ssl.SSLError: [SSL: WRONG_VERSION_NUMBER] wrong version number (_ssl.c:997)

[moshix]

Hello

When I try to connect to my host, I get the following error:

Traceback (most recent call last):
File "/usr/local/lib/python3.10/site-packages/tnz/tnz.py", line 3689, in __connect
await loop.create_connection(protocol, host, port,
File "/usr/local/Cellar/python@3.10/3.10.8/Frameworks/Python.framework/Versions/3.10/lib/python3.10/asyncio/base_events.py", line 1092, in create_connection
transport, protocol = await self._create_connection_transport(
File "/usr/local/Cellar/python@3.10/3.10.8/Frameworks/Python.framework/Versions/3.10/lib/python3.10/asyncio/base_events.py", line 1122, in _create_connection_transport
await waiter
File "/usr/local/Cellar/python@3.10/3.10.8/Frameworks/Python.framework/Versions/3.10/lib/python3.10/asyncio/sslproto.py", line 534, in data_received
ssldata, appdata = self._sslpipe.feed_ssldata(data)
File "/usr/local/Cellar/python@3.10/3.10.8/Frameworks/Python.framework/Versions/3.10/lib/python3.10/asyncio/sslproto.py", line 188, in feed_ssldata
self._sslobj.do_handshake()
File "/usr/local/Cellar/python@3.10/3.10.8/Frameworks/Python.framework/Versions/3.10/lib/python3.10/ssl.py", line 975, in do_handshake
self._sslobj.do_handshake()
ssl.SSLError: [SSL: WRONG_VERSION_NUMBER] wrong version number (_ssl.c:997)

[najohnsn]

I suspect this means your server does not support secure connections. If you don't require a specific port try this:

zti {hostname}:23

Or try this to turn off ssl:

zti
set SESSION_SSL 0
goto {hostname}[:{port}]

[sunil390]

Observered similar problem with Python 3.11 on windows as well. setting SESSION_SSL and ZTI_SECLEVEL to different values did not fix the issue at 3.11 level. Host is z/OS 2.3 with TLS 1.2 enabled.

Finally Uninstalled 3.11 and installed 3.9 in windows which established the connection.

[sunil390]

Wondering what we are missing for the setup of 0.3.6 with Python 3.11 and TLS ?

[Trisk3lion]

Yes there seems to be some incompatibilities with this package and Python 3.11.

[najohnsn]

I'm surprised ZTI_SECLEVEL=1 did not help. Are you sure it was set as an environment variable before starting zti? In windows command prompt you would do set ZTI_SECLEVEL=1 and then run zti.

Given that ssl error, the incompatibility is between the python ssl usage and the tn3270 server. I'll try to look up what I did before to determine what "security" the server supports and what "security" python ssl support.

[sunil390]

Installed python 3.11, set ZTI_SECLEVEL=1 and then tried zti. Got below errors
Traceback (most recent call last):
File "C:\Users\A46xxxx\AppData\Local\Programs\Python\Python311\Lib\site-packages\tnz\tnz.py", line 3698, in __connect
await loop.create_connection(protocol, host, port,
File "C:\Users\A46xxxx\AppData\Local\Programs\Python\Python311\Lib\asyncio\base_events.py", line 1112, in create_connection
transport, protocol = await self._create_connection_transport(
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "C:\Users\A46xxx\AppData\Local\Programs\Python\Python311\Lib\asyncio\base_events.py", line 1145, in _create_connection_transport
await waiter
File "C:\Users\A46xxxx\AppData\Local\Programs\Python\Python311\Lib\asyncio\selector_events.py", line 970, in _read_ready__get_buffer
nbytes = self._sock.recv_into(buf)
^^^^^^^^^^^^^^^^^^^^^^^^^
ConnectionResetError: [WinError 10054] An existing connection was forcibly closed by the remote host

while in Python 3.9 this works.
The host expects a client cert. But while in python 3.9 it connects without any issues.

[najohnsn]

I think that the message here is that the information provided by the ssl error is insufficient considering the vast number of variables at play here. The best approach may be for tnz to do some additional diagnostics for ssl errors. Though I don't expect that to be easy.

In the meantime, it would be good to get some specifics about the version of Python (3.11.4?) and the version of OpenSSL.

It's possible that use of the OpenSSL command may be needed to debug.

[najohnsn]

I suspect that the SESSION_SSL=NEVER support provided by #137 (support in v0.5.0 and up) could help with this. Seeing that this is a bit old at this point. I'm going to close this issue out. We can re-open or open another issue if there is a problem with the support in the latest tnz.