
RE: Certificate validation



Hi Scott,

That was my assumption and my plan for a workaround, but it was a long day and I wanted to make sure I wasn't missing something.  I made the change, recompiled, and sure enough an error was returned on the invalid certificate.  This definitely makes my life easier to satisfy the software certification requirements for the vendor.

The proposed changes will be appreciated, as it will be flexible enough to control the new API with a variable, allowing control outside of the programs without having to recompile any time you may need to turn it off for testing (such as in the case of an SSL handshake problem). Thanks again for the clarification and I'll look for the new version to test when it comes out.

Carl Forshey
Commsoft


-----Original Message-----
From: ftpapi-bounces@xxxxxxxxxxxxxxxxxxxxxx
[mailto:ftpapi-bounces@xxxxxxxxxxxxxxxxxxxxxx]On Behalf Of Scott Klement
Sent: Thursday, December 20, 2007 2:12 AM
To: HTTPAPI and FTPAPI Projects
Subject: Re: Certificate validation


Hi Carl,

If you want a quick fix to this problem, open up the COMMSSLR4 source 
member of HTTPAPI, and search for GSK_SERVER_AUTH_PASSTHRU.  Replace 
GSK_SERVER_AUTH_PASSTHRU with GSK_SERVER_AUTH_FULL.  Then recompile HTTPAPI.

The reason this is set to passthru (which allows "untrusted" and 
"expired" certificates) is because i5/OS doesn't return any certificate 
information to HTTPAPI if the SSL handshake fails, and that means I 
can't provide debugging information.  Since a majority of the users of 
this software didn't care so much about certificate validation, they 
only cared about "getting it to work", I used passthru authentication. 
It provided a lot more debugging information, and it made things work.

Note that the ability to switch HTTPAPI to use FULL authentication is 
one of the SSL security enhancements that I proposed in my e-mail to you 
on Dec 18 -- and it should be in the next release of HTTPAPI.

Should have a beta version for you to test, soon.

Forshey, Carl wrote:
> Hi Scott,
> 
> I'm having a problem with testing my application using SSL where I'm
> given a site to log on to with a known expired certificate (another
> vendor requirement).  The CA normally being used is VeriSign, and
> they are in the DCM and trusted to the application.  The problem is
> the certificate is being validated and I'm then connecting and
> receiving a response from the site.  I was expecting to get a return
> code error on the certificate validation.
> 
> After searching the archives, I came across a reference to a problem
> where the person wanted to accept an expired certificate (error "SSL
> Handshake: (GSKit) Validity time period of the certificate is
> expired") and you provided the code necessary to update the current
> HTTPAPI version of that time.  I'm using the latest version (1.21)
> and I see the code in the GSKSSL_H source member and the COMMSSLR4
> source member.  My question is: is there a way to control whether or
> not an expired certificate is accepted?  After reading the archive
> and looking at the code, it seems as though it's set to accepting by
> default, where I need to have some indication of a validation error
> returned to my program, which seems that was what the original
> problem was on the archive posting.  Could you shed some light on
> this for me, so I can determine if this is my problem or I need to
> look elsewhere.  Thanks!
> 
> Carl Forshey Commsoft
> 
> 

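Scott's passthru-versus-full distinction above, as an added example that is not part of this thread or of HTTPAPI: Go's crypto/tls stands in for GSKit, with InsecureSkipVerify=true playing the role of GSK_SERVER_AUTH_PASSTHRU (handshake completes, caller must inspect the certificate) and false the role of GSK_SERVER_AUTH_FULL (handshake fails). The in-process server, its expired self-signed certificate and the host name "expired.example.test" are constructed fixtures.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"math/big"
	"time"
)

// expiredServer starts a one-shot TLS listener whose self-signed certificate expired
// a year ago (constructed fixture; setup errors panic) and returns its address plus
// the CA pool a client would use to trust that certificate.
func expiredServer() (string, *x509.CertPool) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil { panic(err) }
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		DNSNames:     []string{"expired.example.test"}, // constructed name, not a real site
		NotBefore:    time.Now().Add(-2 * 365 * 24 * time.Hour),
		NotAfter:     time.Now().Add(-365 * 24 * time.Hour), // validity ended a year ago
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil { panic(err) }
	cert, _ := x509.ParseCertificate(der)
	pool := x509.NewCertPool()
	pool.AddCert(cert) // the client trusts this issuer, much as the DCM trusts the CA
	srv := &tls.Config{Certificates: []tls.Certificate{{Certificate: [][]byte{der}, PrivateKey: priv}}}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", srv)
	if err != nil { panic(err) }
	go func() { // accept one client, let it handshake, then stop
		if c, err := ln.Accept(); err == nil {
			c.(*tls.Conn).Handshake()
			c.Close()
		}
		ln.Close()
	}()
	return ln.Addr().String(), pool
}

// handshake connects as a client. fullAuth=false models GSK_SERVER_AUTH_PASSTHRU: the
// handshake completes and the peer certificate's NotAfter is returned for inspection.
// fullAuth=true models GSK_SERVER_AUTH_FULL: the handshake itself fails on the expiry.
func handshake(fullAuth bool) (time.Time, error) {
	addr, pool := expiredServer()
	cfg := &tls.Config{RootCAs: pool, ServerName: "expired.example.test", InsecureSkipVerify: !fullAuth}
	conn, err := tls.Dial("tcp", addr, cfg)
	if err != nil { return time.Time{}, err }
	defer conn.Close()
	return conn.ConnectionState().PeerCertificates[0].NotAfter, nil
}
```

In passthru mode the expiry is visible only if the caller looks at NotAfter; in full mode the error comes back from the handshake, which is the behaviour Carl needed.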
-----------------------------------------------------------------------
This is the FTPAPI mailing list.  To unsubscribe, please go to:
http://www.scottklement.com/mailman/listinfo/ftpapi
-----------------------------------------------------------------------


The information contained in this electronic mail transmission is intended by Communications Software Consultants, Inc. for the use of the named individual or entity to which it is directed
and may contain information that is privileged or otherwise confidential. If you have received this electronic mail transmission in error, please notify the sender immediately and delete this
message from your system without copying or forwarding it.