
RE: SSL connection issues



Thanks, Scott.  The "first" call is a production program which is used
throughout the day by a number of users, so I can't change it right now.  As
a test I executed the command RCLACTGRP ACTGRP(*ELIGIBLE) at a command line,
then ran the "second" (new) program.  I expected the request to fail but it
ran just fine and the debug log showed the correct digital certificate
information for the second business partner.  Either I ran the RCLACTGRP
command in the wrong place or the problem is caused by something else.

Thanks again,

Barry

-----Original Message-----
From: ftpapi-bounces@xxxxxxxxxxxxxxxxxxxxxx
[mailto:ftpapi-bounces@xxxxxxxxxxxxxxxxxxxxxx]On Behalf Of Scott Klement
Sent: Thursday, August 23, 2007 11:58 AM
To: HTTPAPI and FTPAPI Projects
Subject: Re: SSL connection issues


Hi Barry,

First, some background:

For performance purposes, the DCM profile that you set with https_init()
is only cleared if you manually call https_cleanup() or if you reclaim
the activation group.  The idea is to keep the amount of cryptography
number crunching to a minimum.

Therefore, if you run two programs in the same job and the same
activation group without reclaiming the activation group in-between, the
second one will use the DCM profile from the previous program.


The problem:

If you call two programs that use https_init() in the same activation
group, but specify different profiles, the profile from the first call
will be used, and the profile from the second call will be ignored.

However, if you call the same two programs separately (i.e. either
reclaim the activation group, or run them in separate jobs) they'll
start the SSL environment individually, and the second profile will be
used for the second program.

If the profile from the 2nd program doesn't trust a particular CA, but
the profile from the 1st program does, this would result in the exact
error you're experiencing.

This is probably a bug...  If the profile name changes, HTTPAPI
should really reset the environment.  But you can solve the problem
easily enough by reclaiming the activation group.


Barry Shrum wrote:
>    Scott,
>
>    We've been using v1.12 for over a year with great success.  We use it
>    to connect to a business partner, sending a request for information
>    and receiving the response.  We are now developing an app to connect
>    to a second, similar partner.  I cloned the programs that use
>    the HTTPAPI programs and have discovered an interesting problem.  I
>    get an ssl_error(6000) error if I try to connect to the second partner
>    before anyone connects to the first.  Once someone has connected to
>    the first partner, then I can successfully connect to the second.  I'm
>    using the same HTTPAPI programs in the same sequence, but CL and RPG
>    programs are different.
>
>    I followed the flow in debug and it fails in http_persist_open.
>    comm_Connect returns *OFF at the statement:
>    if comm_connect(wwComm:p_addr:wwTimeout) = *OFF
>
>    I get the following debug log (I've changed the URL to conform to our
>    confidentiality agreement with our business partner):
>
>    HTTPAPI Ver 1.12 released 2005-08-12
>
>    New iconv() objects set, ASCII=819. EBCDIC=0
>    http_setauth(): entered
>    http_url_post_stmf(): entered
>    getting post file size...
>    File size: 2918
>    opening file to be sent...
>    opening file to be received
>    6 parms...
>    URL: https://www.sampleurl.com
>    Post File: /Test/FR111423I.xml
>    Recv File: /Test/FR111423IResponse.xml
>    Timeout 30
>    UserAgent: http-api/1.11
>    Content Type: application/x-www-form-urlencoded
>    http_persist_open(): entered
>    http_long_ParseURL(): entered
>    https_init(): entered
>    -------------------------------------------------------------------------------------
>    Dump of local-side certificate information:
>    -------------------------------------------------------------------------------------
>    (GSKit) Certificate is not signed by a trusted certificate authority.
>    ssl_error(6000): (GSKit) Certificate is not signed by a trusted
>    certificate authority.
>    SetError() #30: SSL Handshake: (GSKit) Certificate is not signed by a
>    trusted certificate author
>    -------------------------------------------------------------------------------------
>    Dump of server-side certificate information:
>    -------------------------------------------------------------------------------------
>    Cert Validation Code = 0
>    in http_url_post_raw2: http_persist_open returned null
>
>
>    Any ideas?
>
>    Thanks,
>
>    Barry Shrum
>

-----------------------------------------------------------------------
This is the FTPAPI mailing list.  To unsubscribe, please go to:
http://www.scottklement.com/mailman/listinfo/ftpapi
-----------------------------------------------------------------------
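An added example, not HTTPAPI's own code and not part of Scott's or Barry's messages: a small ILE RPG wrapper that does for the caller what Scott says HTTPAPI itself should do, namely reset the SSL environment when the DCM application ID changes within one activation group. Without this, the second business partner is validated against the first partner's trust settings, which is exactly how a CA the second profile does not trust can appear to be trusted (or the reverse). It assumes HTTPAPI's prototypes as exposed by the HTTPAPI_H copy member, with https_init() taking the application ID and returning 0 on success and https_cleanup() taking no parameters; the copy member path and the procedure name sslSelectProfile are this example's own choices.

```rpgle
**free
// Added example (not HTTPAPI's own code). Assumptions: https_init(appid)
// returns 0 on success, https_cleanup() takes no parameters, and both come
// from HTTPAPI_H; the copy member location below is a placeholder.
ctl-opt nomain;
/copy libhttp/qrpglesrc,httpapi_h

// DCM application ID that the cached SSL environment was last started
// with. Module-level variables keep their value for the life of the
// activation group, which is exactly the scope HTTPAPI caches for.
dcl-s lastProfile varchar(32) inz('');

// sslSelectProfile(): start HTTPAPI's SSL environment for the given DCM
// application ID, restarting it first if a different ID was used earlier
// in this activation group. Returns 0 on success, -1 on failure.
dcl-proc sslSelectProfile export;
  dcl-pi *n int(10);
    profile varchar(32) const;
  end-pi;

  // Same profile as last time: the cached environment is the one wanted.
  if lastProfile = profile;
    return 0;
  endif;

  // A different profile was initialised earlier, so discard the cached
  // environment; otherwise the previous partner's CA trust list would
  // silently be applied to this partner's connection.
  if lastProfile <> '';
    https_cleanup();
  endif;

  if https_init(profile) <> 0;
    lastProfile = '';
    return -1;
  endif;

  lastProfile = profile;
  return 0;
end-proc;
```

Each program that talks to a partner would call sslSelectProfile() with that partner's application ID before the http_url_post_stmf() call, in place of a bare https_init(). The cost Scott mentions (re-running the cryptographic setup) is paid only when the profile actually changes, so the common case of one partner per job keeps the cached environment. Where the activation group is shared with a production program that cannot be changed, reclaiming the activation group, as Scott suggests, remains the alternative.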
