HTTP / GSKit client certificate
Hi
First of all, thanks Scott for your fantastic work!!!
I have a question regarding client certificates. I know it's not a LIBHTTP
question but a GSKit one, but
it's hard for me to understand how to make it work :(
I need to connect to an external company server with TLS. The server
requires a client certificate after a successful connection. In previous
posts I've found that I have to add it to the DCM, however it requires
admin rights.
Since the certificate contains private keys I don't want to store it in
any 'global' available places.
I've found in the examples an API (https_init) where I can pass my own
certificate store. Cool.
Here is where my troubles start :(
I've been trying to pass the certificate as pkcs12 (pfx), mmm but how
to pass the password ??
( ok I can change COMMSSL4R and add some gski api to pass the password
- gsk_attribute_set_buffer with GSK_KEYRING_PW )
I tried to convert the pfx to kdb format with the gsk8capicmd_64 cmd, still
no joy.
Here is the outcome:
HTTPAPI Ver 1.29 released 2015-02-23
OS/400 Ver V7R1M0
New iconv() objects set, PostRem=819. PostLoc=0. ProtRem=819. ProtLoc=0
https_init(): entered
QSSLPCL = *OPSYS
SSL version 2 support disabled
SSL version 3 support disabled
Old interface to TLS version 1.0 support enabled
TLS version 1.0 support enabled
TLS version 1.1 support enabled
TLS version 1.2 support enabled
-----------------------------------------------------------------------
--------------
Dump of local-side certificate information:
-----------------------------------------------------------------------
--------------
http_persist_open(): entered
http_long_ParseURL(): entered
DNS resolver retrans: 2
DNS resolver retry : 2
DNS resolver options: x'00000136'
DNS default domain: xxxxxxx
DNS server found: yyyyyyy
DNS server found: zzzzz
Nagle's algorithm (TCP_NODELAY) disabled.
CONNECT xxxxxxxxxxxxxxxxx HTTP/1.1
Host: yyyyyyyyyyyyyyyyy HTTP/1.1
User-Agent: http-api/1.29
Proxy-Connection: keep-alive
recvresp(): entered
HTTP/1.1 200 Connection established
SetError() #13: HTTP/1.1 200 Connection established
recvresp(): end with 200
recvdoc parms: identity 0
header_load_cookies() entered
SNI hostname set to: xxxxxxxxxxxxxxxxxxxxxxxxxx
(GSKit) No certificate is available for SSL processing.
ssl_error(403): (GSKit) No certificate is available for SSL processing.
SetError() #30: SSL Handshake: (GSKit) No certificate is available for
SSL processing.
-----------------------------------------------------------------------
--------------
Dump of server-side certificate information:
-----------------------------------------------------------------------
--------------
Cert Validation Code = 0
(GSKit) An operation which is not valid for the current SSL session
state was attempted.
ssl_error(5): (GSKit) An operation which is not valid for the current
SSL session state was attempted.
(GSKit) An operation which is not valid for the current SSL session
state was attempted.
From the log I can see GSKit is unable to find any certificates?!?!?
Any tips?
Regards
Ted
-----------------------------------------------------------------------
This is the FTPAPI mailing list. To unsubscribe, please go to:
http://www.scottklement.com/mailman/listinfo/ftpapi
-----------------------------------------------------------------------