Re: Accepting an expired Certificate.

Sender: Scott Klement <sk@xxxxxxxxxxxxxxxx>

Eduard,
In V5R3, IBM added a new capability (that I've never used) to the GSKit API that allows you to accept a certificate that's expired. They added PTFs to enable this support in V5R1 or V5R2. This is documented in APAR SE07971. Here's a link to that APAR:

http://tinyurl.com/8hykw

Make sure you have those PTFs applied to your system if you're not running V5R3 yet.

And here's a link to the documentation for the GSKit where it provides some info about what this option does:

http://tinyurl.com/dan9n

To install this in HTTPAPI, you'll need to change the source code. Start by adding the following definitions to the GSKSSL_H source member:

     D GSK_SERVER_AUTH_TYPE...
     D                 C                   CONST(410)

     D GSK_SERVER_AUTH_FULL...
     D                 C                   CONST(534)
     D GSK_SERVER_AUTH_PASSTHRU...
     D                 C                   CONST(535)

Then, you'll need to edit the COMMSSLR4 source member and insert the code to set these options. Search for GSK_CLIENT_AUTH in the COMMSSLR4 member. Right after that group of code, but before the code for setting the SSL protocol versions, insert the following:

     C* Allow passthru of the server's info:
     c                   eval      rc = gsk_attribute_set_enum(wkEnvh:
     c                               GSK_SERVER_AUTH_TYPE:
     c                               GSK_SERVER_AUTH_PASSTHRU)
     c                   if        rc <> GSK_OK
     c                   callp     SetError(HTTP_GSKATYP: 'Setting ' +
     c                             'auth type: ' + ssl_error(rc))
     c                   return    -1
     c                   endif

Then recompile HTTPAPI and try it. Here's where I can't help you -- I have no way to test this code. I do not have access to a server with an expired certificate. The documentation (that I linked to, above) says that it'll allow an expired certificate, but I can't test it.

---
Scott Klement  http://www.scottklement.com
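To make concrete what the PASSTHRU option shifts onto the application, here is an added Python model (not HTTPAPI or GSKit code, and not part of Scott's patch): the FULL/PASSTHRU enum values are the ones quoted above, the certificate dict is constructed in the shape Python's getpeercert() returns with made-up dates, and the app-side policy with its expected name and grace period is an assumption for illustration. Once GSKit passes the certificate through, nothing else rejects it, so the caller has to do its own name check and decide how much expiry it will tolerate.

```python
import ssl
from datetime import datetime, timedelta, timezone

# GSKit enum values as posted in the thread (GSKSSL_H definitions).
GSK_SERVER_AUTH_FULL = 534
GSK_SERVER_AUTH_PASSTHRU = 535

# Constructed sample peer certificate, in the dict shape that Python's
# ssl.SSLSocket.getpeercert() returns. Names and dates are made up.
SAMPLE_CERT = {
    "subject": ((("commonName", "webservice.example"),),),
    "notBefore": "Oct  1 00:00:00 2004 GMT",
    "notAfter": "Oct  1 00:00:00 2005 GMT",
}


def cert_not_after(cert):
    """notAfter as an aware UTC datetime (ssl.cert_time_to_seconds parses the GMT string)."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)


def cert_expired(cert, now):
    """True if 'now' is past the certificate's notAfter."""
    return now > cert_not_after(cert)


def gskit_decision(cert, now, auth_type):
    """Model of the expiry part of the GSKit handshake check only:
    FULL fails the handshake on an expired certificate; PASSTHRU hands it on."""
    if auth_type == GSK_SERVER_AUTH_FULL and cert_expired(cert, now):
        return False, "Validity time period of the certificate is expired."
    if auth_type == GSK_SERVER_AUTH_PASSTHRU:
        return True, "certificate passed through to the application"
    return True, "ok"


def app_decision(cert, now, expected_cn, grace_days):
    """What the application must do once it owns validation (assumed policy):
    still check the name, and accept expiry only inside a bounded grace period."""
    cn = dict(pair for rdn in cert["subject"] for pair in rdn).get("commonName")
    if cn != expected_cn:
        return False, f"name mismatch: got {cn!r}, expected {expected_cn!r}"
    overdue = now - cert_not_after(cert)
    if overdue > timedelta(days=grace_days):
        return False, f"expired {overdue.days} days ago, beyond {grace_days}-day grace"
    if overdue > timedelta(0):
        return True, f"WARNING: accepted certificate expired {overdue.days} days ago"
    return True, "ok"
```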



On Thu, 6 Oct 2005, Eduard Sluis wrote:

Dear All,
I need help urgently!

We are accessing a webservice using HTTPAPI as a client.
We are connecting to it using HTTPS.
The Webservice is using a certificate that is expired.
As a result we are getting the error:
SSL Handshake: (GSKit) Validity time period of the certificate is expired.
which is indeed correct.
The problem however is that we need to accept this certificate and build the SSL connection on it. The system using this webservice must go in production. Other production systems are also using this same webservice which prohibit any change on the certificate for a foreseeable time.
Those other systems (non iSeries) are able to work with the expired certificate.


Is there any way to make the iSeries accept this certificate?
I've found possibilities to use ExitPrograms and am investigating this but I have *NONE experience with that.
Does anyone know if it is possible and if Yes how to do it?
I would hate to make the iSeries the showstopper for this!


Kind regards,
Eduard Sluis

-----------------------------------------------------------------------
This is the FTPAPI mailing list.  To unsubscribe from the list send mail
to majordomo@xxxxxxxxxxxxx with the body: unsubscribe ftpapi mymailaddr
-----------------------------------------------------------------------