Rocket Software

On Z/os running Python secure connection to Linux Server fails

When attempting to connect to a server using TLS we get UNKNOWN_PROTOCOL. We attempted to debug by issuing OPENSSL commands:
openssl s_client -msg -connect :443
Message returned: wrong version number

343598475400:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:./s3_pkt.c:365:

Issued openssl version command:
OpenSSL 1.0.2k 26 Jan 2017

I then confirmed that python is pointed to the same version OpenSSL 1.0.2k 26 Jan 2017

I’m not sure how to proceed in my setup.

I can’t tell what it is that you are trying to do. Can you provide the python code that is failing, the version of python you are running, etc.?

Python 2.7.13

The script is connecting to a Linux server that will take in parms from a file to build certificates. However, when the script attempts to connect to the server using TLS for security, it fails to establish the connection and we get UNKNOWN_PROTOCOL.

Where would python be looking to get the certs for creating the secure connection?

I think I need the intermediate Certificate to be presented when connecting to the server. Where do we install the certs we want python scripts to use for HTTPS connections?

I’ve stepped back and attempted connection to the server using openssl commands and I’m getting


no peer certificate available

No client certificate CA names sent

I think I will start looking at the OPENSSL discussion. I’m assuming OPENSSL is needed for PYTHON to make a secure connection.

After we did the isolated install it allowed us to discover that all traffic for port 443 was being routed through comservr’s default keyring /* AUTH */. We now have the connection working.

We have gotten further but the script is still failing:

<urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:661)>

I found that you can disable the certificate verification using command
export PYTHONHTTPSVERIFY=0

However this is not a recommended state but allows you to get further.

What this means is that our script is not able to validate the signing certificate coming back from the server we are connecting to. It means we need to point to a certificate bundle that contains all our signing and root certs for our organization.

I’ve been unable to find where we can override the default path to point it to our cert bundle. If anyone has that information please share it.

I got it to work by prefixing the execution of the script with setting a program environment variable SSL_CERT_FILE=

**** works ***
SSL_CERT_FILE=/u/c06u/opt_cst/sf-bundle.crt python2 certRequest.py -r sampleXML --urllib2

I would prefer every person running a python script on Z/os would not have to perform this setting and have the entire environment set to point to the same location for the certificate bundle.

Any help would be appreciated.
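
Added example, not part of the original posts and not Rocket's code: a small Python check (works on 2.7.9+ and 3.x) that reports which CA file the interpreter's OpenSSL will consult, flags the PYTHONHTTPSVERIFY=0 switch mentioned above, and builds a verifying context from an explicit bundle. The function names `trust_report` and `verified_context` and the bundle path in the comment are hypothetical.

```python
import os
import ssl


def trust_report(environ=None):
    """Report which CA file this interpreter's OpenSSL will consult."""
    environ = os.environ if environ is None else environ
    paths = ssl.get_default_verify_paths()
    # OpenSSL prefers the environment variable (normally SSL_CERT_FILE)
    # over the CA file path compiled into the library.
    env_value = environ.get(paths.openssl_cafile_env)
    cafile = env_value or paths.openssl_cafile
    return {
        "env_var": paths.openssl_cafile_env,
        "from_env": bool(env_value),
        "cafile": cafile,
        "cafile_exists": os.path.isfile(cafile),
        # PEP 493 switch (Python 2.7.12+): "0" turns HTTPS verification off.
        "verification_disabled": environ.get("PYTHONHTTPSVERIFY") == "0",
    }


def verified_context(cafile=None):
    """Build a context that verifies the certificate chain and hostname.

    With cafile set, only that bundle is loaded, so the script does not
    depend on what each user exports in .profile.
    """
    return ssl.create_default_context(cafile=cafile)


if __name__ == "__main__":
    report = trust_report()
    for key in sorted(report):
        print("%s = %s" % (key, report[key]))
    if report["verification_disabled"]:
        print("PYTHONHTTPSVERIFY=0 is set: server certificates are not checked")
    # Pass a bundle path here to pin it, e.g. verified_context("/path/to/bundle.crt")
    # (placeholder path, an assumption for illustration).
    ctx = verified_context()
    print("CERT_REQUIRED: %s" % (ctx.verify_mode == ssl.CERT_REQUIRED))
    # On Python 2.7.9+ the context can be passed as urllib2.urlopen(url, context=ctx).
```
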

**** conclusion ****
I put in my .profile
export SSL_CERT_FILE=/u/c06u/opt_cst/sf-bundle.crt

I would recommend you set up a common location for the cert bundles and then each person running the script will have to include this in the .profile

Here is the entire list of environment variables. We installed it using the same directory structure Rocket used:

export _BPXK_AUTOCVT=ON
export PATH=$PATH:/usr_local/bin;
#Python
export INSTALL=/rsusr/rocket
export RELEASE_NAME=python-2.7.13-anaconda-2017-04-12
export RELEASE_TYPE=py27
export RELEASE_DIR=$INSTALL/$RELEASE_NAME
export PYTHON_ENV=python27
export PYTHON_HOME=$RELEASE_DIR/$PYTHON_ENV
export PATH=$PYTHON_HOME/bin:$PATH
export LIBPATH=$PYTHON_HOME/lib:$LIBPATH
export FFI_LIB=$PYTHON_HOME/lib/ffi
export TERMINFO=$PYTHON_HOME/share/terminfo
export PKG_CONFIG_PATH=$PYTHON_HOME/lib/pkgconfig:$PYTHON_HOME/share/pkg
export CURL_CA_BUNDLE=$PYTHON_HOME/etc/ssl/cacert.pem
export SSL_CERT_FILE=/u/c06u/opt_cst/sf-bundle.crt

#Openssl
export PATH=$PATH:/rsusr/rocket/python-2.7.13-anaconda-2017-04-12/pkgs/o
export MANPATH=$MANPATH:/rsusr/rocket/ssl/man
export OPENSSL_CONF=/rsusr/rocket/python-2.7.13-anaconda-2017-04-12/pkgs
#bash
export PATH=$PATH:/rsusr/rocket/bin
export MANPATH=$MANPATH:/rsusr/rocket/man/
export _CEE_RUNOPTS="FILETAG(AUTOCVT,AUTOTAG) POSIX(ON)"
export _BPXK_AUTOCVT=ON
export _TAG_REDIR_ERR=txt
export _TAG_REDIR_IN=txt
export _TAG_REDIR_OUT=txt
#Perl
export PATH=$PATH:/rsusr/rocket/bin
export MANPATH=$MANPATH:/rsusr/rocket/man/
export PERL5LIB=$PERL5LIB:/rsusr/rocket/lib/perl5
export LIBPATH=$LIBPATH:/rsusr/rocket/lib/perl5/5.24.0/os390/CORE

Additionally I would recommend the following to display the directory path you are working on.
export PS1='$LOGNAME':'$PWD':' >'

This has been a long and difficult path. I wish the forum was more active and I could have found some help from someone. I posted all these steps for others. I really hope it could help all mainframe shops to integrate with open systems. Having python, perl… makes the mainframe even more approachable.

I don’t think these forums are being monitored by the Rocket Open Source team, as posted in the forum description: * Monitored by the Rocket Open Source team!!
https://www.rocketsoftware.com/zos-open-source-tools-support