Re: Server Name Indication?
I have learned a good bit about Server Name Indication (SNI), but not
as much as I need to know.
To make HTTPAPI work with SNI, I patched procedure https_init in module
COMMSSLR4. I hard-coded a call to gsk_attribute_set_buffer.
     eval rc = gsk_attribute_set_buffer(
                 wkEnvh:
                 231:
                 ServerName:
                 19)
     if rc <> GSK_OK
        callp SetError(HTTP_GSKKEYF:
                       'SNI error: ' +
                       ssl_error(rc))
        callp https_cleanup
        return -1
     endif
I used the value 231 in the second parm. Constant
GSK_SSL_EXTN_SERVERNAME_CRITICAL_REQUEST would need to be defined in
GSKSSL_H.
It is possible that 230 would also work. If so, then constant
GSK_SSL_EXTN_SERVERNAME_REQUEST would also need to be added to
GSKSSL_H.
There was an error in one of IBM's programs that prevented me from
connecting successfully to the web service. IBM fixed the program with
PTF MF57749. TR7 is a prerequisite.
As I understand it, SNI is relatively new and growing. People like the
idea of getting by with fewer IP addresses. If so, the need to support
SNI isn't going to go away. I don't know what the permanent solution
is. Maybe https_init needs an optional fifth parameter for the host
name. If this parm is not blank, then https_init calls
gsk_attribute_set_buffer. But then I wonder if it should use 230 or
231.
I am told that modern browsers support SNI, but I can't find any
information on how they do so. Do they automatically send the
attribute for SNI? Do they try to connect without SNI, and if that
doesn't work, retry with the SNI attribute? I'd love to know. It seems
to me that whatever they do, HTTPAPI needs to do the same.
On Fri, Dec 13, 2013 at 5:52 PM, Mike Krebs <[1]mkrebs@xxxxxxxxxxxxxxxxxx> wrote:
At least in 7.1, it appears to be in GSKIT
[2]http://pic.dhe.ibm.com/infocenter/iseries/v7r1m0/index.jsp?topic=%2Fapis%2Fgsk_attribute_set_buffer.htm
GSK_SSL_EXTN_SERVERNAME_REQUEST (230)
GSK_SSL_EXTN_SERVERNAME_CRITICAL_REQUEST (231)
GSK_SSL_EXTN_SERVERNAME_LIST (232)
GSK_SSL_EXTN_SERVERNAME_CRITICAL_LIST (233)
-----Original Message-----
From: [3]ftpapi-bounces@xxxxxxxxxxxxxxxxxxxxxx [mailto:[4]ftpapi-bounces@xxxxxxxxxxxxxxxxxxxxxx] On Behalf Of Scott Klement
Sent: Friday, December 13, 2013 3:18 PM
To: HTTPAPI and FTPAPI Projects
Subject: Re: Server Name Indication?
Hi Ted,
HTTPAPI does not have its own code for SSL. It merely calls the GSKit
APIs for SSL that IBM provides with the operating system.
Server Name Indication (SNI) is a feature of SSL, not a feature of HTTP,
so there's no way I can implement this. IBM would have to do it.
-SK
On 12/13/2013 9:23 AM, [5]ted_holt@xxxxxxxxxxxxxxxx wrote:
> Does HTTPAPI support Server Name Indication? I am having trouble
> communicating with a Web service, and this is what they have found out
> from our trouble-shooting.
>
> The issue is something called "SNI" or "Server Name Indication". We
> have several API websites running off the same IP, each with its own
> certificate. SNI forces the client to tell them what host they are
> looking for so it knows which certificate to dish up. SNI is built in
> to all modern day browsers and that's why we don't have any problems
> from RestClient or any other testing facilities. If I'm correct, I don't
> think the utility you are using is implementing SNI and when it
> contacts our server the server doesn't know what it's looking for.
>
> You were able to make a call to the api through SSL during our test
> yesterday because I disabled SNI, and just set one certificate for the
> IP, but that renders all the other sites dead. SNI is a fairly common
> thing, so the software you are using should have the ability to
> implement it somewhere in there.
> Ted Holt
> Sr. Systems Analyst
> The Taylor Group of Companies
> 650 N. Church Avenue
> Louisville, MS 39339
> Phone: [6](662) 773-9186
> NOTICE:
> This message (with any attachments) is confidential and may constitute
> a privileged communication. If you have received this message in error,
> please notify me immediately by telephone [7](662-773-3421) or by
> electronic mail. Do not use or disclose this message in any way.
> Thank you
>
> -----------------------------------------------------------------------
> This is the FTPAPI mailing list. To unsubscribe, please go to:
> [8]http://www.scottklement.com/mailman/listinfo/ftpapi
> -----------------------------------------------------------------------
--
------------------------------------------------------
Ted Holt
Senior Technical Editor, Four Hundred Guru
References
1. mailto:mkrebs@xxxxxxxxxxxxxxxxxx
2. http://pic.dhe.ibm.com/infocenter/iseries/v7r1m0/index.jsp?topic=%2Fapis%2Fgsk_attribute_set_buffer.htm
3. mailto:ftpapi-bounces@xxxxxxxxxxxxxxxxxxxxxx
4. mailto:ftpapi-bounces@xxxxxxxxxxxxxxxxxxxxxx
5. mailto:ted_holt@xxxxxxxxxxxxxxxx
6. tel:%28662%29%20773-9186
7. tel:%28662-773-3421
8. http://www.scottklement.com/mailman/listinfo/ftpapi
9. http://www.scottklement.com/mailman/listinfo/ftpapi
10. http://www.itjungle.com/
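To make concrete what the gsk_attribute_set_buffer call in the message above ends up putting on the wire, and to address the question of how browsers handle SNI (they include the host name in every ClientHello as the TLS server_name extension of RFC 6066, with no connect-then-retry), here is an added example in Python. It is not part of HTTPAPI or of IBM's GSKit. It builds a minimal TLS 1.2 ClientHello with and without the extension and parses the host name back out of a ClientHello record, which is also what one does when checking a packet capture to see whether a client sent SNI at all. The host name api.example.com is a constructed value, and the single cipher suite is there only to make the record well-formed.

```python
"""Build and parse the TLS server_name (SNI) extension, RFC 6066 section 3.

Added example, not part of HTTPAPI or IBM GSKit. Once SNI is enabled in the
client, the ClientHello carries an extension of type 0 whose body is a list
of (name_type, length, name) entries; browsers send it on every handshake.
"""
import ipaddress
import struct
from typing import Optional

SNI_EXT_TYPE = 0          # ExtensionType server_name
SNI_NAME_TYPE_HOST = 0    # NameType host_name (the only type defined)


def build_sni_extension(hostname: str) -> bytes:
    """Encode one host_name entry with its extension header (type + length)."""
    try:
        ipaddress.ip_address(hostname)
    except ValueError:
        pass
    else:
        # RFC 6066 forbids literal IPv4/IPv6 addresses in host_name; browsers
        # omit the extension entirely when the URL host is an IP address.
        raise ValueError("SNI host_name must be a DNS name, not an IP literal")
    name = hostname.encode("ascii")
    entry = struct.pack("!BH", SNI_NAME_TYPE_HOST, len(name)) + name
    server_name_list = struct.pack("!H", len(entry)) + entry
    return struct.pack("!HH", SNI_EXT_TYPE, len(server_name_list)) + server_name_list


def build_client_hello(hostname: Optional[str], client_random: bytes = bytes(32)) -> bytes:
    """Minimal TLS 1.2 ClientHello record; hostname=None sends no SNI at all."""
    cipher_suites = struct.pack("!HH", 2, 0xC02F)  # one suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    compression = b"\x01\x00"                       # one method: null
    extensions = b"" if hostname is None else build_sni_extension(hostname)
    body = (b"\x03\x03" + client_random + b"\x00"   # client_version, random, empty session_id
            + cipher_suites + compression
            + struct.pack("!H", len(extensions)) + extensions)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # record header


def parse_sni(record: bytes) -> Optional[str]:
    """Return the host_name from a ClientHello record, or None if no SNI was sent."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if not hs or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    p = 4 + 2 + 32                                   # skip handshake header, version, random
    p += 1 + hs[p]                                   # session_id
    p += 2 + struct.unpack("!H", hs[p:p + 2])[0]     # cipher_suites
    p += 1 + hs[p]                                   # compression_methods
    if p >= len(hs):
        return None                                  # hello without any extensions block
    ext_len = struct.unpack("!H", hs[p:p + 2])[0]
    p += 2
    end = p + ext_len
    while p + 4 <= end:
        ext_type, length = struct.unpack("!HH", hs[p:p + 4])
        p += 4
        data = hs[p:p + length]
        p += length
        if ext_type != SNI_EXT_TYPE:
            continue
        q = 2                                        # skip ServerNameList length
        while q + 3 <= len(data):
            name_type, name_len = struct.unpack("!BH", data[q:q + 3])
            q += 3
            if name_type == SNI_NAME_TYPE_HOST:
                return data[q:q + name_len].decode("ascii")
            q += name_len
    return None


if __name__ == "__main__":
    # Constructed host name; compare the two hellos to see the extra bytes SNI adds.
    with_sni = build_client_hello("api.example.com")
    without_sni = build_client_hello(None)
    print("SNI in hello:", parse_sni(with_sni))
    print("SNI in hello without extension:", parse_sni(without_sni))
    print("extra bytes on the wire:", len(with_sni) - len(without_sni))
```

A server hosting several certificates on one IP selects its certificate from this host_name before sending its own hello, so a client that omits the extension (the hello built with hostname=None) gets whichever certificate is the server's default, or a failed handshake, which is exactly the symptom described in the thread.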