TLS: SSLHandshake: invalid certificate chain

Question
When I try to connect to the host, I get the error TLS: SSLHandshake: invalid certificate chain. What does this mean?

Answer
This error appears on macOS systems during host certificate validation. The TLS protocol includes a step where the client (the emulator) inspects the certificate presented by the server (the host). Part of that inspection is verifying that the name in the host's certificate matches the name used to connect to the host. This error can mean that the two names do not match.

Easy, but insecure workaround
The easiest way to fix this is to disable host certificate validation. The downside is that you lose the protection of this part of the TLS protocol: the emulator no longer checks that the server it reached is the host you intended.

Simply add the Y prefix to the hostname.

More complex, but more secure workaround
The better way to fix this is to specify a particular name to match in the host certificate. This is much more secure, but takes a couple of steps to complete.

Step 1: Find the name in the host certificate
First, you must discover the name that the host is including in its certificate. To do this, connect to the host with host certificate validation disabled (using the Y prefix).

In x3270, select File -> x3270> prompt. In c3270, hit the Esc key to break to the c3270> prompt.

At the prompt, enter the command show tlsCertInfo. The output should include a line that begins with Subject: and includes a field that starts with CN =. What follows after the CN = is the name. For example:

    x3270> show tlscertinfo
    Subject: CN=myhost.hostsrus.com, OU=xyx, O=Hosts R Us, L=Pierre, S=South Dakota, C=US
    ...

Step 2: Specify that name when connecting to the host
Add the CN= name displayed above (without the CN= part) to the hostname, for example:

    x3270 somexternalname.legtimatebusiness.com=myhost.hostsrus.com

Be sure not to include the Y prefix in the hostname.

This syntax also works with s3270 and pr3287.
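Steps 1 and 2 can be scripted once the show tlsCertInfo output has been saved. The following is an added example, not part of the original page or of x3270 itself: the function names are hypothetical, the sample output is constructed from the page's example, and the prefix is assumed to be written Y: in the hostname.

```python
import re

# Constructed sample of `show tlsCertInfo` output, modeled on the page's example.
SAMPLE_OUTPUT = """\
Subject: CN=myhost.hostsrus.com, OU=xyx, O=Hosts R Us, L=Pierre, S=South Dakota, C=US
"""


def subject_cn(cert_info: str) -> str:
    """Return the CN value from the first Subject: line (Step 1)."""
    for line in cert_info.splitlines():
        line = line.strip()
        if not line.startswith("Subject:"):
            continue
        # Accept both "CN=" and "CN =" spellings; the value ends at the next comma.
        m = re.search(r"(?:^|,)\s*CN\s*=\s*([^,]+)", line[len("Subject:"):])
        if m:
            return m.group(1).strip()
        raise ValueError("Subject line has no CN field")
    raise ValueError("no Subject: line found")


def pinned_hostname(connect_host: str, cert_info: str) -> str:
    """Build the connect-host=certificate-name argument (Step 2)."""
    # Assumption: hostname prefixes are single letters followed by a colon.
    prefixes = re.match(r"(?:[A-Za-z]:)*", connect_host).group(0)
    if "Y:" in prefixes.upper():
        # Keeping the prefix would leave certificate validation disabled.
        raise ValueError("remove the Y prefix before pinning a certificate name")
    if "=" in connect_host:
        raise ValueError("connect host already carries a certificate name")
    return f"{connect_host}={subject_cn(cert_info)}"


if __name__ == "__main__":
    print(pinned_hostname("somexternalname.legtimatebusiness.com", SAMPLE_OUTPUT))
```

Before using the result, check that the extracted name is the one you expect for this host, since it was read over a connection made with validation disabled.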