
Re: Certificate validation



Hi Carl,

If you want a quick fix to this problem, open up the COMMSSLR4 source 
member of HTTPAPI, and search for GSK_SERVER_AUTH_PASSTHRU.  Replace 
GSK_SERVER_AUTH_PASSTHRU with GSK_SERVER_AUTH_FULL.  Then recompile HTTPAPI.

The reason this is set to passthru (which allows "untrusted" and 
"expired" certificates) is because i5/OS doesn't return any certificate 
information to HTTPAPI if the SSL handshake fails, and that means I 
can't provide debugging information.  Since a majority of the users of 
this software didn't care so much about certificate validation (they 
only cared about "getting it to work"), I used passthru authentication. 
It provided a lot more debugging information, and it made things work.

Note that the ability to switch HTTPAPI to use FULL authentication is 
one of the SSL security enhancements that I proposed in my e-mail to you 
on Dec 18 -- and it should be in the next release of HTTPAPI.

Should have a beta version for you to test soon.

Forshey, Carl wrote:
> Hi Scott,
> 
> I'm having a problem with testing my application using SSL where I'm
> given a site to log on to with a known expired certificate (another
> vendor requirement).  The CA normally being used is VeriSign, and
> they are in the DCM and trusted to the application.  The problem is
> the certificate is being validated and I'm then connecting and
> receiving a response from the site.  I was expecting to get a return
> code error on the certificate validation.
> 
> After searching the archives, I came across a reference to a problem
> where the person wanted to accept an expired certificate (error "SSL
> Handshake: (GSKit) Validity time period of the certificate is
> expired") and you provided the code necessary to update the current
> HTTPAPI version of that time.  I'm using the latest version (1.21)
> and I see the code in the GSKSSL_H source member and the COMMSSLR4
> source member.  My question is, is there a way to control whether or
> not an expired certificate is accepted?  After reading the archive
> and looking at the code, it seems as though it's set to accepting by
> default, where I need to have some indication of a validation error
> returned to my program, which seems to be what the original problem
> was in the archive posting.  Could you shed some light on this for
> me, so I can determine if this is my problem or I need to look
> elsewhere?  Thanks!
> 
> Carl Forshey, Commsoft
> 
> 
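As an added example (not HTTPAPI's own code, and not the COMMSSLR4 edit described above), here are the two GSKit settings side by side in an ILE RPG procedure written against the prototypes in GSKSSL_H; the copybook location, the DCM application id and the procedure name sslConnect are assumptions, while the gsk_* procedure and constant names are IBM's GSKit API.

```rpgle
**free
ctl-opt nomain;
/copy LIBHTTP/QRPGLESRC,GSKSSL_H   // assumed location of HTTPAPI's GSKit prototypes
dcl-c APP_ID 'MYAPP_SSL_CLIENT';   // assumed DCM application id
// Client TLS session on an already-connected socket. authType is
// GSK_SERVER_AUTH_FULL (an untrusted or expired server certificate fails the
// handshake with a return code) or GSK_SERVER_AUTH_PASSTHRU (HTTPAPI 1.21's
// choice: the handshake succeeds anyway and the caller must validate itself).
dcl-proc sslConnect export;
  dcl-pi *n int(10);
    sock     int(10) value;
    authType int(10) value;
    errMsg   varchar(256);
  end-pi;
  dcl-s envH pointer;
  dcl-s sslH pointer;
  dcl-s rc   int(10);
  errMsg = '';
  rc = gsk_environment_open(envH);
  if rc = 0;
    rc = gsk_attribute_set_buffer(envH: GSK_OS400_APPLICATION_ID: APP_ID: %len(APP_ID));
  endif;
  if rc = 0;
    rc = gsk_attribute_set_enum(envH: GSK_SESSION_TYPE: GSK_CLIENT_SESSION);
  endif;
  if rc = 0;
    rc = gsk_attribute_set_enum(envH: GSK_SERVER_AUTH_TYPE: authType);
  endif;
  if rc = 0;
    rc = gsk_environment_init(envH);
  endif;
  if rc = 0;
    rc = gsk_secure_soc_open(envH: sslH);
  endif;
  if rc = 0;
    rc = gsk_attribute_set_numeric_value(sslH: GSK_FD: sock);
  endif;
  if rc = 0;
    rc = gsk_secure_soc_init(sslH);   // the TLS handshake
  endif;
  if rc <> 0;
    // With FULL auth an expired certificate fails here, e.g. "Validity time
    // period of the certificate is expired". GSKit gives no partner certificate
    // details after a failed handshake, so rc and this text are all you get.
    errMsg = %str(gsk_strerror(rc));
    gsk_secure_soc_close(sslH);
    gsk_environment_close(envH);
  endif;
  return rc;
end-proc;
```

With GSK_SERVER_AUTH_FULL the caller gets the non-zero return code Carl was expecting; with GSK_SERVER_AUTH_PASSTHRU the handshake succeeds and the program would have to inspect the partner certificate itself before trusting the connection.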

-----------------------------------------------------------------------
This is the FTPAPI mailing list.  To unsubscribe, please go to:
http://www.scottklement.com/mailman/listinfo/ftpapi
-----------------------------------------------------------------------