Re: Baffled about Certificates with HTTP API



I apologize if this reply is not threaded properly; for the life of
me, I can't figure out how to respond on this mailing list.  I'd like to
know that.

In direct response to your reply, Scott, I did not install a client
certificate, though I tried.  All evidence I find says I must, but the
vendor is supplying cert files without my csr, and even says they aren't
necessary in test.  So, I think I need it, but I'm not getting it.  It
may be that the vendor's expectations and the System i requirements are
incompatible.

The vendor says:

Well, that shouldn't be the problem. The certificate signing request is
only required in production; it's used when you're setting up the SSL
connection with Netgiro. In this case Netgiro verifies that the client
certificate you present in the SSL handshake is signed by us, and you
should also verify that the server certificate Netgiro presents
corresponds to the one you have in your trust store. In our test system
we don't perform this check.


The long story follows:

----

Problem Statement:

When trying to communicate with NetGiro, a banking site requiring SSL,
using HTTPAPI routines in an RPG program on an IBM System i, I get an
error as follows:

ssl_error(404): (GSKit) Certificate does not have a valid format.

Background:

NetGiro provided a set of certificate files, many of which I don't know
what to do with.

client.key
client.p7c
client.pem
client.pfx
serverca.pem

I tried to load the server CA, but it wouldn't load without a root CA.
I got one and loaded it and the serverca.pem file.

I could not load client.pem or any other client file, as these were not
generated in response to a csr.

I also created a client application and related to it a trust list with
the above two CA certificates.

I tried to load as a client certificate client.pfx and had to enter a
password, which I believe to be testtest.  I got an error "The issuer of
the certificate may not be in the certificate store or the issuer may
not be enabled."

I tried to load as a client certificate client.pem and got this:

No request key is found for the certificate. If you are trying to
receive the signed certificate, you must be using the same certificate
store that was used when the certificate was requested. If this is a CA
certificate, you should use the function for importing a CA.

When I tried to load the others, I got goofier messages.

I don't know how to get these loaded without first generating a csr to
which they apply.

From all indications in my research, I need a certificate to assign to
the application.  However, I don't know if that's the problem or if
there's another problem that comes first.

I have a simple program that uses http_url_post() to send a ping
request.  When I run it, I get the error in the problem statement above.
The debug info is as follows:

HTTPAPI Ver 1.23 released 2008-04-24
OS/400 Ver V5R4M0

New iconv() objects set, PostRem=819. PostLoc=0. ProtRem=819. ProtLoc=0
https_init(): entered
-------------------------------------------------------------------------------------
Dump of local-side certificate information:
-------------------------------------------------------------------------------------
http_url_post(): entered
http_persist_open(): entered
http_long_ParseURL(): entered
DNS resolver retrans: 2
DNS resolver retry  : 2
DNS resolver options: x'000001B6'
DNS default domain: REGALWARE.COM
DNS server found: 10.1.1.27
DNS server found: 10.1.1.26
(GSKit) Certificate does not have a valid format.
ssl_error(404): (GSKit) Certificate does not have a valid format.
SetError() #30: SSL Handshake: (GSKit) Certificate does not have a valid format.
-------------------------------------------------------------------------------------
Dump of server-side certificate information:
-------------------------------------------------------------------------------------
Cert Validation Code = 0

When I run a sample program, EXAMPLE23, which reports certificate info,
against a different ssl site, I get this debug info:

HTTPAPI Ver 1.23 released 2008-04-24
OS/400 Ver V5R4M0

New iconv() objects set, PostRem=819. PostLoc=0. ProtRem=819. ProtLoc=0
http_url_get(): entered
http_persist_open(): entered
http_long_ParseURL(): entered
DNS resolver retrans: 2
DNS resolver retry  : 2
DNS resolver options: x'000001B6'
DNS default domain: REGALWARE.COM
DNS server found: 10.1.1.27
DNS server found: 10.1.1.26
https_init(): entered
HTTPAPI is running in default activation group. https_cleanup must be run explcitly.
-------------------------------------------------------------------------------------
Dump of local-side certificate information:
-------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------
Dump of server-side certificate information:
-------------------------------------------------------------------------------------
Cert Validation Code = 0
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
Serial Number: 60:33:C1:DD:E8:57:47:D0:42:46:C8:7E:B4:D0:CE:2A
Common Name: www.klements.com
Org Unit: www.klements.com
Org: Domain Validated, OU=Thawte SSL123 certificate, OU=Go to https://www.thawte.com/repository/index.html
Issuer CN: Thawte Server CA
Issuer Country: ZA
Issuer State/Province: Western Cape
Issuer Locality: Cape Town
Issuer Org: Thawte Consulting cc
Issuer Org Unit: Certification Services Division
Version: 03
not before: 20080909190000
not after: 20131024185959
pub key alg: 1.2.840.113549.1.1.5

Protocol Used: TLS Version 1
http_persist_get(): entered
http_long_ParseURL(): entered
do_get(): entered
GET /cgi-bin/ssltest HTTP/1.1
Host: www.klements.com
User-Agent: http-api/1.23


recvresp(): entered
HTTP/1.1 200 OK
Date: Wed, 30 Jun 2010 18:58:53 GMT
Server: Apache/2.0.52 (FreeBSD) DAV/2 PHP/4.3.11 mod_jk/1.2.15 mod_ssl/2.0.52 OpenSSL/0.9.7e-p1
content-disposition: inline
Content-Length: 36
Content-Type: text/plain; charset=ISO-8859-1


SetError() #13: HTTP/1.1 200 OK
recvdoc parms: identity 36
header_load_cookies() entered
recvdoc(): entered
SetError() #0:
Congratulations, you're using SSL!

http_close(): entered

And, I get this report:

1 Serial                    6033C1DDE85747D04246C87EB4D0CE2A
1 Issuer Common Name        Thawte Server CA
1 Issuer Country/Region     ZA
1 Issuer State/Province     Western Cape
1 Issuer Locality           Cape Town
1 Issuer Organization       Thawte Consulting cc
1 Issuer Org Unit           Certification Services Division
1 Issuer Valid From         20080909190000
1 Issuer Valid To           20131024185959
1 Subject Common Name       www.klements.com
1 Subject Organization      www.klements.com
1 Subject Org Unit          Domain Validated, OU=Thawte SSL123 certificate, OU=Go to https://www.thawte.com/repository/ind
2 Serial                    30000001
2 Issuer Common Name        Thawte Server CA
2 Issuer Country/Region     ZA
2 Issuer State/Province     Western Cape
2 Issuer Locality           Cape Town
2 Issuer Organization       Thawte Consulting cc
2 Issuer Org Unit           Certification Services Division
2 Issuer Valid From         20040503190000
2 Issuer Valid To           20140503185959
2 Subject Common Name       Thawte SSL Domain CA
2 Subject Country/Region    ZA
2 Subject Organization      Thawte Consulting (Pty) Ltd.

When I change the sample program to hit the URL for NetGiro, I get this
debug, which is similar to, but not the same as, the debug from the ping
request:

HTTPAPI Ver 1.23 released 2008-04-24
OS/400 Ver V5R4M0

New iconv() objects set, PostRem=819. PostLoc=0. ProtRem=819. ProtLoc=0
http_url_get(): entered
http_persist_open(): entered
http_long_ParseURL(): entered
DNS resolver retrans: 2
DNS resolver retry  : 2
DNS resolver options: x'000001B6'
DNS default domain: REGALWARE.COM
DNS server found: 10.1.1.27
DNS server found: 10.1.1.26
https_init(): entered
HTTPAPI is running in default activation group. https_cleanup must be run explcitly.
-------------------------------------------------------------------------------------
Dump of local-side certificate information:
-------------------------------------------------------------------------------------
(GSKit) Certificate does not have a valid format.
ssl_error(404): (GSKit) Certificate does not have a valid format.
SetError() #30: SSL Handshake: (GSKit) Certificate does not have a valid format.
-------------------------------------------------------------------------------------
Dump of server-side certificate information:
-------------------------------------------------------------------------------------
Cert Validation Code = 0

I also get this report:

1 Serial                    07                      
1 Issuer Common Name        Netgiro TEST Server CA  
1 Issuer Country/Region     SE                      
1 Issuer State/Province     Some-State              
1 Issuer Locality           Stockholm               
1 Issuer Organization       Netgiro Systems AB      
1 Issuer Valid From         20080325134914          
1 Issuer Valid To           20110325134914          
1 Subject Common Name       195.149.170.150         
1 Subject Country/Region    se                      
1 Subject State/Province    Sweden                  
1 Subject Locality          Stockholm               
1 Subject Organization      Netgiro Systems AB      
1 Subject Org Unit          Acceptance Test         
2 Serial                    03                      
2 Issuer Common Name        Netgiro TEST Root CA    
2 Issuer Country/Region     SE                      
2 Issuer State/Province     Some-State              
2 Issuer Locality           Stockholm               
2 Issuer Organization       Netgiro Systems AB       
2 Issuer Valid From         20070927080738           
2 Issuer Valid To           20270922080738           
2 Subject Common Name       Netgiro TEST Server CA   
2 Subject Country/Region    SE                       
2 Subject State/Province    Some-State               
2 Subject Locality          Stockholm                
2 Subject Organization      Netgiro Systems AB       

From my unknowing eye, it seems we are getting certificate info, so I
don't know why the error, which is still invalid format.

The error appears to be GSKit error 404 or GSK_ERROR_BAD_CERTIFICATE,
which comes out of function gsk_secure_soc_init.  Not having code for
the api, I can't determine the exact nature of the error (assuming I
could even make sense of the code).
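The five vendor files listed above (client.key, client.p7c, client.pem, client.pfx, serverca.pem) are four different container formats, and the GSKit message says only that some certificate "does not have a valid format". The script below is an added example, not code from this thread, from HTTPAPI or from Netgiro: run on a workstation before anything is imported into the certificate store, it inventories such a bundle by detecting PEM armour versus raw binary DER, checking that each decoded object is exactly one well-formed DER SEQUENCE, and guessing the object type (X.509 certificate, private key, PKCS#7 chain, PKCS#12 bundle) from the first element inside that SEQUENCE. It also shows the most common cause of a "valid format" import error, a base64 body truncated in transit. Every sample file is a constructed structural skeleton with made-up contents; the file names mirror the thread but nothing here is a real certificate or key.

```python
"""Inventory a bundle of certificate files before importing them.

Detects PEM vs raw DER, checks each object is one well-formed DER SEQUENCE
(the outer shape of X.509 certs, PKCS#7, PKCS#12 and private keys) and
guesses the type from the first inner element.  The sample bundle at the
bottom consists of constructed skeletons, not anyone's real certificates.
"""
import base64
import re

PEM_RE = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.DOTALL)
PKCS7_SIGNED_DATA_OID = bytes.fromhex("2a864886f70d010702")  # 1.2.840.113549.1.7.2


def der_tlv(data, pos=0):
    """Parse one DER tag-length-value at data[pos]; return (tag, value, end).
    Raises ValueError/IndexError on truncated or malformed encodings."""
    tag, first = data[pos], data[pos + 1]
    if first < 0x80:                          # short form: length fits in one byte
        length, start = first, pos + 2
    else:                                     # long form: 0x8n, then n length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or pos + 2 + n > len(data):
            raise ValueError("bad DER length encoding")
        length = int.from_bytes(data[pos + 2:pos + 2 + n], "big")
        start = pos + 2 + n
    end = start + length
    if end > len(data):
        raise ValueError("DER length runs past end of data")
    return tag, data[start:end], end


def sniff_der(blob):
    """Return (well_formed, guess) for a DER blob.  The guess is structural
    only (first element inside the outer SEQUENCE); it validates no signatures.
    Encrypted PKCS#8 keys also begin with an inner SEQUENCE, so for PEM files
    the label stays authoritative and this is a cross-check."""
    try:
        tag, body, end = der_tlv(blob)
    except (ValueError, IndexError):
        return False, "not DER: truncated or bad tag/length"
    if tag != 0x30 or end != len(blob):
        return False, "not a single DER SEQUENCE (trailing or missing bytes)"
    try:
        inner_tag, inner_val, _ = der_tlv(body)
    except (ValueError, IndexError):
        return False, "empty or truncated SEQUENCE"
    if inner_tag == 0x30:
        return True, "X.509 certificate (or CSR)"
    if inner_tag == 0x02 and inner_val == b"\x03":
        return True, "PKCS#12 bundle (cert + key, password protected)"
    if inner_tag == 0x02 and inner_val == b"\x00":
        return True, "private key (PKCS#1 or unencrypted PKCS#8)"
    if inner_tag == 0x06 and inner_val == PKCS7_SIGNED_DATA_OID:
        return True, "PKCS#7 signedData (certificate chain, no private key)"
    return True, "well-formed DER SEQUENCE of unrecognised type"


def classify_file(contents):
    """Return [(label, well_formed, guess), ...] for every object in a file.
    A PEM file may hold several objects; a file with no PEM armour is one raw DER object."""
    findings = []
    for m in PEM_RE.finditer(contents):
        label = m.group(1).decode()
        try:
            blob = base64.b64decode(b"".join(m.group(2).split()), validate=True)
        except ValueError:                    # binascii.Error is a ValueError
            findings.append((label, False, "PEM body is not valid base64"))
            continue
        findings.append((label,) + sniff_der(blob))
    if not findings:
        findings.append(("(binary, no PEM armour)",) + sniff_der(contents))
    return findings


def inventory(files):
    """Classify a whole bundle given as {file name: raw bytes}."""
    return {name: classify_file(data) for name, data in files.items()}


# ---- constructed sample bundle: structural skeletons, no real key material ----
def der(tag, payload):
    """Tiny DER encoder (lengths < 256), used only to build the samples."""
    n = len(payload)
    return (bytes([tag, n]) if n < 0x80 else bytes([tag, 0x81, n])) + payload


def pem(label, blob):
    """Wrap a DER blob in PEM armour with 64-character base64 lines."""
    b64 = base64.b64encode(blob)
    body = b"\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return b"-----BEGIN " + label + b"-----\n" + body + b"\n-----END " + label + b"-----\n"


FAKE_CERT = der(0x30, der(0x30, der(0xA0, der(0x02, b"\x02"))) + der(0x30, b"") + der(0x03, b"\x00"))
FAKE_KEY = der(0x30, der(0x02, b"\x00") + der(0x02, b"\x01\x00\x01"))
FAKE_P7 = der(0x30, der(0x06, PKCS7_SIGNED_DATA_OID) + der(0xA0, der(0x30, FAKE_CERT)))
FAKE_P12 = der(0x30, der(0x02, b"\x03") + der(0x30, der(0x06, PKCS7_SIGNED_DATA_OID)))

SAMPLE_FILES = {                                # names mirror the thread; contents are made up
    "client.key": pem(b"RSA PRIVATE KEY", FAKE_KEY),
    "client.p7c": FAKE_P7,                      # .p7c is normally raw DER
    "client.pem": pem(b"CERTIFICATE", FAKE_CERT) + pem(b"RSA PRIVATE KEY", FAKE_KEY),
    "client.pfx": FAKE_P12,                     # PKCS#12 is raw DER, never PEM
    "serverca.pem": pem(b"CERTIFICATE", FAKE_CERT),
    # Base64 body that lost its tail in transit: it still decodes, but the DER
    # length overruns the data, which import tools report as an invalid format.
    "truncated.pem": pem(b"CERTIFICATE", FAKE_CERT[:-3]),
}

if __name__ == "__main__":
    for name, findings in inventory(SAMPLE_FILES).items():
        for label, ok, guess in findings:
            print(f"{name:14} {label:26} {'OK ' if ok else 'BAD'} {guess}")
```

Two findings from such an inventory matter for the import step: a .pfx or .p7c must be fed to the store as the container it is (PKCS#12 import, or CA/chain import for PKCS#7), not as a bare certificate, and a file that decodes to a truncated SEQUENCE should be re-obtained from the issuer rather than retried.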

 

-----Original Message-----
From: ftpapi-bounces@xxxxxxxxxxxxxxxxxxxxxx
[mailto:ftpapi-bounces@xxxxxxxxxxxxxxxxxxxxxx] On Behalf Of
ftpapi-request@xxxxxxxxxxxxxxxxxxxxxx
Sent: Wednesday, June 30, 2010 1:29 PM
To: ftpapi@xxxxxxxxxxxxxxxxxxxxxx
Subject: Ftpapi Digest, Vol 48, Issue 19


Message: 1
Date: Wed, 30 Jun 2010 12:52:03 -0500
From: Scott Klement <sk@xxxxxxxxxxxxxxxx>
Subject: Re: Baffled about Certificates with HTTP API
To: HTTPAPI and FTPAPI Projects <ftpapi@xxxxxxxxxxxxxxxxxxxxxx>
Message-ID: <4C2B8443.8020705@xxxxxxxxxxxxxxxx>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

Hi Monte,

The error seems to imply that the SSL code in OS/400 doesn't recognize
the format of the certificate that's being sent by whomever you're
connecting to.

You stated that they provided a CA and Client certificate.  You didn't
explain anything about installing the client cert...  you only described
your installation of the CA cert... which makes me wonder if perhaps you
skipped the client certificate part of the process?

Or maybe you didn't explain that part because you aren't having trouble?
Not sure.


On 6/29/2010 11:19 AM, Monte T. Schmiege wrote:
>
> I am trying to establish communications with a banking organization
> that requires ssl.  They provided certificates, server ca and client.
> I could not load the server ca without a root ca, which they then
> provided.  I loaded the root ca and the server ca.  After that, I am
> guessing.  I created a "client" application and associated it with the
> two ca's in a trust list.
>
> My RPG program references the application in the HTTP_Init, which
> returns a non-negative return code (good).
>
> I issue a http_url_post, as I have in other applications.
>
> The error I get is "SSL Handshake: (GSKit) Certificate does not have a
> valid format."
>
> I am clueless about how to make this work.  I've searched the Internet
> and forum and tried to glean from the examples and source code to no
> avail.
>
> I would be happy for any assistance.
>
> Monte Schmiege
> Senior Web Analyst
> mschmiege@xxxxxxxxxxxxx
> 262-626-8609
>
> Regal Ware, Inc.
> 1675 Reigle Drive
> Kewaskum, WI  53040
>
> -----------------------------------------------------------------------
> This is the FTPAPI mailing list.  To unsubscribe, please go to:
> http://www.scottklement.com/mailman/listinfo/ftpapi
> -----------------------------------------------------------------------





-----------------------------------------------------------------------
This is the FTPAPI mailing list.  To unsubscribe, please go to:
http://www.scottklement.com/mailman/listinfo/ftpapi
-----------------------------------------------------------------------