
Re: Error 107 from GSKit when using SSL



Sender: Scott Klement <klemscot@xxxxxxxxxxxx>


The starting point for troubleshooting GSKit errors is to look them up in
the GSKSSL_H member of QRPGLESRC in LIBHTTP.

For example, if you look for error #107 in that member, it shows this:
     D GSK_KEYFILE_CERT_EXPIRED...
     D                 C                   CONST(107)

So, now you know that you've got an expired certificate in your keyfile...
Go into the Digital Certificate Manager and find it:

  1) Go into DCM with a profile with authority to all of the certs.
       I use QSECOFR, since I know it has authority.

  2) Select the certificate store that you want to use.

  3) Go into "Manage Certificates"

  4) Go into "Validate Certificates"

If you're able to connect to the UPS site and not to another site, the
problem is most likely with a certificate authority certificate, but I'd
validate all of the certificates, anyway, just to find the ones that are
bad.

Most likely the problem, as others have said, is with the Verisign Class 2
& 3 certificates that expired on Jan 7.  (However, the method I described
above should find where the actual problem lies.)

The next step is to get (or generate) new certificates to fix the problem.

If all of your certificates validate as "good" then the problem may be
with the server's certificate.   Try connecting to the server with an
up-to-date web browser and see if you get a certificate expired error
there; if so, it's probably the server.




On Wed, 18 Feb 2004, Damon U wrote:
>
> I am new to the list, and new to the HTTPAPI.  Thanks to Scott for posting
> this API, it's great!
>
> I have run all examples and worked through most of them.  On example5, I
> first ran it with the UPS address, and it worked great.  No problems using
> SSL at all.  Next I attempted to use it to connect to a site on which a
> client of mine uses SSL.  I get the error message back: SSL Handshake Error:
> GSKit Error 107.  I never get to actually post anything, or read any response
> back.  The error occurs in the gsk_secure_soc_init call in HTTPAPIR4.
>
> GSKit Error 107 seems to have to do with an expired certificate.  Since
> things work with the UPS example I am assuming that the expired certificate
> must be on the server that I am attempting to connect to?  (I haven't found
> any expired certs on my 400.)
>
> Anyone have any other thoughts or suggestions on how I might go about
> figuring out where this expired certificate is at?  (if in fact, that is
> really the problem being encountered in the SSL Handshake).
>
-----------------------------------------------------------------------
This is the FTPAPI mailing list.  To unsubscribe from the list send mail
to majordomo@xxxxxxxxxxxxx with the body: unsubscribe ftpapi mymailaddr
-----------------------------------------------------------------------
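
Added example (not part of the original message and not HTTPAPI or GSKit code): a Python model of the triage reasoning in the reply above, showing why one site can still connect while another fails when a single CA certificate in the local store has expired. It assumes certificate entries in the dict layout returned by Python's ssl module (getpeercert() / get_ca_certs()); all names, dates and the helper functions are constructed for illustration.

```python
import ssl
from datetime import datetime, timezone

def name(rdns):
    """Flatten the ssl module's nested-tuple name into a plain dict."""
    return {k: v for rdn in rdns for k, v in rdn}

def is_expired(cert, now):
    # notAfter uses the "Mon DD HH:MM:SS YYYY GMT" form the ssl module emits.
    return ssl.cert_time_to_seconds(cert["notAfter"]) < now

def triage(peer_cert, ca_certs, now):
    """Return (verdict, common names of expired CAs in the local store)."""
    expired = [c for c in ca_certs if is_expired(c, now)]
    expired_cns = [name(c["subject"])["commonName"] for c in expired]
    issuer = name(peer_cert["issuer"])
    # Check the local store first, then fall back to the server's own cert.
    if any(name(c["subject"]) == issuer for c in expired):
        return "issuing CA expired in local store", expired_cns
    if is_expired(peer_cert, now):
        return "server certificate expired", expired_cns
    return "chain not affected by an expired certificate", expired_cns

def cert(cn, issuer_cn, not_after):
    # Constructed sample entry in getpeercert()/get_ca_certs() layout.
    return {"subject": ((("commonName", cn),),),
            "issuer": ((("commonName", issuer_cn),),),
            "notAfter": not_after}

# Constructed data: the "current" time and a two-entry local CA store.
NOW = datetime(2004, 2, 18, tzinfo=timezone.utc).timestamp()
STORE = [cert("Example CA One", "Example CA One", "Jan  7 23:59:59 2004 GMT"),
         cert("Example CA Two", "Example CA Two", "Dec 31 23:59:59 2010 GMT")]
SITE_A = cert("a.example", "Example CA Two", "Jun 30 12:00:00 2004 GMT")
SITE_B = cert("b.example", "Example CA One", "Jun 30 12:00:00 2004 GMT")
SITE_C = cert("c.example", "Example CA Two", "Feb  1 00:00:00 2004 GMT")

if __name__ == "__main__":
    for site in (SITE_A, SITE_B, SITE_C):
        print(name(site["subject"])["commonName"], triage(site, STORE, NOW))
```

Site A connects even though the store holds an expired CA, because its chain does not use that CA; site B fails on the local store; site C fails on the server's own certificate.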