RE: SSL connection issues
Scott,

Thanks for all your help.  I appreciate it.  I didn't word my question very
well.  I understand that the OS validates the certificate.  I was asking
about a second, unrelated issue but I didn't make that clear.  Sorry about
that.  Once I'm past this original issue, I need to address something new.

Our business partner has specific requirements that we must fulfill in terms
of security.  One of them is that we examine the certificate returned and if
the address in it (the hostname.com part) does not match their web address,
then we need to reject the transaction as false.  The only way I can see
this occurring is if the cert is from a trusted authority that is spoofing
our business partner.  That seems unlikely, but it's their requirement,
nonetheless.

It just occurred to me that I could examine the debug log file, since the
information is in it.  Not elegant, but possible.

Thanks again for your help!

Barry

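The check Barry's partner requires is standard TLS hostname verification: take the DNS names the server certificate claims (subjectAltName DNS entries, or the subject commonName if there are none) and accept the connection only if one of them matches the host you intended to reach. The following is an added example, not HTTPAPI code and not from anyone on this list; it assumes a certificate already parsed into the dictionary shape that Python's ssl module returns from getpeercert(), with constructed sample values, and implements the matching rules of RFC 6125 (case-insensitive labels, a wildcard only as the whole left-most label, no wildcard across a dot).

```python
import re

# Constructed sample: same shape as ssl.SSLSocket.getpeercert(), invented names.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.partner-example.com"),),),
    "subjectAltName": (
        ("DNS", "www.partner-example.com"),
        ("DNS", "*.api.partner-example.com"),
    ),
}


def certificate_names(cert: dict) -> list[str]:
    """Return the DNS identities a certificate asserts.

    Per RFC 6125, subjectAltName DNS entries are authoritative when present;
    the subject commonName is only a fallback for certificates without a SAN.
    """
    sans = [value for (kind, value) in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return [value]
    return []


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Match one certificate name against the expected hostname.

    Labels compare case-insensitively. A single '*' is allowed only as the
    entire left-most label and never spans a dot, so '*.example.com' matches
    'a.example.com' but not 'a.b.example.com' or 'example.com'.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if len(p_labels) != len(h_labels) or p_labels[0] != "*":
        return False
    if any("*" in label for label in p_labels[1:]):
        return False
    # Refuse overly broad wildcards such as '*.com'.
    if len(p_labels) < 3:
        return False
    return p_labels[1:] == h_labels[1:]


def verify_hostname(cert: dict, expected_host: str) -> bool:
    """True if any name in the certificate matches the host we dialed."""
    return any(dns_name_matches(name, expected_host) for name in certificate_names(cert))


def check_peer(cert: dict, expected_host: str) -> None:
    """Reject the transaction when the certificate is not for expected_host."""
    if not verify_hostname(cert, expected_host):
        raise ValueError(
            f"certificate names {certificate_names(cert)} do not match {expected_host!r}"
        )


if __name__ == "__main__":
    check_peer(SAMPLE_CERT, "www.partner-example.com")          # accepted
    check_peer(SAMPLE_CERT, "orders.api.partner-example.com")   # wildcard match
    try:
        check_peer(SAMPLE_CERT, "www.attacker-example.com")
    except ValueError as exc:
        print("rejected:", exc)
```

Two design points matter for a compliance check like this one. First, the comparison has to be against the hostname the application intended to connect to, not against anything taken from the response or the certificate itself, otherwise a certificate for the wrong site trivially "matches". Second, chain validation (is the certificate signed by a trusted authority?) and hostname validation are separate steps; as Scott notes, the first is done by the operating system's SSL layer here, while the second is what the partner is asking the application to enforce.
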
-----Original Message-----
From: ftpapi-bounces@xxxxxxxxxxxxxxxxxxxxxx
[mailto:ftpapi-bounces@xxxxxxxxxxxxxxxxxxxxxx]On Behalf Of Scott Klement
Sent: Friday, August 24, 2007 3:57 PM
To: HTTPAPI and FTPAPI Projects
Subject: Re: SSL connection issues


Barry Shrum wrote:
> I've been compiling the programs with DFTACTGRP(*NO) ACTGRP(*NEW), so
> I didn't specify an activation group in the RCLACTGRP command.

If you're using ACTGRP(*NEW) the RCLACTGRP is pointless.   ACTGRP(*NEW)
will **automatically** reclaim as soon as the program ends.

> I created an application in the DCM and I'm trying the https_init()
> https_cleanup() route.  I also examined the log  for the "second" set
> of programs and they have the correct certificate (the one for the
> second business partner). So... I'm not sure this is the problem
> after all.

No, I'd say it's not the problem.  Not if you're using ACTGRP(*NEW).


> You mentioned that HTTPAPI doesn't have code that checks if the SSL
> cert if signed by a trusted authority.  One of the requirements from
> our business partner is that we need to verify that the URL in the
> certificate returned is correct.  Can I examine the URL in the cert
> through HTTPAPI.

You misunderstand.

Your certificates **ARE** being validated.  (If they weren't, you
couldn't get a "not signed by trusted authority" error message!!)

But the validation is being done by i5/OS, not by HTTPAPI. HTTPAPI says
"hey operating system, I'd like to turn my connection into an SSL
connection" and i5/OS does all of the work, including certificate
validation.

My point is that if there's a bug in the way certificate validation is
done, there's very little I can do about it, since I don't have the code
for the operating system.
-----------------------------------------------------------------------
This is the FTPAPI mailing list.  To unsubscribe, please go to:
http://www.scottklement.com/mailman/listinfo/ftpapi
-----------------------------------------------------------------------
