
RE: Certificate information



Scott,

When you specify information regarding 'the certificate' I presume that
you are referring to the final certificate in the chain.

Is it possible to get information on other certificates in the chain ? In
our case there are two CA certificates (one is an intermediate CA) as
well as the end certificate.

Regards
 
Ian Patterson
 

-----Original Message-----
From: ftpapi-bounces@xxxxxxxxxxxxxxxxxxxxxx
[mailto:ftpapi-bounces@xxxxxxxxxxxxxxxxxxxxxx] On Behalf Of Scott
Klement
Sent: 19 December 2007 01:44
To: HTTPAPI and FTPAPI Projects
Subject: Re: Certificate information


Hi Carl,

Here's what I'm thinking about doing:

a) Add a new API called https_strict().  It can be passed a parameter of
*ON or *OFF to enable or disable strict certificate checking.

    -- When *OFF, HTTPAPI will allow expired certificates, or those
          not signed by a trusted authority (if your version of i5/OS
          supports it.)

    -- When *ON, HTTPAPI will only allow certificates that
          (cryptographically, not just checking O=xxxxxxx) are
          within their validity period and signed by a trusted CA.

b) Add an exit point for certificate validation.  When a procedure
      is registered, the procedure will be called element-by-element
      for all of the fields supplied in the certificate.

      Each call to the exit point will pass the GSK field number,
      as well as the data, already converted to EBCDIC (unless it's
      binary) and in an RPG VARYING alphanumeric field, ready for use.

      The exit proc can return a code to indicate that the certificate
      isn't valid if it wants to stop the SSL connection from completing.

c) I was also thinking of letting the user register a procedure with
      the existing validation procedure in GSKit -- but that requires
      V5R3, plus, IMHO, it requires a lot more complex coding (you have
      to parse the certificate yourself, or know how to use the i5/OS
      APIs to do it, which isn't as easy as letting HTTPAPI do the
      parsing for you.)

Let me know what you think.





Forshey, Carl wrote:
> I was searching the archives and came across a reference to a problem 
> I've encountered - being able to "process" certificate information in 
> my application (August 27/07).  We have requirements to validate the 
> URL in the certificate and to verify the certificate is from a valid 
> Certificate Authority  (specifically to check the "O=" value within 
> the root chain).
> 
> I was contemplating using the HTTP debug log, as the last inquirer 
> mentioned, but in this case there will be multiple users at any one 
> time, which makes it even more undesirable to go down that path.  I'm 
> using the latest version of HTTPAPI (1.21).  The vendor requires some 
> specific tests to be run and provide details to them (logs, etc.), so 
> I doubt they'll just accept that the OS and DCM is handling this 
> process and then certify the application.
> 
> I'm wondering if you have any suggestions, otherwise, I'm seconding a 
> need for future certificate information returned to the application 
> via HTTPAPI.  Thanks!
> 

-----------------------------------------------------------------------
This is the FTPAPI mailing list.  To unsubscribe, please go to:
http://www.scottklement.com/mailman/listinfo/ftpapi
-----------------------------------------------------------------------
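The two behaviours discussed in this thread, strict checking that a leaf chains cryptographically to a trusted root within its validity period (Scott's https_strict(*ON)) and an application-level look at each certificate in the chain, including the intermediate and root that Ian asks about, are shown below as an added example. It is not HTTPAPI code and is written in Go against the standard library rather than RPG/GSKit, because it runs stand-alone offline; the certificate hierarchy, organization names and hostname are all constructed for the example. Note that the forged-chain case fails even though its root carries the same O= as the trusted one, which is why a string comparison on O= alone is not a substitute for signature verification.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Chain holds the constructed test hierarchy: Leaf <- Inter <- Root.
type Chain struct {
	Leaf, Inter, Root *x509.Certificate
}

// mkCert signs tmpl with parentKey (self-signed when parent is nil) and parses the result.
func mkCert(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, parentKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	if parent == nil {
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// BuildChain constructs a root CA, an intermediate CA and a server leaf.
// caOrg is the O= placed in both CA subjects; every name here is made up.
// Validity is pinned to Dec 2007 - Dec 2008 so checks below are deterministic.
func BuildChain(caOrg string) (*Chain, error) {
	notBefore := time.Date(2007, 12, 1, 0, 0, 0, 0, time.UTC)
	notAfter := notBefore.AddDate(1, 0, 0)
	rootKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	interKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)

	root, err := mkCert(&x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{Organization: []string{caOrg}, CommonName: "Example Root CA"},
		NotBefore:    notBefore, NotAfter: notAfter,
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}, nil, &rootKey.PublicKey, rootKey)
	if err != nil {
		return nil, err
	}
	inter, err := mkCert(&x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{Organization: []string{caOrg}, CommonName: "Example Intermediate CA"},
		NotBefore:    notBefore, NotAfter: notAfter,
		IsCA: true, BasicConstraintsValid: true, MaxPathLenZero: true, KeyUsage: x509.KeyUsageCertSign,
	}, root, &interKey.PublicKey, rootKey)
	if err != nil {
		return nil, err
	}
	leaf, err := mkCert(&x509.Certificate{
		SerialNumber: big.NewInt(3),
		Subject:      pkix.Name{Organization: []string{"Example Corp"}, CommonName: "api.example.test"},
		DNSNames:     []string{"api.example.test"}, // hostname check uses the SAN, not CN
		NotBefore:    notBefore, NotAfter: notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, inter, &leafKey.PublicKey, interKey)
	if err != nil {
		return nil, err
	}
	return &Chain{Leaf: leaf, Inter: inter, Root: root}, nil
}

// VerifyStrict is the https_strict(*ON) behaviour: the leaf must chain by
// signature to a root in the trust store, every certificate must be within its
// validity period at 'now', and the leaf must be valid for host. On success it
// returns the verified chain, leaf first and root last.
func VerifyStrict(leaf *x509.Certificate, inters, roots []*x509.Certificate, host string, now time.Time) ([]*x509.Certificate, error) {
	rootPool, interPool := x509.NewCertPool(), x509.NewCertPool()
	for _, r := range roots {
		rootPool.AddCert(r)
	}
	for _, c := range inters {
		interPool.AddCert(c)
	}
	chains, err := leaf.Verify(x509.VerifyOptions{
		DNSName: host, Roots: rootPool, Intermediates: interPool, CurrentTime: now,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	if err != nil {
		return nil, err
	}
	return chains[0], nil
}

// ChainOrganizations returns the subject O= of every certificate in a verified
// chain, the per-certificate view (leaf, intermediate, root) the thread asks for.
func ChainOrganizations(chain []*x509.Certificate) []string {
	out := make([]string, 0, len(chain))
	for _, c := range chain {
		out = append(out, strings.Join(c.Subject.Organization, ","))
	}
	return out
}

func main() {
	now := time.Date(2007, 12, 19, 0, 0, 0, 0, time.UTC)
	genuine, _ := BuildChain("Example Trusted CA Inc")
	forged, _ := BuildChain("Example Trusted CA Inc") // same O=, different keys
	chain, err := VerifyStrict(genuine.Leaf, []*x509.Certificate{genuine.Inter}, []*x509.Certificate{genuine.Root}, "api.example.test", now)
	fmt.Println("genuine:", err, ChainOrganizations(chain))
	_, err = VerifyStrict(forged.Leaf, []*x509.Certificate{forged.Inter}, []*x509.Certificate{genuine.Root}, "api.example.test", now)
	fmt.Println("forged root with matching O=:", err)
}
```

The O= check the vendor asks for then runs over the chain that VerifyStrict returned, so the organization string is only consulted on certificates whose signatures have already been verified against the configured trust store.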

-----------------------------------------------------------------------
This is the FTPAPI mailing list.  To unsubscribe, please go to:
http://www.scottklement.com/mailman/listinfo/ftpapi
-----------------------------------------------------------------------