fatal error: 40: no cipher suites in common

The server gets this error message when it receives a “clientHello” request.

It gets data like

GMT: -1226998915
bytes = {}
Session ID: {}
Cipher Suites: [SSL_DHE_DSS_WITH_AES_256_GCM_SHA384, … ]

Compression Methods: { }
Unsupported extension status_request, data: 01:00:00:00:00
Extension elliptic_curves, curve names: {unknown curve 256, …
Extension signature_algorithms, signature_algorithms: SHA256withECDSA…
Unsupported extension type_50, data:
Unsupported extension type_17, data:
Extension extended_master_secret
Unsupported extension type_43, data:

It used the list of cipher suites passed up to find a compatible certificate in the key store.

If the Alias has been specified at the server, it will try to use this every time.

If Alias has not been specified it will take the first cipher suite, and try to match any keys in the keystore which support the cipher suite.

found key for : ZZZZ
chain [0] = [
Version: V3
Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11

Key: IBMJCE RSA Public Key:
modulus: 229627889554
public exponent:  65537

found key for : NISTECC
chain [0] = [
Version: V3
Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11

Key: algorithm = EC
a: 68647…
b: 10938…
size: 521


The clientHello has a Cipher Suite: with SSL_RSA_WITH_AES_256_GCM_SHA384.

This matches the Key: IBMJCE RSA Public Key:

On z/OS it does not seem to be able to select Elliptic Curve Keys, and only selects RSA.  I was not able to get any Elliptic curves selected on z/OS.

Reasons why you can get this message

  1. The specified alias is not in the key ring
  2. The specified alias is in the key ring, but it has status:NOTRUST.  Display the ring and certificate with
    1. racdcert listring(DANCERTRING) id(start1) , and
    2. racdcert list (label(‘MYCERT’)) id(START1) 
  3. The specified alias is in the key ring, but the dates are not valid.  Use the above commands and look for “Start Date” and “End Date”
  4. On z/OS the public key is Elliptic.