Question
Anil Mathew · Jan 29, 2017

ERROR #6085: Unable to write to socket with SSL/TLS configuration

I have 2 instances of Cache, one of 2010 and the other 2016. On both I have created an SSL Configuration with the same name.

When I connect to a SOAP Service Client from Cache 2010, I get the above error.

If I connect from Cache 2016, the connection gets through.

How can I get more details of the error in the Cache 2010 instance to be able to fix this issue?

I have enabled the SOAP Log and it does not give much detail.

Regards

Anil


Replies

That error probably means there's a problem on the TCP level or with the SSL handshake, not in the SOAP request.  I'd recommend doing:

%SYS> d ^REDEBUG

and setting the value to FFFFFFFF, then reproducing the problem.  This will log information which should help in the cconsole.log.  

Remember to run the utility again to set the debug level back to FF once you're done, since the higher debugging level puts a lot of entries into the log.

I am seeing the same error. Below is what my cconsole.log is displaying:

03/03/21-12:57:08:095 (39846580) 0 tpopen for host www.osumc.edu device number 61400583 port 443  mode 0x8848 tcpmode 0x124 terminators  ibfsz 8192 obfsz 8192 queuesize 5 timeout 5 tcpsbuf=0 tcprbuf=0, XY=off, BINDTO=10.82.124.91
03/03/21-12:57:08:095 (50397494) 0

SSL/TLS configuration: OSUWMC
03/03/21-12:57:08:097 (39846580) 0
Cipher list: ALL:!aNULL:!eNULL:!EXP:!SSLv2
03/03/21-12:57:08:097 (39846580) 0
Trusted certificate file: /ensemble/TestClin/mgr/LDAPKeyStore/OSUWMC_CA.cer
03/03/21-12:57:08:097 (39846580) 0
^MPeer verification option = 1, certificate depth = 9
03/03/21-12:57:08:097 (39846580) 0
SSL/TLS client requested.
03/03/21-12:57:08:100 (39846580) 0
Verify error with X.509 certificate at depth 2
03/03/21-12:57:08:100 (39846580) 0
Subject: /C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority
03/03/21-12:57:08:100 (39846580) 0
Issuer: /C=GB/ST=Greater Manchester/L=Salford/O=Comodo CA Limited/CN=AAA Certificate Services
03/03/21-12:57:08:100 (39846580) 0
Error: 20, unable to get local issuer certificate
03/03/21-12:57:08:100 (39846580) 0
SSL/TLS error return from SSL_connect().
03/03/21-12:57:08:100 (39846580) 0
SSL_ERROR_SSL: protocol error
03/03/21-12:57:08:100 (39846580) 0
error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
03/03/21-12:57:08:100 (39846580) 0
TPXMIT saw TCP device fail

Hello Scott,

The error is occurring because Caché does not have the certificate chain needed to verify the certificate used by the remote system. The error is:

Error: 20, unable to get local issuer certificate

The first certificate it is missing is:

Issuer: /C=GB/ST=Greater Manchester/L=Salford/O=Comodo CA Limited/CN=AAA Certificate Services

The SSL/TLS configuration has been configured to look for trusted certificates in the file: '/ensemble/TestClin/mgr/LDAPKeyStore/OSUWMC_CA.cer'. This should contain all the certificates in the certificate chain needed for the remote certificate, in PEM encoded format. See the documentation here for more information: https://docs.intersystems.com/latest/csp/docbook/DocBook.UI.Page.cls?KEY...

I hope this helps!
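Added example (not part of the original reply and not InterSystems code): a small Python parser for the cconsole.log layout pasted above. It groups each X.509 verify error with the SSL/TLS configuration and trusted certificate file in effect, so the issuer missing from the trust file can be read off directly. The sample log is constructed from lines in this thread, and the function names are hypothetical.

```python
import re

# Constructed sample in the cconsole.log layout shown in the thread:
# a timestamp header line, then the message on the following line.
SAMPLE_LOG = """\
03/03/21-12:57:08:095 (50397494) 0
SSL/TLS configuration: OSUWMC
03/03/21-12:57:08:097 (39846580) 0
Trusted certificate file: /ensemble/TestClin/mgr/LDAPKeyStore/OSUWMC_CA.cer
03/03/21-12:57:08:100 (39846580) 0
Verify error with X.509 certificate at depth 2
03/03/21-12:57:08:100 (39846580) 0
Subject: /C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority
03/03/21-12:57:08:100 (39846580) 0
Issuer: /C=GB/ST=Greater Manchester/L=Salford/O=Comodo CA Limited/CN=AAA Certificate Services
03/03/21-12:57:08:100 (39846580) 0
Error: 20, unable to get local issuer certificate
"""

HEADER = re.compile(r"^\d\d/\d\d/\d\d-\d\d:\d\d:\d\d:\d{3} \(\d+\) \d+\s*(.*)$")
FIELD = re.compile(r"(SSL/TLS configuration|Trusted certificate file|Subject|Issuer|Error): (.*)"
                   r"|Verify error with X\.509 certificate at depth (\d+)")

def messages(log_text):
    """Return one message string per timestamped record."""
    out = []
    for raw in log_text.splitlines():
        line = raw.replace("^M", "").strip()  # drop carriage-return residue
        m = HEADER.match(line)
        if m:
            out.append(m.group(1))            # text on the header line, if any
        elif line and out:
            out[-1] = (out[-1] + " " + line).strip()  # continuation line
    return out

def verify_failures(log_text):
    """Attach each X.509 verify error to the configuration it occurred under."""
    ctx, findings = {}, []
    for msg in messages(log_text):
        m = FIELD.match(msg)
        if not m:
            continue
        name, value, depth = m.groups()
        if depth is not None:                 # a new verify error starts here
            findings.append({**ctx, "depth": int(depth)})
        elif name in ("SSL/TLS configuration", "Trusted certificate file"):
            ctx[name] = value                 # context for later errors
        elif findings:
            findings[-1][name] = value        # Subject / Issuer / Error
    return findings
```

For a finding whose `Error` starts with `20,`, the `Issuer` value names the CA certificate that has to be present in the file given by `Trusted certificate file`.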

Yes it does, I have asked for a new Certificate chain.

Thanks

Thanks Katherine. This helped in tracking the issue. It gives me the following:

"SSL/TLS unavailable.  Error loading ssleay32.dll".

I tried to call the service from another Cache server and it works, so I guess it could be something local. I will have to find out why the ssleay32.dll gives the error.

Regards

Anil