RE: HTTPAPI: (GSKit) I/O: Unknown system state.
Since the certs are both 2048 or less then it is not the same issue we
were having. I would recommend opening a case with IBM support. That
is how I got my answer since HTTPAPI isn't the program throwing the
error it is the GSKit.
-----ftpapi-bounces@xxxxxxxxxxxxxxxxxxxxxx wrote: -----
To: "HTTPAPI and FTPAPI Projects" <ftpapi@xxxxxxxxxxxxxxxxxxxxxx>
From: "Linning Mike-c11488" <Mike.Linning@xxxxxxxxxxxx>
Sent by: ftpapi-bounces@xxxxxxxxxxxxxxxxxxxxxx
Date: 08/09/2010 01:05PM
Subject: RE: HTTPAPI: (GSKit) I/O: Unknown system state.
That's what I thought and it shows RSA (1024 bits) for my server
certificates and RSA (2048 bits) for my CA Certificate...so I should be
under this 2048 issue? No?
-ml
-----Original Message-----
From: ftpapi-bounces@xxxxxxxxxxxxxxxxxxxxxx
[mailto:ftpapi-bounces@xxxxxxxxxxxxxxxxxxxxxx] On Behalf Of JHill@xxxxxxxxxxxx
Sent: Monday, August 09, 2010 11:49 AM
To: HTTPAPI and FTPAPI Projects
Subject: RE: HTTPAPI: (GSKit) I/O: Unknown system state.
You can use openssl if you like, or you can use your favorite web
browser, go to the URL you are trying to access using HTTPAPI and
take a look at the Public Key field of the server certificate.
-----ftpapi-bounces@xxxxxxxxxxxxxxxxxxxxxx wrote: -----
To: "HTTPAPI and FTPAPI Projects" <ftpapi@xxxxxxxxxxxxxxxxxxxxxx>
From: "Linning Mike-c11488" <Mike.Linning@xxxxxxxxxxxx>
Sent by: ftpapi-bounces@xxxxxxxxxxxxxxxxxxxxxx
Date: 08/09/2010 11:05AM
Subject: RE: HTTPAPI: (GSKit) I/O: Unknown system state.
I think our bits are 1024 or 2048...how do I validate?
-----Original Message-----
From: ftpapi-bounces@xxxxxxxxxxxxxxxxxxxxxx
[mailto:ftpapi-bounces@xxxxxxxxxxxxxxxxxxxxxx] On Behalf Of JHill@xxxxxxxxxxxx
Sent: Monday, August 09, 2010 8:11 AM
To: HTTPAPI and FTPAPI Projects
Subject: RE: HTTPAPI: (GSKit) I/O: Unknown system state.
-----ftpapi-bounces@xxxxxxxxxxxxxxxxxxxxxx wrote: -----
To: <ftpapi@xxxxxxxxxxxxxxxxxxxxxx>
From: "Linning Mike-c11488" <Mike.Linning@xxxxxxxxxxxx>
Sent by: ftpapi-bounces@xxxxxxxxxxxxxxxxxxxxxx
Date: 08/06/2010 04:10PM
Subject: RE: HTTPAPI: (GSKit) I/O: Unknown system state.
> Been using this utility for several years now without incident, but
> suddenly this week we're getting errors when it appears to receive the
> CA certificate information. This is from the httpapi_debug.txt log.
>
> HTTPAPI Ver 1.20 released 2007-06-04
>
> New iconv() objects set, PostRem=819. PostLoc=0. ProtRem=819. ProtLoc
> http_url_get(): entered
> http_persist_open(): entered
> http_long_ParseURL(): entered
> https_init(): entered
> ---------------------------------------------------------------------
> Dump of local-side certificate information:
> ---------------------------------------------------------------------
> (GSKit) I/O: Unknown system state.
> ssl_error(406): (GSKit) I/O: Unknown system state.
> SetError() #30: SSL Handshake: (GSKit) I/O: Unknown system state.
> Cert Validation Code = 0
>
> Additional Message Information
>
> Message ID . . . . . . : CPA0701      Severity . . . . . . . : 99
> Message type . . . . . : Inquiry
> Date sent . . . . . . : 08/06/10      Time sent . . . . . . : 11:33:18
>
> Message . . . . : CPF9897 received by CUCL0111 at 600. (C D I R)
> Cause . . . . . : Control language (CL) program CUCL0111 in library QGPL
> detected an error at statement number 600. Message text for CPF9897 is: SSL
> Handshake: (GSKit) I/O: Unknown system state.
> Recovery . . . : This inquiry message can be avoided by changing the
> program. Monitor for the error (MONMSG command) and perform error recovery
> within the program. To continue, choose a reply value.
> Possible choices for replying to message . . . . . . . . . . . . . . . :
> C -- Cancel the CL program.
> D -- Dump the CL program variables and cancel the CL program.
> I -- Ignore the failing command.
>
> More...
> Reply . . . : C
>
> Recently we renewed a Server certificate which is issued by the CA
> which might have caused it, but I don't think so as we never had to do
> anything on the Iseries Client User whenever we renewed certificates
> annually for all environments (Dev, QA, Prod).
>
> I'm thinking something's amiss in the IBM layers?
>
> Any clues?
>
> -mike
>
-----------------------------------------------------------------------
This is the FTPAPI mailing list. To unsubscribe, please go to:
http://www.scottklement.com/mailman/listinfo/ftpapi
-----------------------------------------------------------------------
Mike,
We had this same issue at the end of May. Check the key length of the
site you are trying to access, if it is higher than 2048 bits then IBM
iseries GSKit will not support it or any of those bigger key lengths.
We got around the issue by proxying the request through a proxy server
with a 2048 bit key. Here are the emails I received from IBM support
on the issue. They say there may be a fix in a PTF but I have not
tested it.
John Hill
Web Developer
Email 1
--------------------------------------
Hello John,
Not good news on this end. The server certificate running is 4096 bit,
which isn't supported on System i. The CAs we installed are 2048 bit so
they imported fine. It's actually unique that a server certificate is
created and based on CAs using a smaller bit string. Not sure why they
went with 4096. Performance is not as good, it's not really more secure
than 2048, and it's not strategic (4096 isn't really the next step as
things are changing to maintain performance).
I would alert the WENS team as to the situation. I realize you're the
client but I'd let them know that they changed to a bit size on their
server certificate that isn't supported on your system.
FYI. Since the industry is going a different direction in the future,
support for 4096 hasn't been added in V6R1 or V7R1 either, so I can't
tell you this is supported in a later release either.
Thanks!
Spectacular accomplishments require spectacular preparation.
T.J. Covalt, Software Engineer, IBM Rochester support Center
PMI Certified Project Manager
Phone: (507) 286-6488
Fax: (507) 253-5124
E-mail: covalt@xxxxxxxxxx
Email 2
-----------------------------------
Hello John.
It sounds like the development team is working on an issue with the SSL
handshake. Here are the PTFs being released for the supported releases.
V5R4 - MF50358
V5R4M5 - MF50349
Install the appropriate PTF and let me know how it works for you.
Thanks!
Spectacular accomplishments require spectacular preparation.
T.J. Covalt, Software Engineer, IBM Rochester support Center
PMI Certified Project Manager
Phone: (507) 286-6488
Fax: (507) 253-5124
E-mail: covalt@xxxxxxxxxx
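
The key-size check suggested in this thread ("You can use openssl if you like"), written out as an added example that is not part of the original messages. The names cert_key_bits, check_chain, MAX_BITS and chain.pem are assumptions made for illustration; the 2048-bit default is the limit the thread describes for GSKit.

```shell
#!/bin/sh
# Added example: report the public-key size of every certificate in a PEM
# file and flag any above a client-side limit (MAX_BITS, assumed name).
#
# To capture what a server presents, from any machine with OpenSSL
# ("host" is a placeholder):
#   openssl s_client -connect host:443 -showcerts </dev/null > chain.pem

MAX_BITS=${MAX_BITS:-2048}

# Print the key size in bits of one PEM certificate read from stdin.
cert_key_bits() {
    openssl x509 -noout -text 2>/dev/null |
        sed -n 's/.*Public[- ]Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1
}

# Print "<index> <bits> <OK|TOO_LARGE|UNKNOWN> <subject>" for each
# certificate in the PEM file $1. Returns 1 if any key exceeds MAX_BITS,
# 2 if the file holds no certificate.
check_chain() {
    file=$1 n=0 status=0
    total=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$file") || true
    [ "${total:-0}" -gt 0 ] || return 2
    while [ "$n" -lt "$total" ]; do
        n=$((n + 1))
        # Extract the n-th BEGIN/END block; other s_client text is skipped.
        pem=$(awk -v want="$n" '
            /-----BEGIN CERTIFICATE-----/ { i++; on = (i == want) }
            on { print }
            /-----END CERTIFICATE-----/ { on = 0 }' "$file")
        bits=$(printf '%s\n' "$pem" | cert_key_bits)
        subj=$(printf '%s\n' "$pem" | openssl x509 -noout -subject 2>/dev/null)
        if [ -z "$bits" ]; then verdict=UNKNOWN
        elif [ "$bits" -gt "$MAX_BITS" ]; then verdict=TOO_LARGE; status=1
        else verdict=OK
        fi
        echo "$n ${bits:-?} $verdict $subj"
    done
    return "$status"
}

# Run only when a file name is given on the command line.
if [ "$#" -gt 0 ]; then check_chain "$1"; fi
```

Checking the whole chain rather than only the first certificate matters here because, as in the case IBM support describes, the server certificate and the CA certificates can use different key sizes.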