Re: Accepting an expired Certificate.
Sender: Scott Klement <sk@xxxxxxxxxxxxxxxx>
Eduard,
In V5R3, IBM added a new capability (that I've never used) to the GSKit API
that allows you to accept a certificate that's expired. They added PTFs to
enable this support in V5R1 or V5R2. This is documented in APAR SE07971.
Here's a link to that APAR:
http://tinyurl.com/8hykw
Make sure you have those PTFs applied to your system if you're not running V5R3
yet.
And here's a link to the documentation for the GSKit where it provides some
info about what this option does:
http://tinyurl.com/dan9n
To install this in HTTPAPI, you'll need to change the source code. Start by
adding the following definitions to the GSKSSL_H source member:
     D GSK_SERVER_AUTH_TYPE...
     D                 C                   CONST(410)
     D GSK_SERVER_AUTH_FULL...
     D                 C                   CONST(534)
     D GSK_SERVER_AUTH_PASSTHRU...
     D                 C                   CONST(535)
Then, you'll need to edit the COMMSSLR4 source member and insert the code to
set these options. Search for GSK_CLIENT_AUTH in the COMMSSLR4 member. Right
after that group of code, but before the code for setting the SSL protocol
versions, insert the following:
     C* Allow passthru of the server's info:
     c                   eval      rc = gsk_attribute_set_enum(wkEnvh:
     c                                       GSK_SERVER_AUTH_TYPE:
     c                                       GSK_SERVER_AUTH_PASSTHRU)
     c                   if        rc <> GSK_OK
     c                   callp     SetError(HTTP_GSKATYP: 'Setting ' +
     c                                       'auth type: ' + ssl_error(rc))
     c                   return    -1
     c                   endif
Then recompile HTTPAPI and try it. Here's where I can't help you -- I have no
way to test this code. I do not have access to a server with an expired
certificate. The documentation (that I linked to, above) says that it'll allow
an expired certificate, but I can't test it.
---
Scott Klement http://www.scottklement.com
On Thu, 6 Oct 2005, Eduard Sluis wrote:
Dear All,
I need help urgently!
We are accessing a webservice using HTTPAPI as a client.
We are connecting to it using HTTPS.
The Webservice is using a certificate that is expired.
As a result we are getting the error:
SSL Handshake: (GSKit) Validity time period of the certificate is expired.
which is indeed correct.
The problem however is that we need to accept this certificate and build the
SSL connection on it. The system using this webservice must go in production.
Other production systems are also using this same webservice, which prohibits
any change on the certificate for a foreseeable time.
Those other systems (non iSeries) are able to work with the expired
certificate.
Is there any way to make the iSeries accept this certificate?
I've found possibilities to use ExitPrograms and am investigating this but I
have *NONE experience with that.
Does anyone know if it is possible and if yes how to do it?
I would hate to make the iSeries the showstopper for this!
Kind regards,
Eduard Sluis
--
This is the RPG programming on the AS400 / iSeries (RPG400-L) mailing list
-----------------------------------------------------------------------
This is the FTPAPI mailing list. To unsubscribe from the list send mail
to majordomo@xxxxxxxxxxxxx with the body: unsubscribe ftpapi mymailaddr
-----------------------------------------------------------------------
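A compensating check for the passthru setting discussed in the thread, as an added example that is not part of the original posts and is not HTTPAPI or GSKit code: once certificate validation is relaxed, compare the certificate the server presented against the single approved one, and stop honouring the exception after a set date. The function and enum names are hypothetical, the byte strings and timestamps are constructed, and obtaining the peer certificate's DER bytes from the TLS library is left to the caller.

```c
/* Added example: not HTTPAPI or GSKit code. All names are hypothetical. */
#include <stdio.h>
#include <string.h>
#include <time.h>

enum pin_result { PIN_ACCEPT, PIN_MISMATCH, PIN_EXCEPTION_ENDED };

/*
 * peer:   DER bytes of the certificate the server presented (assumption:
 *         the caller reads them from the TLS library after the handshake).
 * pinned: DER bytes of the one expired certificate that was approved.
 * exception_ends: moment from which the exception is refused again.
 */
enum pin_result pinned_cert_decision(const unsigned char *peer, size_t peer_len,
                                     const unsigned char *pinned, size_t pinned_len,
                                     time_t now, time_t exception_ends)
{
    if (now >= exception_ends)
        return PIN_EXCEPTION_ENDED;      /* time-boxed: fail closed afterwards */
    if (peer == NULL || pinned == NULL || peer_len == 0 || peer_len != pinned_len)
        return PIN_MISMATCH;
    /* Certificates are public data, so a plain memcmp is sufficient here. */
    return memcmp(peer, pinned, peer_len) == 0 ? PIN_ACCEPT : PIN_MISMATCH;
}

int main(void)
{
    /* Constructed sample bytes standing in for real DER certificates. */
    const unsigned char approved[]  = { 0x30, 0x82, 0x01, 0x0a, 0x02, 0x01 };
    const unsigned char presented[] = { 0x30, 0x82, 0x01, 0x0a, 0x02, 0x01 };
    const unsigned char swapped[]   = { 0x30, 0x82, 0x01, 0x0a, 0x02, 0x7f };
    time_t now = 1000, ends = 2000;      /* constructed timestamps */

    printf("approved cert, inside window: %d\n",
           pinned_cert_decision(presented, sizeof presented,
                                approved, sizeof approved, now, ends));
    printf("different cert:               %d\n",
           pinned_cert_decision(swapped, sizeof swapped,
                                approved, sizeof approved, now, ends));
    printf("approved cert, window over:   %d\n",
           pinned_cert_decision(presented, sizeof presented,
                                approved, sizeof approved, ends, ends));
    return 0;
}
```

The connection should be closed on any result other than PIN_ACCEPT, before any request data is sent.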