Https web service not completing handshake unless we set "verify peer=no"

It is the first time I install certificates.  I have my MFES set up as per the documentation, but only works when we set "verify peer=no" in the mf_client.dat file.  MFES is acting as a client on this setting.

I installed Wireshark in that server, and below is what I see.

When we remove or comment "verify peer=no" in the mf_client.dat file, it behaves as follows:

   We send the "Client Hello" message

   Host sends back "Server Hello, Certificate, Server Key Exchanged, Server Hello Done" message from the host.

   We immediately send back an "Alert (Level: Fatal, Description: Unknown CA)" message, and follow with a "[FIN, ACK]" transmission.

When we set back the "verify peer=no" parameter in the mf_client.dat file, it then behaves as follows:

   We send the "Client Hello" message

  Host sends back "Server Hello, Certificate, Server Key Exchanged, Server Hello Done" message from the host.

   We send back "Client key Exchange, Change Cipher Spec, Encrypted Handshake Message" message

   Host sends back "Change Cipher Spec" message, and then an "Encrypted Handshake Message" message

   We start sending data.

Want to point out that what catches my attention about this configuration is that we are using exactly the same certificate files on both client and host/server side.

Do we have an SSL SME in that can help guide us?

Hello Luis Laboy,

I am not an SSL SME, but will try to provide some initial suggestions to help you investigate.

First, it may be helpful to know which Micro Focus Product and version are in use, and on what platform (O/S, version and processor).

Next, investigating SSL/TLS issues can be complex, and some of the trace information gathered may be inappropriate for a public site. I would recommend you open a Support Case for your Micro Focus product to get assistance with this.

However, to get you started, here are some options for turning on traces for SSL/TLS. I would recommend that you try this first in a Dev or QA region where you have SSL enabled. Then you might provide the generated trace file through the Support Case mentioned above. Here are the instructions:

=== Begin SSL trace instructions ===

1) If you already have a CCI.INI file defined on your ES Server side, skip to step 3), and add the lines shown in that step

2) If you don’t already have a CCI.INI file on the ES server, cd to Enterprise Server system directory (the directory where console.log and log.html appear). For example:

cd /var/mfcobol/es/MYREGN

3) Create a file named CCI.INI in the Enterprise Server system directory, with the following lines:

[ccitcp-base]

ssl_display_cipher=yes

ssl_display_cert=yes

ssl_display_cert_fail_report=yes

ssl_display_cert_connection_details=yes

ssl_display_options_on=yes

ssl_display_destination=/home/user/MYREGN_ssltrc.txt

Note. The directory shown for ssl_display_destination is an example; please ensure that the operative user for the region has write permissions to the directory you specify for this setting.

=== End SSL trace instructions ===

Finally, once again, I don't recommend that you post the trace file on the Community site.