When attempting to connect to a server using TLS we get UNKNOWN_PROTOCOL. We attempted to debug by issuing OPENSSL commands:
openssl s_client -msg -connect :443
Message returned: wrong version number
343598475400:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:./
Issued openssl version command:
OpenSSL 1.0.2k 26 Jan 2017
I then confirmed that python is pointed to the same version OpenSSL 1.0.2k 26 Jan 2017
I’m not sure how to proceed in my setup.
I can’t tell what it is that you are trying to do. Can you provide the python code that is failing, the version of python you are running, etc.?
The script is connecting to a Linux server that will take in parms from a file to build certificates. However when the script attempts to connect to the server using TLS for security it fails to establish the connection and we get UKNOWN_PROTOCOL.
Where would python be looking to get the certs for creating the secure connection?
I think I need the intermediate Certificate to be presented when connecting to the server. Where do we install the certs we want python scripts to use for HTTPS connections?
I’ve stepped back and attempted connection to the server using openssl commands and I’m getting
I think I will start looking at the OPENSSL discussion. I’m assuming OPENSSL is needed for PYTHON to make a secure connection.
After we did the isolated install it allowed us to discover that all traffic for port 443 was being routed through comservr’s default keyring /* AUTH */. We now have the connection working.
We have gotten further but the scipt is still failing:
<urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:661)>
I found that you can disable the certificate verification using command
However this is not a recommended state but allows you to get further.
What this means is that our script is not able to validate the signing certificate coming back from the server we are connecting to. It means we need to point to a certificate bundle that contains all our signing and root certs for the our organization.
I’ve been unable to find where we can override the default path to point it to our cert bundle. If anyone has that information please share it.
I got it to work by prefixing the execution of the script with setting a program environment variable SSL_CERT_FILE=
**** works ***
SSL_CERT_FILE=/u/c06u/opt_cst/sf-bundle.crt python2 certRequest.py -r sampleXML --urllib2
I would prefer ever person running a python script on Z/os would not have to perform this setting and have the entire environment set to point to the same location for the certificate bundle.
Any help would be appreciated.
**** conclusion ****
I put in my .profile
I would recommend you setup a common location for the cert bundles and then each person running the script will have to include this in the .profile
Here are the entire list of environment variables. We installed it using the same directory structure Rocket used:
export _CEE_RUNOPTS=“FILETAG(AUTOCVT,AUTOTAG) POSIX(ON)”
Additionally I would recommend the following to display the directory path you are working on.
export PS1=’$LOGNAME’:’$PWD’:’ >’
This has been a long and difficult path. I wish the forum was more active and could have found some help form someone. I posted all these steps for others. I really hope it could help all mainframe shops to integrate with open systems. Have python, perl… makes the mainframe even more approachable.
I don’t think these forums are being monitored the Rocket Open Source team as posted in the forum description * Monitored by the Rocket Open Source team!!
Hi, i’m new here. What’s the best way to stay connected?