
#15 x3270 SecureTransport error on macOS 10.15 Catalina

v1.0 (example)
open
nobody
tls (1)
5
2019-10-10
2019-10-10
Pete K.
No

I just upgraded to macOS 10.15 "Catalina" and am trying to run x3270 3.8ga6 with a TLS-encrypted connection. My server's certificate is signed by my company's intermediate cert, which is signed by my company's root cert, both of which are available in my system keychain. Under macOS 10.14, I was able to connect -- x3270 found the root certificates in my keychain without issue. Under macOS 10.15, I am getting "invalid certificate chain" errors. I can't seem to find any trace messages, nor any error messages in Console.app. Any ideas on where I could look next?

Note: I've tried this with my usual install method (HomeBrew) and also with a new build-from-source, both with the same result.

Discussion

  • Paul Mattes

    Paul Mattes - 2019-10-10

    I hope to be able to reproduce this, but it will take a while.

    In the meantime, two suggestions:

    • Start x3270 with the '-trace' option. You should get a trace window showing lots of debug information. If you can send me the error messages associated with this failure, that would be great.
    • Can you try something strange for me? Try connecting to your host with Safari (https://<your-host>:<port-usually-used-for-x3270>). If the problem is with your certs rather than with x3270's TLS support, you should get the same sort of error message from Safari. (Please use Safari rather than any other browser, so we're sure it is using the same TLS support in the OS.)
     
  • Pete K.

    Pete K. - 2019-10-10

    You rock!

    I had tried using Safari to go to the server on the standard https port, and that worked fine. Trying Safari on the 3270 port got me a certificate error. I still don't understand the error -- it said the certificate name didn't match the URL, and the only difference I can see is uppercase vs. lowercase. Maybe in Catalina it's matching certificates case-sensitively? But anyway, I accepted the certificate in Safari, and now my x3270 connection works fine!

     
  • Paul Mattes

    Paul Mattes - 2019-10-10

    Excellent! I thought that might diagnose it, but it fixed it as a bonus!

     
  • Pete K.

    Pete K. - 2019-10-10

    Just for the permanent record, it's a change in Catalina, nothing to do with x3270. I found this info at https://www.macobserver.com/news/apple-deprecates-sha-1/ :

    TLS server certificates must present the DNS name of the server in the Subject Alternative Name extension of the certificate. DNS names in the CommonName of a certificate are no longer trusted.
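
The rule quoted in the last comment, as an added example (not part of the original thread and not x3270 code): a check over the certificate dict format documented for Python's `ssl.SSLSocket.getpeercert()` that reports whether a host name is covered by a Subject Alternative Name entry or appears only in the CommonName. The host names and both sample certificates are constructed.

```python
# Added illustration: classify a certificate against the SAN-only hostname rule.
# Input is the dict form documented for ssl.SSLSocket.getpeercert().

def _name_match(pattern, host):
    """Compare one certificate DNS name with a host name, case-insensitively."""
    p, h = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if p.startswith("*."):
        # A wildcard stands in for exactly one left-most label.
        head, _, tail = h.partition(".")
        return bool(head) and tail == p[2:]
    return p == h

def san_dns_names(cert):
    """DNS entries of the Subject Alternative Name extension, if any."""
    return [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]

def common_names(cert):
    """CommonName values found in the certificate subject."""
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]

def classify(cert, host):
    """Return 'san-match', 'cn-only' or 'no-match' for this host."""
    if any(_name_match(n, host) for n in san_dns_names(cert)):
        return "san-match"
    if any(_name_match(n, host) for n in common_names(cert)):
        # Name is present only in CommonName: not trusted under the quoted rule.
        return "cn-only"
    return "no-match"

# Constructed sample certificates (hypothetical organisation and host names).
LEGACY = {"subject": ((("organizationName", "Example Corp"),),
                      (("commonName", "MAINFRAME.example.internal"),))}
REISSUED = dict(LEGACY, subjectAltName=(("DNS", "mainframe.example.internal"),
                                        ("DNS", "*.tn3270.example.internal")))

if __name__ == "__main__":
    for label, cert in (("legacy", LEGACY), ("reissued", REISSUED)):
        print(label, classify(cert, "mainframe.example.internal"))
```

`getpeercert()` returns this dict only for a certificate that passed chain validation, so to inspect a server signed by a private CA, load the company root into the `SSLContext` and set `check_hostname` to `False`.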

     
