
Re: SSL Handshake: (GSKit) An error occurred during SSL



   Scott and others,



   I opened a PMR with IBM, and after doing a trace it seems the error is
   occurring because the web server is asking for a client certificate
   that we don't have and were never given. My question is: is there a way
   using HTTP_API to have it skip/ignore sending a client certificate and
   just continue with the connection? A client certificate is not
   required; I can view the web page perfectly fine from my web browser.



   Thanks

   John Hill

   -----ftpapi-bounces@xxxxxxxxxxxxxxxxxxxxxx wrote: -----

     To: HTTPAPI and FTPAPI Projects <ftpapi@xxxxxxxxxxxxxxxxxxxxxx>
     From: Scott Klement <sk@xxxxxxxxxxxxxxxx>
     Sent by: ftpapi-bounces@xxxxxxxxxxxxxxxxxxxxxx
     Date: 05/27/2010 12:21PM
     Subject: Re: SSL Handshake: (GSKit) An error occurred during SSL
     Hi John,

     Just so that we are all on the same page... the information from the
     debug file tells me that HTTPAPI was calling this API (part of OS/400):

        gsk_secure_soc_init()

     And the error code the API is returning is:

        GSK_INTERNAL_ERROR

     This is also known as CPDBCB9 from msgf QCPFMSG.

     The API itself and its error codes are documented in the Information
     Center here (this is the V5R3 version, because that appears to be what
     you are running):

     http://publib.boulder.ibm.com/infocenter/iseries/v5r3/topic/apis/gsk_secure_soc_init.htm

     Unfortunately, the only thing this documentation seems to say is that
     something is wrong internally inside the SSL routines of OS/400. It
     doesn't provide more information. There may be more information in your
     job log -- have you looked there?

     Aside from that, I'd guess that something got messed up in your Digital
     Certificate Manager. I don't know what else to suggest, except calling
     IBM for help.

     On 5/27/2010 9:21 AM, JHill@xxxxxxxxxxxx wrote:
     >     Kevin,
     >
     >     Thanks for the reply. I have already done that. I even imported the
     >     intermediate certificate, and I still have the same problem. I have
     >     also tested against our website, which has a certificate signed by
     >     Thawte, and still are having the same problem.
     >
     >     Here is the information from the debug file.
     >
     >     Thanks,
     >     John Hill
     >
     >     HTTPAPI Ver 1.23 released 2008-04-24
     >
     >     OS/400 Ver V5R3M0
     >
     >     New iconv() objects set, PostRem=819. PostLoc=0. ProtRem=819. ProtLoc=0
     >
     >     https_init(): entered
     >
     >     -------------------------------------------------------------------------------------
     >
     >     Dump of local-side certificate information:
     >
     >     -------------------------------------------------------------------------------------
     >
     >     Serial Number: 4A:57:46:85:01:25:68
     >
     >     Common Name: CFSafety System Cert
     >
     >     Country: US
     >
     >     State/Province: Ohio
     >
     >     Locality: Cuyahoga Falls
     >
     >     Org Unit: Information Services
     >
     >     Issuer CN: CFSafety
     >
     >     Issuer Country: US
     >
     >     Issuer State/Province: Ohio
     >
     >     Issuer Locality: Cuyahoga Falls
     >
     >     Issuer Org: Information Services
     >
     >     Version: 03
     >
     >     not before: 20090709094749
     >
     >     not after: 20100710094749
     >
     >     pub key alg: 1.2.840.113549.1.1.4
     >
     >     http_url_get(): entered
     >
     >     http_persist_open(): entered
     >
     >     http_long_ParseURL(): entered
     >
     >     DNS resolver retrans: 2
     >
     >     DNS resolver retry : 2
     >
     >     DNS resolver options: x'00000136'
     >
     >     DNS default domain: CITYOFCF.com
     >
     >     DNS server found: 208.67.222.222
     >
     >     DNS server found: 208.67.220.220
     >
     >     (GSKit) An error occurred during SSL processing that was not expected.
     >
     >     ssl_error(3): (GSKit) An error occurred during SSL processing that was not expected.
     >
     >     SetError() #30: SSL Handshake: (GSKit) An error occurred during SSL processing that was not expe
     >
     >     -------------------------------------------------------------------------------------
     >
     >     Dump of server-side certificate information:
     >
     >     -------------------------------------------------------------------------------------
     >
     >     Cert Validation Code = 0
     >
     >     -----ftpapi-bounces@xxxxxxxxxxxxxxxxxxxxxx wrote: -----
     >
     >       To: "HTTPAPI and FTPAPI Projects" <ftpapi@xxxxxxxxxxxxxxxxxxxxxx>
     >       From: "Kevin Bucknum" <Kevin@xxxxxxxxxxxxxxxxxxx>
     >       Sent by: ftpapi-bounces@xxxxxxxxxxxxxxxxxxxxxx
     >       Date: 05/26/2010 04:57PM
     >       Subject: RE:
     >
     >       Unless you have that root cert loaded on your machine, you need to go
     >       download it from Go Daddy's site and install it. By default IBM doesn't
     >       load that one. We have put in a request for them to add a few of the
     >       more common cert providers, but haven't seen any movement on it yet.
     >
     >       -----Original Message-----
     >       From: ftpapi-bounces@xxxxxxxxxxxxxxxxxxxxxx
     >       [mailto:ftpapi-bounces@xxxxxxxxxxxxxxxxxxxxxx] On Behalf Of
     >       JHill@xxxxxxxxxxxx
     >       Sent: Wednesday, May 26, 2010 2:48 PM
     >       To: ftpapi@xxxxxxxxxxxxxxxxxxxxxx
     >       Subject:
     >
     >         Hello everyone,
     >
     >         I'm brand new to this list so go easy. We are using HTTP API v1.23 for
     >         about a year now to post data to a web service. Last week the web
     >         service changed their SSL cert to a cert signed by "Go Daddy Class 2
     >         CA" with a 2048 bit public key. Now we get an error message of "SSL
     >         Handshake: (GSKit) An error occurred during SSL" with a return code of
     >         -1. Does anyone have any insight?
     >
     >         Thanks,
     >         John Hill
     >
     >       Kevin Bucknum
     >       Senior Programmer Analyst
     >       MEDDATA/MEDTRON
     >       Tel: 985-893-2550
     >
-----------------------------------------------------------------------
This is the FTPAPI mailing list.  To unsubscribe, please go to:
http://www.scottklement.com/mailman/listinfo/ftpapi
-----------------------------------------------------------------------
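
A triage sketch for the HTTPAPI debug excerpt quoted in this thread, added here as an example (it is not code from HTTPAPI or from any poster): it strips the mail quoting, pulls the local certificate's validity window and algorithm OID, and collects the error lines. The sample log is constructed from lines shown above; the function name, the OID table and the result keys are this example's own.

```python
import re
from datetime import datetime

# Constructed sample: lines copied from the quoted debug excerpt, quote markers kept.
SAMPLE = """\
>     Dump of local-side certificate information:
>     Common Name: CFSafety System Cert
>     not before: 20090709094749
>     not after: 20100710094749
>     pub key alg: 1.2.840.113549.1.1.4
>     ssl_error(3): (GSKit) An error occurred during SSL processing that was
>     not expected.
>     SetError() #30: SSL Handshake: (GSKit) An error occurred during SSL
>     Dump of server-side certificate information:
>     Cert Validation Code = 0
"""

# PKCS #1 OIDs (this example's own table); 1.1.4 is a signature algorithm.
OIDS = {
    "1.2.840.113549.1.1.1": "rsaEncryption",
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
}
WEAK = {"md5WithRSAEncryption", "sha1WithRSAEncryption"}

def triage(log, now):
    """Summarise a debug excerpt; `now` is when the failed call was made."""
    section, fields, errors = None, {"local": {}, "server": {}}, []
    for raw in log.splitlines():
        line = re.sub(r"^\s*(>\s*)+", "", raw).strip()  # drop mail quoting
        dump = re.match(r"Dump of (local|server)-side certificate", line)
        kv = re.match(r"([A-Za-z /]+?)\s*[:=]\s*(.+)", line)
        if dump:
            section = dump.group(1)
        elif re.match(r"(ssl_error\(\d+\)|SetError\(\) #\d+):", line):
            errors.append(line)
        elif section and kv:
            fields[section][kv.group(1).lower()] = kv.group(2)
    local = fields["local"]
    window = [local.get("not before"), local.get("not after")]
    valid = None  # unknown when the dump lacks the validity fields
    if all(window):
        start, end = (datetime.strptime(t, "%Y%m%d%H%M%S") for t in window)
        valid = start <= now <= end
    alg = OIDS.get(local.get("pub key alg"), "unknown")
    return {"local_cn": local.get("common name"), "local_valid": valid,
            "local_alg": alg, "local_alg_weak": alg in WEAK,
            "server_cert_fields": sorted(fields["server"]), "errors": errors}
```

The summary separates what the log does record (local certificate window, algorithm, error lines) from what it does not (no server certificate fields were logged), which is the first thing to establish before comparing against a GSKit trace.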