authentication code was received
-13 Operation is not supported by SSL
-14 The certificate signature is not valid
-15 The certificate is bad
-17 Permission was denied to access object
-20 Unable to allocate storage required for SSL processing
-21 SSL detected a bad state in the SSL session
-22 The socket used by the SSL connection has been closed
-25 The date in the certificate is in a bad format
-26 The key length is bad for export
-90 Not a key ring file
-91 The password in the key database has expired
-92 Certificate is not valid or was rejected by the exit program
-94 SSL_Init() was not previously invoked for the job
-95 There is no key ring for SSL initialization
-96 SSL is not enabled
-97 The specified cipher suite is not valid
-98 The SSL session ended
-99 An unknown or unexpected error occurred during SSL processing
-1010 Double encryption is not allowed when using AC2 and IP-SEC

Related tasks
Work with the Digital Certificate Manager configuration
Manage the certificate assignment for an application
Manage public Internet certificates for SSL communication sessions
Create and operate a Local Certificate Authority
Manage applications in DCM
Check system status

Related reference
Obtain a copy of the private CA certificate