
Re: SSL connection issues



Barry Shrum wrote:
> I've been compiling the programs with DFTACTGRP(*NO) ACTGRP(*NEW), so
> I didn't specify an activation group in the RCLACTGRP command.

If you're using ACTGRP(*NEW) the RCLACTGRP is pointless. ACTGRP(*NEW)
will **automatically** reclaim as soon as the program ends.

> I created an application in the DCM and I'm trying the https_init()
> https_cleanup() route.  I also examined the log  for the "second" set
> of programs and they have the correct certificate (the one for the
> second business partner). So... I'm not sure this is the problem
> after all.

No, I'd say it's not the problem.  Not if you're using ACTGRP(*NEW).


> You mentioned that HTTPAPI doesn't have code that checks if the SSL
> cert is signed by a trusted authority.  One of the requirements from
> our business partner is that we need to verify that the URL in the
> certificate returned is correct.  Can I examine the URL in the cert
> through HTTPAPI?

You misunderstand.

Your certificates **ARE** being validated.  (If they weren't, you 
couldn't get a "not signed by trusted authority" error message!!)

But the validation is being done by i5/OS, not by HTTPAPI. HTTPAPI says 
"hey operating system, I'd like to turn my connection into an SSL 
connection" and i5/OS does all of the work, including certificate 
validation.

My point is that if there's a bug in the way certificate validation is 
done, there's very little I can do about it, since I don't have the code 
for the operating system.
-----------------------------------------------------------------------
This is the FTPAPI mailing list.  To unsubscribe, please go to:
http://www.scottklement.com/mailman/listinfo/ftpapi
-----------------------------------------------------------------------