
RE: HTTPAPI: (GSKit) I/O: Unknown system state.



   [1]-----ftpapi-bounces@xxxxxxxxxxxxxxxxxxxxxx wrote: -----
   To: <ftpapi@xxxxxxxxxxxxxxxxxxxxxx>
   From: "Linning Mike-c11488" <Mike.Linning@xxxxxxxxxxxx>
   Sent by: ftpapi-bounces@xxxxxxxxxxxxxxxxxxxxxx
   Date: 08/06/2010 04:10PM
   Subject: RE: HTTPAPI: (GSKit) I/O: Unknown system state.
   > Been using this utility for several years now without incident, but
   > suddenly this week we're getting errors when it appears to receive the
   > CA certificate information.  This is from the httpapi_debug.txt log.
   >
   > HTTPAPI Ver 1.20 released 2007-06-04
   >
   > New iconv() objects set, PostRem=819. PostLoc=0. ProtRem=819. ProtLoc
   > http_url_get(): entered
   > http_persist_open(): entered
   > http_long_ParseURL(): entered
   > https_init(): entered
   > ---------------------------------------------------------------------
   > Dump of local-side certificate information:
   > ---------------------------------------------------------------------
   > (GSKit) I/O: Unknown system state.
   > ssl_error(406): (GSKit) I/O: Unknown system state.
   > SetError() #30: SSL Handshake: (GSKit) I/O: Unknown system state.
   > Cert Validation Code = 0
   >
   >                          Additional Message Information
   >
   >  Message ID . . . . . . :   CPA0701       Severity . . . . . . . :   99
   >  Message type . . . . . :   Inquiry
   >  Date sent  . . . . . . :   08/06/10      Time sent  . . . . . . :   11:33:18
   >
   >  Message . . . . :   CPF9897 received by CUCL0111 at 600. (C D I R)
   >  Cause . . . . . :   Control language (CL) program CUCL0111 in library QGPL
   >    detected an error at statement number 600. Message text for CPF9897 is: SSL
   >    Handshake: (GSKit) I/O: Unknown system state.
   >  Recovery  . . . :   This inquiry message can be avoided by changing the
   >    program. Monitor for the error (MONMSG command) and perform error recovery
   >    within the program. To continue, choose a reply value.
   >  Possible choices for replying to message . . . . . . . . . . . . . . . :
   >    C -- Cancel the CL program.
   >    D -- Dump the CL program variables and cancel the CL program.
   >    I -- Ignore the failing command.
   >
   > More...
   >  Reply  . . . :   C
   >
   > Recently we renewed a Server certificate which is issued by the CA
   > which might have caused it, but I don't think so as we never had to do
   > anything on the Iseries Client User whenever we renewed certificates
   > annually for all environments (Dev, QA, Prod).
   >
   > I'm thinking something's amiss in the IBM layers?
   >
   > Any clues?
   >
   > -mike
   >
   -----------------------------------------------------------------------
   This is the FTPAPI mailing list.  To unsubscribe, please go to:
   [2]http://www.scottklement.com/mailman/listinfo/ftpapi
   -----------------------------------------------------------------------

   Mike,

   We had this same issue at the end of May. Check the key length of the
   site you are trying to access; if it is higher than 2048 bits, then IBM
   iSeries GSKit will not support it or any of those bigger key lengths.
   We got around the issue by proxying the request through a proxy server
   with a 2048-bit key. Here are the emails I received from IBM support
   on the issue. They say there may be a fix in a PTF, but I have not
   tested it.

   John Hill
   Web Developer

   Email 1
   --------------------------------------
   Hello John,
   Not good news on this end.  The server certificate running is 4096 bit,
   which isn't supported on System i.  The CAs we installed are 2048 bit so
   they imported fine.  It's actually unique that a server certificate is
   created and based on CAs using a smaller bit string.  Not sure why they
   went with 4096.  Performance is not as good, it's not really more secure
   than 2048, and it's not strategic (4096 isn't really the next step as
   things are changing to maintain performance).
   I would alert the WENS team as to the situation.  I realize you're the
   client but I'd let them know that they changed to a bit size on their
   server certificate that isn't supported on your system.
   FYI.  Since the industry is going a different direction in the future
   support for 4096 hasn't been added in V6R1 or V7R1 either, so I can't
   tell you this is supported in a later release either.
   Thanks!
   Spectacular accomplishments require spectacular preparation.
   T.J. Covalt, Software Engineer, IBM Rochester support Center
   PMI Certified Project Manager
   Phone: (507) 286-6488
   Fax:      (507) 253-5124
   E-mail: [3]covalt@xxxxxxxxxx

   Email 2
   -----------------------------------
   Hello John.
   It sounds like the development team is working on an issue with the SSL
   handshake.  Here are the PTFs being released for the supported releases.
   V5R4 -  MF50358
   V5R4M5 - MF50349
   Install the appropriate PTF and let me know how it works for you.
   Thanks!
   Spectacular accomplishments require spectacular preparation.
   T.J. Covalt, Software Engineer, IBM Rochester support Center
   PMI Certified Project Manager
   Phone: (507) 286-6488
   Fax:      (507) 253-5124
   E-mail: covalt@xxxxxxxxxx
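
Added example (not part of the original thread, and not IBM or HTTPAPI code): a standard-library Python check of a certificate's RSA key size against the 2048-bit limit reported above, usable from any workstation before pointing a client at an endpoint. `sample_cert` builds a constructed, unsigned certificate skeleton so the check runs offline; all function names are this example's own.

```python
RSA_OID = bytes.fromhex("2a864886f70d010101")  # rsaEncryption, 1.2.840.113549.1.1.1

def _tlv(buf, pos):
    """Decode one DER element at pos -> (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _children(buf, start, end):  # elements directly inside a constructed value
    items = []
    while start < end:
        items.append(_tlv(buf, start))
        start = items[-1][2]
    return items

def rsa_key_bits(der):
    """RSA modulus size, in bits, of a DER-encoded X.509 certificate."""
    _, s, e = _tlv(der, 0)                            # Certificate
    _, s, e = _children(der, s, e)[0]                 # tbsCertificate
    fields = _children(der, s, e)
    spki = fields[6 if fields[0][0] == 0xA0 else 5]   # [0] version is optional
    alg, key = _children(der, spki[1], spki[2])
    oid = _children(der, alg[1], alg[2])[0]
    if der[oid[1]:oid[2]] != RSA_OID:
        raise ValueError("certificate key is not RSA")
    _, s, e = _tlv(der, key[1] + 1)                   # BIT STRING: skip unused-bits byte
    mod = _children(der, s, e)[0]                     # RSAPublicKey.modulus
    return int.from_bytes(der[mod[1]:mod[2]], "big").bit_length()

def exceeds_limit(der, limit=2048):  # 2048: the limit reported in this thread
    return rsa_key_bits(der) > limit

def _der(tag, body):  # encoder, used only to build the constructed sample below
    n = len(body)
    size = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x80 | len(size)]) + size) + body

def sample_cert(bits):
    """Constructed, unsigned certificate skeleton holding an RSA key of `bits` bits."""
    n = ((1 << (bits - 1)) | 1).to_bytes(bits // 8 + 1, "big")  # leading 0x00 keeps it positive
    alg = _der(0x30, _der(0x06, RSA_OID) + _der(0x05, b""))
    rsa = _der(0x30, _der(0x02, n) + _der(0x02, b"\x01\x00\x01"))
    spki = _der(0x30, alg + _der(0x03, b"\x00" + rsa))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + alg + _der(0x30, b"") * 3 + spki)
    return _der(0x30, tbs + alg + _der(0x03, b"\x00"))

if __name__ == "__main__":
    print({bits: exceeds_limit(sample_cert(bits)) for bits in (2048, 4096)})
```

For a live endpoint, pass `ssl.PEM_cert_to_DER_cert(ssl.get_server_certificate((host, 443)))` to `rsa_key_bits`; this inspects only the server's leaf certificate.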

References

   1. mailto:-----ftpapi-bounces@xxxxxxxxxxxxxxxxxxxxxx
   2. http://www.scottklement.com/mailman/listinfo/ftpapi
   3. mailto:covalt@xxxxxxxxxx