
RE: Protocol TLS to SSLv3



Hi,

Thanks for your response-- now I know how the port is set!  
However, I am only using the URL 'https://Illinois.edu' as an example.  The actual URL I am using is a bit more complex - where I am actually using variables to plug into the URL string to consume a secure site thru the University of Illinois. 
So in trying to isolate the problem, I stripped the URL down to the basic secured connection.  At the top-most layer, my program using HTTPAPI cannot connect to any of the secured University websites.   

The following secure websites work, because they use the TLS protocol.

https://www.nsa.gov - TLS 1.1
https://www.google.com - TLS 1.1
https://www.fbi.gov - TLS 1.0
https://apps.uillinois.edu - TLS 1.0

To test my theory that I have to use SSLv3 to connect to the University, I connected thru a web browser just fine.  I then went in and 'unchecked' the internet options under security for using 'SSL 2.0 and SSL 3.0' to force the browser to only use a version of TLS for the connection.  It failed.  So in order to connect from my ISeries to the secured University websites I need to consume, I need to have HTTPAPI use only SSLv3.  Does anyone know how to do this?

Thanks!!


-----Original Message-----
From: ftpapi-bounces@xxxxxxxxxxxxxxxxxxxxxx [mailto:ftpapi-bounces@xxxxxxxxxxxxxxxxxxxxxx] On Behalf Of Mike Krebs
Sent: Thursday, December 13, 2012 6:19 PM
To: HTTPAPI and FTPAPI Projects
Subject: RE: Protocol TLS to SSLv3

When you set https: in the URL, you are automatically using SSL which is port 443 by default.

If you want to use "regular", just use http: which is port 80. 

Since you have it set to the home page of the University of Illinois, it is not needed. When you are actually accessing the web service, often you will need SSL. Not so much in "let's see what we can download".



-----Original Message-----
From: ftpapi-bounces@xxxxxxxxxxxxxxxxxxxxxx [mailto:ftpapi-bounces@xxxxxxxxxxxxxxxxxxxxxx] On Behalf Of Smith, Sherry K.
Sent: Thursday, December 13, 2012 4:55 PM
To: HTTPAPI and FTPAPI Projects
Subject: RE: Protocol TLS to SSLv3

Hi Scott,

I can indeed connect to sites by turning SSL off (using http:) without receiving any error messages, so according to your response I am passing the wrong port number.  I wasn't aware that I was passing a port number at all.
Below is a snip of my program that is causing the error:

URL = 'https://illinois.edu';
// The IFS variable tells HTTPAPI where to put it on your local computer.
IFS = '/tmp/GroupId.txt';
//*********************************************************       
// Now call HTTPAPI's "GET" routine.  Pass the above              
//  variables as parameters.  It'll download it to the IFS!       
//*********************************************************       
rc = http_url_get(URL: IFS);               
//********************************************************* 
//*  Error handling...                  
//********************************************************* 
// Check for Errors                      
if rc <> 1;                             
  http_crash();                         
  msg = http_error();                   
else;                                   
  msg = 'URL Get was successful!';      
endif;                                  
dsply msg;                              
msg = *blanks;        

Thanks for all your help!!
Sherry                  
                                                                                

-----Original Message-----
From: ftpapi-bounces@xxxxxxxxxxxxxxxxxxxxxx [mailto:ftpapi-bounces@xxxxxxxxxxxxxxxxxxxxxx] On Behalf Of Scott Klement
Sent: Thursday, December 13, 2012 10:43 AM
To: HTTPAPI and FTPAPI Projects
Subject: Re: Protocol TLS to SSLv3

Hi Sherry,

HTTPAPI will work with SSLv3 out-of-the-box.  There is no need to set any special options, it will "just work".

The most common cause of the error message you've reported is when the HTTP server is using plain-text (non-SSL) communications, and HTTPAPI is using SSL.  In this case, HTTPAPI sends a request to negotiate SSL, and gets back a response of unencrypted HTTP traffic (which is not a valid SSL message, and therefore you get the "badly formatted message" error).

If I'm correct and this is happening to you:

1) Perhaps you are connecting to the wrong port?  HTTP requires separate ports for SSL and non-SSL connections.  Perhaps you've selected the non-SSL port by mistake?

2) Perhaps the server is misconfigured, and is using non-SSL communications on the SSL port?

3) Perhaps you have a proxy/firewall in place that is responding instead of the actual server?  In this case, HTTPAPI needs to be configured for your proxy with the http_setproxy() and http_proxy_setauth() routines as appropriate for your environment.

An easy way to determine if this is happening, is to turn off SSL in HTTPAPI by changing the URL to "http" instead of "https" and see if it works and you get back a response, while keeping the same port number.  This will tell you that the server is indeed communicating in non-SSL, and may make it clear that you are passing the wrong port number.

If this is not the case, however -- then you will need to provide me with information about how to reproduce the problem.  If this problem is, indeed, a bug in HTTPAPI, I cannot fix it unless I can reproduce it on my own system.

-SK



On 12/12/2012 4:48 PM, Smith, Sherry K. wrote:
>     This is what I am trying to do:
>
>     I have a URL, that when called, simply produces a sequential number.
>     This number will be used as a 'Group Id'.
>
>     My program will then take this group id number and associate a
>     tab-delimited file (that I upload) with it for further processing by
>     another business group in the organization.  The problem I am running
>     into is our ISeries is trying to use TLS protocol, and the website URL
>     I am trying to consume is using SSLv3.  The two are not playing nice
>     with each other, and I am getting the following message: "SSL
>     Handshake: (GSKit) Peer not recognized or badly formatted message
>     received."
>
>     It appears COMMSSLR4 may have what I need to change the protocol, but I
>     have no idea how to use it.  Has anyone run into this problem or can
>     give me some guidance on changing the ISeries protocol to SSLv3?
>
>
>     Thanks,
>
>     Sherry Smith
>
>
>
> ----------------------------------------------------------------------
> - This is the FTPAPI mailing list.  To unsubscribe, please go to:
> http://www.scottklement.com/mailman/listinfo/ftpapi
> ----------------------------------------------------------------------
> -

-----------------------------------------------------------------------
This is the FTPAPI mailing list.  To unsubscribe, please go to:
http://www.scottklement.com/mailman/listinfo/ftpapi
-----------------------------------------------------------------------
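
Added example (not part of the original thread, and not HTTPAPI or GSKit code): a small Python classifier for the first bytes a peer sends back after a ClientHello, separating the plain-text HTTP reply described in the thread from a real SSL/TLS record or alert. The function name, the sample names and the sample bytes are constructed for illustration.

```python
import struct

# TLS record-layer constants (SSLv3 is RFC 6101, TLS 1.2 is RFC 5246).
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake",
                 23: "application_data"}
VERSIONS = {(3, 0): "SSLv3", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}
ALERTS = {10: "unexpected_message", 40: "handshake_failure",
          47: "illegal_parameter", 70: "protocol_version"}
MAX_RECORD_LEN = 2**14 + 2048  # largest record body the protocol allows

# Constructed sample replies (not captured from any real server).
SAMPLES = {
    "plaintext": b"HTTP/1.1 400 Bad Request\r\nContent-Type: text/html\r\n\r\n",
    "sslv3_hello": b"\x16\x03\x00\x00\x4a\x02\x00\x00\x46\x03\x00",
    "version_alert": b"\x15\x03\x01\x00\x02\x02\x46",
    "closed": b"",
}

def classify_first_bytes(data: bytes) -> dict:
    """Classify what a peer sent back in response to a ClientHello."""
    if not data:
        return {"kind": "closed", "detail": "peer closed without replying"}
    if data[:5] == b"HTTP/":
        # Unencrypted HTTP on a connection where SSL was expected.
        status = data.split(b"\r\n", 1)[0].decode("ascii", "replace")
        return {"kind": "plaintext-http", "detail": status}
    if len(data) < 5:
        return {"kind": "unknown", "detail": "shorter than a record header"}
    # Record header: content type, major version, minor version, body length.
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    if (ctype not in CONTENT_TYPES or (major, minor) not in VERSIONS
            or length > MAX_RECORD_LEN):
        return {"kind": "unknown", "detail": "neither a TLS record nor HTTP"}
    result = {"kind": "tls-" + CONTENT_TYPES[ctype],
              "version": VERSIONS[(major, minor)], "detail": ""}
    if ctype == 21 and length == 2 and len(data) >= 7:
        # Alert body: one level byte (2 = fatal) and one description byte.
        level = "fatal" if data[5] == 2 else "warning"
        result["detail"] = "%s alert: %s" % (level, ALERTS.get(data[6], "alert %d" % data[6]))
    elif ctype == 22 and len(data) >= 6:
        # The first handshake byte is the message type (2 = ServerHello).
        result["detail"] = "ServerHello" if data[5] == 2 else "handshake type %d" % data[5]
    return result

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, "->", classify_first_bytes(raw))
```

A "plaintext-http" result corresponds to the wrong-port, misconfigured-server and proxy cases listed in the thread; a fatal protocol_version alert or an immediate close points at protocol version negotiation instead.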