[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: Server Name Indication?

From: Mike Krebs <mkrebs@xxxxxxxxxxxxxxxxxx>
To: HTTPAPI and FTPAPI Projects <ftpapi@xxxxxxxxxxxxxxxxxxxxxx>
Subject: RE: Server Name Indication?
Date: Fri, 13 Dec 2013 17:52:10 -0600

At least in 7.1, it appears to be in GSKIT

http://pic.dhe.ibm.com/infocenter/iseries/v7r1m0/index.jsp?topic=%2Fapis%2Fgsk_attribute_set_buffer.htm

GSK_SSL_EXTN_SERVERNAME_REQUEST (230)
GSK_SSL_EXTN_SERVERNAME_CRITICAL_REQUEST (231)
GSK_SSL_EXTN_SERVERNAME_LIST (232)
GSK_SSL_EXTN_SERVERNAME_CRITICAL_LIST (233)




-----Original Message-----
From: ftpapi-bounces@xxxxxxxxxxxxxxxxxxxxxx [mailto:ftpapi-bounces@xxxxxxxxxxxxxxxxxxxxxx] On Behalf Of Scott Klement
Sent: Friday, December 13, 2013 3:18 PM
To: HTTPAPI and FTPAPI Projects
Subject: Re: Server Name Indication?

Hi Ted,

HTTPAPI does not have it's own code for SSL.   It merely calls the GSKit 
APIs for SSL that IBM provides with the operating system.

Server Name Indication (SNI) is a feature of SSL, not a feature of HTTP, 
so there's no way I can implement this.  IBM would have to do it.

-SK



On 12/13/2013 9:23 AM, ted_holt@xxxxxxxxxxxxxxxx wrote:
>     Does HTTPAPI support Server Name Indication?   I am having trouble
>     communicating with a Web service, and this is what they have found out
>     from our trouble-shooting.
>     The issue is something called ?SNI? or ?Server Name Indication?. We
>     have several API websites running off the same IP, each with its own
>     certificate. SNI forces the client to tell them what host they are
>     looking for so it knows which certificate to dish up. SNI is built in
>     to all modern day browsers and that?s why we don?t have any problems
>     from RestClient or any other testing facilities. If im correct, I don?t
>     think the utility you are using is implementing SNI and when it
>     contacts our server the server doesn?t know what its looking for.
>
>     You were able to make a call to the api through SSL during out test
>     yesterday because I disabled SNI, and just set one certificate for the
>     IP, but that renders all the other sites dead. SNI is a fairly common
>     thing, so the software you are using should have the ability to
>     implement it somewhere in there.
>     Ted Holt
>     Sr. Systems Analyst
>     The Taylor Group of Companies
>     650 N. Church Avenue
>     Louisville, MS 39339
>     Phone: (662) 773-9186
>     NOTICE:
>     This message (with any attachments) is confidential and may constitute
>     a privileged communication. If you have received this message in error,
>     please notify me immediately by telephone (662-773-3421) or by
>     electronic mail. Do not use or disclose this message in any way.
>     Thank you
>
>
>
> -----------------------------------------------------------------------
> This is the FTPAPI mailing list.  To unsubscribe, please go to:
> http://www.scottklement.com/mailman/listinfo/ftpapi
> -----------------------------------------------------------------------

-----------------------------------------------------------------------
This is the FTPAPI mailing list.  To unsubscribe, please go to:
http://www.scottklement.com/mailman/listinfo/ftpapi
-----------------------------------------------------------------------

References:
- Server Name Indication?
  - From: ted_holt
- Re: Server Name Indication?
  - From: Scott Klement

Prev by Date: Re: Certifying Autority certificate
Next by Date: HTTPAPI - http_post_stmf - HTTP/1.1 415 Unsupported Media Type
Previous by thread: Re: Server Name Indication?
Next by thread: Re: Server Name Indication?
Index(es):
- Date
- Thread