SSL negotiation failed

Thomas Baumgart thb at net-bembel.de
Fri Apr 15 08:42:07 BST 2022


On Thursday, 14 April 2022 22:28:14 CEST Under Dog via KMyMoney wrote:

> I've been using KMyMoney Version 5.1.2 for a long time via Ubuntu
> Jammy Jellyfish on a PC. Just recently when updating accounts
> (kmymoney ofx), I get the error message "Could not connect to host
> ofxs.ameritrade.com: SSL negotiation failed." This occurs with one
> account TDAmeritrade, four other accounts still work fine. Unmapping
> and re-mapping the online account does not help:  I get the same error
> when first attempting the mapping process. I ran the SSL Server Test
> at ofxs.ameritrade.com via https://www.ssllabs.com/ssltest/ and
> attached the resulting report. If anyone can help resolve this issue
> it would be greatly appreciated.

I've spotted a few things in the SSL report which may be relevant (secure
renegotiation is not supported). Also, B for the overall rating of a
bank's server is not good. This is mostly due to the missing forward
secrecy.

I wonder which URLs are used by the accounts that work.


I tried here to access the server using openssl from the command line
without problems (I am on openSUSE Leap 15.3). Also, using KMyMoney
I was able to get a distinct OFX error message when trying to log in
using the credentials test/test (which means I got past the SSL
handshake). Looking at the Wireshark trace of this connection I don't
spot any problems either.

----8<----
url: https://ofxs.ameritrade.com/cgi-bin/apps/OFX
request:
OFXHEADER:100
DATA:OFXSGML
VERSION:102
SECURITY:NONE
ENCODING:USASCII
CHARSET:1252
COMPRESSION:NONE
OLDFILEUID:NONE
NEWFILEUID:20220415092813.000

<OFX>
<SIGNONMSGSRQV1>
<SONRQ>
<DTCLIENT>20220415092813.000
<USERID>test
<USERPASS>test
<LANGUAGE>ENG
<FI>
<ORG>ameritrade.com
<FID>5024
</FI>
<APPID>QWIN
<APPVER>1700
</SONRQ>
</SIGNONMSGSRQV1>
<SIGNUPMSGSRQV1>
<ACCTINFOTRNRQ>
<TRNUID>20220415092813.000
<CLTCOOKIE>1
<ACCTINFORQ>
<DTACCTUP>19700101
</ACCTINFORQ>
</ACCTINFOTRNRQ>
</SIGNUPMSGSRQV1>
</OFX>

response:
OFXHEADER:100
DATA:OFXSGML
VERSION:102
SECURITY:NONE
ENCODING:USASCII
CHARSET:1252
COMPRESSION:NONE
OLDFILEUID:NONE
NEWFILEUID:20220415092813.000

<OFX><SIGNONMSGSRSV1><SONRS><STATUS><CODE>15500</CODE><SEVERITY>ERROR</SEVERITY><MESSAGE>Signon invalid</MESSAGE></STATUS><DTSERVER>20220415022814</DTSERVER><LANGUAGE>ENG</LANGUAGE><FI><ORG>ameritrade.com</ORG><FID>5024</FID></FI></SONRS></SIGNONMSGSRSV1><SIGNUPMSGSRSV1><ACCTINFOTRNRS><TRNUID>20220415092813.000</TRNUID><STATUS><CODE>15500</CODE><SEVERITY>ERROR</SEVERITY><MESSAGE>pr-txlvofx-pp06-clientsys Signon invalid</MESSAGE></STATUS><CLTCOOKIE>1</CLTCOOKIE></ACCTINFOTRNRS></SIGNUPMSGSRSV1></OFX>
----8<----

From the above, I suspect that the cause of your problem may be
related to your Ubuntu installation (tighter security requirements)
and would love to see the comparison to the working accounts.


-- 

Regards

Thomas Baumgart

https://www.signal.org/       Signal, the better WhatsApp
-------------------------------------------------------------
Windows: It's not pretty. It's not ugly. But it's pretty ugly.
-------------------------------------------------------------
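
The layering argument in the message above (an OFX status can only come back once the TLS handshake has completed), written out as an added example that is not part of the original post or of KMyMoney. The sample response is constructed in the shape of the one quoted in the message, the function names are hypothetical, and `probe` assumes the server accepts the usual `application/x-ofx` POST.

```python
import re
import ssl
import urllib.request

# Constructed sample: an OFX 1.x SGML response shaped like the one in the message.
SAMPLE_RESPONSE = (
    "OFXHEADER:100\nDATA:OFXSGML\nVERSION:102\nSECURITY:NONE\n\n"
    "<OFX><SIGNONMSGSRSV1><SONRS><STATUS><CODE>15500</CODE>"
    "<SEVERITY>ERROR</SEVERITY><MESSAGE>Signon invalid</MESSAGE></STATUS>"
    "<DTSERVER>20220415022814</DTSERVER></SONRS></SIGNONMSGSRSV1></OFX>"
)

STATUS_RE = re.compile(r"<STATUS>(.*?)</STATUS>", re.S | re.I)

def _field(block, tag):
    # OFX 1.x is SGML: leaf elements may omit the closing tag, so stop at the next '<'.
    m = re.search(rf"<{tag}>([^<\r\n]*)", block, re.I)
    return m.group(1).strip() if m else None

def ofx_statuses(body):
    """Return [(code, severity, message)] for every <STATUS> aggregate in an OFX body."""
    return [(_field(b, "CODE"), _field(b, "SEVERITY"), _field(b, "MESSAGE"))
            for b in STATUS_RE.findall(body)]

def classify(body=None, error=None):
    """Name the layer that failed: 'tls', 'transport', 'not-ofx', 'ofx' or 'ok'."""
    if isinstance(error, ssl.SSLError):
        return "tls"         # handshake or certificate problem; no OFX was exchanged
    if error is not None:
        return "transport"   # DNS, TCP, HTTP status, timeout
    statuses = ofx_statuses(body or "")
    if not statuses:
        return "not-ofx"     # something answered, but not an OFX server
    return "ok" if all(code == "0" for code, _, _ in statuses) else "ofx"

def probe(url, request_body):
    """POST an OFX request under this machine's default TLS policy and classify the result."""
    req = urllib.request.Request(url, data=request_body.encode("ascii"),
                                 headers={"Content-Type": "application/x-ofx"})
    try:
        with urllib.request.urlopen(req, timeout=15,
                                    context=ssl.create_default_context()) as resp:
            return classify(body=resp.read().decode("cp1252", "replace"))
    except OSError as exc:
        # urllib wraps handshake failures in URLError; the ssl.SSLError is in .reason
        reason = getattr(exc, "reason", exc)
        return classify(error=reason if isinstance(reason, Exception) else exc)
```

Running `probe` with the same request on both machines separates the two cases discussed here: `'ofx'` means the local TLS policy accepted the server, `'tls'` means the handshake itself was rejected.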