search

zowe / zss

Zowe System Services Server for enabling low-level microservices
Eclipse Public License 2.0
13 stars 45 forks source link

Zowe Editor - An unknown error occured: undefined #707

Closed Martin-Zeithaml closed 6 months ago

Martin-Zeithaml commented 6 months ago

Original issue was zlux/1018.

Quick overview:

No message ZWES1601I Server is ready to accept JWT with fallback to legacy tokens Repeating messages ZWES1606W Failed to get JWK. rc=failed to init HTTP request (9), rsn=TLS error (17). Retry in 10 seconds

I have added the debug messages in tls.c.

Getting this output:

zcc -> tls -> tlsSocketInit: safeMalloc socket ok
zcc -> tls -> tlsSocketInit: label=connor
  ciphers=1984
  keyshares=420
zcc -> tls -> tlsSocketInit: gsk_secure_socket_open=0
zcc -> tls -> tlsSocketInit: gsk_attribute_set_numeric_value=0
zcc -> tls -> tlsSocketInit: label: gsk_attribute_set_buffer=0
zcc -> tls -> tlsSocketInit: ciphers: gsk_attribute_set_buffer=0
zcc -> tls -> tlsSocketInit: ciphers: gsk_attribute_set_enum=0
zcc -> tls -> tlsSocketInit: gsk_attribute_set_enum=0
zcc -> tls -> tlsSocketInit: TLS 1.3 isServer false: gsk_attribute_set_buffer=0
zcc -> tls -> tlsSocketInit: gsk_attribute_set_callback=0
zcc -> tls -> tlsSocketInit: gsk_secure_socket_init=1

gsk_secure_socket_init=1 means GSK_INVALID_HANDLE:

The environment or SSL handle is not valid. The specified handle was not the result of a successful open function call.

The conclusion is that the environment is wrong and there should be this as solution:

zowe:
  network:
    server:
      tls:
        maxTls: "TLSv1.2"
    client:
      tls:
        maxTls: "TLSv1.2"

This was already reported by other users/customers to solve their problem with Explorer IP or Editor.

I am waiting for confirmation from customer.

1000TurquoisePogs commented 6 months ago

You should turn on components.zss.agent.https.trace to get the .tlstrace file in the zowe.logDirectory which you can run gsktrace upon.

TLSv1.3 works for some but not for others. The trace can reveal why. Sometimes, the reason is ciphers. TLSv1.3 recommends ChaCha20-Poly1305 but this is too new for FIPS 140-2 When users set FIPS 140-2 restriction in their ICSF policy, and ZSS requests chacha poly, it will fail. Maybe thats what you encountered?

Martin-Zeithaml commented 6 months ago

It might be this case. The real ciphers are 1302 1301 1303..., which corresponds to 

TLS_AES_256_GCM_SHA384
TLS_AES_128_GCM_SHA256
TLS_CHACHA20_POLY1305_SHA256
Martin-Zeithaml commented 6 months ago

At least doc update for ZWES1606W.

Martin-Zeithaml commented 6 months ago

Back to TLSv1.2 solved the problem. Based on the debugging messages, problem most likely caused by ChaCha20-Poly1305 as mentioned above.