
Re: SSL without certs?



Sender: Scott Klement <sk@xxxxxxxxxxxxxxxx>


1. We have an application requirement where the vendor does not require
digital certificates but does require SSL 3.0 .  Will we be able to
communicate with them?

It's not SSL without certificates. Though, what the vendor probably means is that they don't require client-side certificates (which is true in the majority of cases).


In other words, you can take a web browser and point it at the site without having to install any special certificates on your machine. Technically, there are still certificates in use, but since they're invisible to the user...

2. I am receiving an error as a return from http_url_post= "SSL Handshake:
(GSKit) Certificate is not signed by". I'm too new to know if this is
internal to my config with DCM or ?

The rest of that sentence would be "a trusted certificate authority." You're chopping part of it off (probably in order to make it fit on a DSPLY opcode).


So, the server is sending you a certificate, but your DCM doesn't trust it. Most likely, the application is misconfigured in the digital certificate manager. Another possibility is that the certificate is signed by a certificate authority that the iSeries doesn't have installed by default.

I've put extra code into version 1.11 of HTTPAPI that helps perform additional debugging with SSL, and also simplifies the setup when you don't need client certificates.

Right now 1.11 hasn't been released, except as a beta version. You might want to give it a try, as it might make your life easier. Plus, we could really use your help testing it out to make sure it's ready to be a full release.

More info is here:
http://www.scottklement.com/archives/ftpapi/200506/msg00088.html

Incidentally, the archives for this mailing list are found at the following link. There's a lot of stuff about SSL setups in there, so you might find it helpful to do some searches:
http://www.scottklement.com/archives/ftpapi/


Good luck


-----------------------------------------------------------------------
This is the FTPAPI mailing list. To unsubscribe from the list send mail
to majordomo@xxxxxxxxxxxxx with the body: unsubscribe ftpapi mymailaddr
-----------------------------------------------------------------------