
RE: Example3 - SSL not trusted error message



Sender: "Ian Patterson" <ian@xxxxxxxxxxxxxxxxxxxx>

As an aside to this thread, I have noticed a problem recently with V5R2 and
certs.

We have had to install a specific CA cert (from GTE) into a number of boxes
(no intermediate certs in the chain).
This cert is then trusted to the trust list for our client (httpapi 9 and
10)

On all V5R1 boxes, this works OK
On SOME (about 50%) of V5R2 boxes, we get the "cert not signed etc" error.
This disappears when we change the trust list to "trust all" CA certs.

There is no doubt that the new cert we install is the only one that can be
used, so have to assume something dodgy here.

Regards

Ian Patterson

ian@xxxxxxxxxxxxxxxxx

Grange IT Limited
tel 01947 880458
www.grangesystems.com



-----Original Message-----
From: owner-ftpapi@xxxxxxxxxxxxx [mailto:owner-ftpapi@xxxxxxxxxxxxx]On
Behalf Of Scott Klement
Sent: 20 October 2004 22:06
To: ftpapi@xxxxxxxxxxxxx
Subject: Re: Example3 - SSL not trusted error message


Sender: Scott Klement <sk@xxxxxxxxxxxxxxxx>


Hi John,

There are two problems:

>  In DCM, the Verisign class 1 certificate appears OK but the class 2 and
> class 3 certificates expired in January 2004.

1)  VeriSign's intermediate certificates expired on January 7, 2004. Until
you update your CA certs, most VeriSign sites won't be trusted.

If you update to CUM PTF level C4077520 or later, the problem will be
fixed for new certificate stores, but not for existing ones.  To fix the
existing ones, you need to manually download & install the updated
intermediate certificates from VeriSign.  They've got a web page set up to
explain the process:

  https://www.verisign.com/support/site/caReplacement.html

Personally, I had a hard time figuring out how to get it done with info
from that site, but maybe that's just me!  If nothing else, call IBM
support and get them to help you.

> In an attempt to see what certificate the target website is using, I
> tried to access "https://ssl.ahnet.net/SSL/klemen/" (the URL that
> Example3 points to) via IE6 and received an "HTTP 404 Not Found".

2) https://ssl.ahnet.net no longer exists.  I used to have an SSL server
with that URL years ago, but not anymore.  That example should be removed
from HTTPAPI.

In fact, I should go through and clean up all of the EXAMPLEx members,
since many of them aren't the best way to do things anymore.  Thanks for
the heads up on this!

A better SSL example would be EXAMPLE16, (though the SSL part of EXAMPLE4
& EXAMPLE5 should still work)

---
Scott Klement  http://www.scottklement.com


-----------------------------------------------------------------------
This is the FTPAPI mailing list.  To unsubscribe from the list send mail
to majordomo@xxxxxxxxxxxxx with the body: unsubscribe ftpapi mymailaddr
-----------------------------------------------------------------------

