Re: Why is HTTPS working? Server cert signed by GoDaddy, but they are not listed as a CA in my certificate store....
- From: Scott Klement <klemscot@xxxxxxxxxxxx>
- To: HTTPAPI and FTPAPI Projects <ftpapi@xxxxxxxxxxxxxxxxxxxxxx>
- Subject: Re: Why is HTTPS working? Server cert signed by GoDaddy, but they are not listed as a CA in my certificate store....
- Date: Fri, 11 May 2012 12:15:48 -0500
Hi Charles,
You need to code:
callp https_strict(*on)
By default, HTTPAPI passes GSK_SERVER_AUTH_PASSTHRU to the SSL support
in the operating system. This tells the system that it must
successfully create an SSL connection to the destination host, and must
successfully establish secure encryption, etc. But, it does not
validate the server certificate.
This setting is the default because IBM includes only a small number of
CA certificates with the system, resulting in a high volume of sites
that would fail certificate checking. Someone new to HTTPAPI and SSL
would, naturally, blame HTTPAPI for this, saying their browser can
connect fine, but HTTPAPI cannot. (It skips other validations as well,
such as validating the expiration date on the certificates.)
The https_strict(*on) will force validation of server certificates.
There are also certificate parsing xprocs that can be registered to
allow you to do even greater validation, by letting you write your own
logic that checks certificate fields, etc, according to any custom rules
you want to provide. This is rarely used, but it's there if you want to
enable some additional checking.
-SK
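The distinction Scott draws above (an encrypted channel whose server certificate is never checked, versus https_strict(*on) forcing validation, plus the optional certificate-parsing exit procedures for custom rules) is modelled below in Python's ssl module. This is an added example, not HTTPAPI code and not RPG: build_context(False) is the analogue of GSK_SERVER_AUTH_PASSTHRU, build_context(True) the analogue of https_strict(*on), and check_server_cert() stands in for the kind of extra policy an xproc would apply. The certificate dictionaries are constructed to look like what ssl.SSLSocket.getpeercert() returns; the issuer name, hostnames and dates in them are made up for the example.

```python
"""Added example (not HTTPAPI's own code): passthru vs strict server
certificate validation, and a custom per-field check like an xproc."""
import ssl
import time


def build_context(strict: bool) -> ssl.SSLContext:
    """Return a client TLS context in one of two modes.

    strict=False mirrors GSK_SERVER_AUTH_PASSTHRU: the handshake must
    succeed and traffic is encrypted, but the server certificate is not
    checked against any CA and the hostname is not checked either.
    strict=True mirrors https_strict(*on): chain and hostname are verified
    against the local CA store, so a server signed by a CA you do not have
    (the GoDaddy case in the thread) fails the connection.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    if strict:
        ctx.check_hostname = True
        ctx.verify_mode = ssl.CERT_REQUIRED
        ctx.load_default_certs()          # CA store; nothing is validated without it
    else:
        ctx.check_hostname = False        # must be cleared before CERT_NONE
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def _rdn_value(name, key):
    """Pull one attribute (e.g. 'commonName') out of a getpeercert() name tuple."""
    for rdn in name:
        for k, v in rdn:
            if k == key:
                return v
    return None


def _host_matches(pattern: str, host: str) -> bool:
    """Exact match, or a single left-most wildcard label (*.example.com)."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return pattern == host


def check_server_cert(cert: dict, hostname: str, allowed_issuer_cns, now=None):
    """Custom validation of a decoded peer certificate, the sort of logic
    an HTTPAPI certificate-parsing exit procedure would hold.

    Returns a list of problems; an empty list means the certificate passed.
    Checks: validity window, issuer allow-list, and that hostname appears
    in the subjectAltName DNS entries (falling back to the subject CN).
    """
    now = time.time() if now is None else now
    problems = []
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        problems.append("not yet valid")
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        problems.append("expired")
    issuer_cn = _rdn_value(cert.get("issuer", ()), "commonName")
    if issuer_cn not in allowed_issuer_cns:
        problems.append(f"issuer not allowed: {issuer_cn!r}")
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:
        cn = _rdn_value(cert.get("subject", ()), "commonName")
        names = [cn] if cn else []
    if not any(_host_matches(n, hostname) for n in names):
        problems.append(f"hostname {hostname!r} not in {names}")
    return problems


# Constructed sample data (not real certificates), shaped like getpeercert().
ALLOWED_ISSUERS = {"Example Secure CA"}      # hypothetical allow-list
NOW = ssl.cert_time_to_seconds("May 11 17:15:48 2012 GMT")
GOOD_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("organizationName", "Example CA Inc."),),
               (("commonName", "Example Secure CA"),)),
    "notBefore": "May 11 00:00:00 2012 GMT",
    "notAfter": "May 11 00:00:00 2014 GMT",
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "*.example.net")),
}
EXPIRED_CERT = dict(GOOD_CERT, notAfter="May 10 00:00:00 2012 GMT")
UNKNOWN_ISSUER_CERT = dict(GOOD_CERT, issuer=((("commonName", "Some Other CA"),),))


if __name__ == "__main__":
    for strict in (False, True):
        ctx = build_context(strict)
        print(f"strict={strict}: verify_mode={ctx.verify_mode!r}, "
              f"check_hostname={ctx.check_hostname}")
    for label, cert, host in (("good", GOOD_CERT, "www.example.com"),
                              ("wildcard", GOOD_CERT, "api.example.net"),
                              ("wrong host", GOOD_CERT, "mail.example.com"),
                              ("expired", EXPIRED_CERT, "www.example.com"),
                              ("issuer", UNKNOWN_ISSUER_CERT, "www.example.com")):
        print(label, "->", check_server_cert(cert, host, ALLOWED_ISSUERS, NOW) or "ok")
```

The passthru context will happily complete a handshake with any certificate at all, which is why the GoDaddy-signed server in the question works without a GoDaddy CA in the store; only the strict context, or a check like check_server_cert() run on the peer certificate after the handshake, turns a missing CA, an expired certificate or a wrong hostname into a failure.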
On 5/11/2012 7:40 AM, Charles Wilt wrote:
> Ok I thought I understood how this worked...
>
> But we are currently successfully making HTTPS requests using HTTPAPI
> to a server whose certificate is signed by GoDaddy....
>
> However, when I go into DCM and list out the CA certs in the *SYSTEM
> certificate store, I don't see one for GoDaddy...
>
> So why is SSL working? What am I mis-understanding?
>
> Thanks!
> Charles
> -----------------------------------------------------------------------
> This is the FTPAPI mailing list. To unsubscribe, please go to:
> http://www.scottklement.com/mailman/listinfo/ftpapi
> -----------------------------------------------------------------------
>