Re: HTTP / GSKit client certificate
Hi Ted,
It's very unusual for someone to use a client certificate with HTTPAPI,
but they do work, I tested all of that a few years ago, and made sure it
worked properly.
However, I have not used a client certificate where I left the key
encrypted so that a passphrase is necessary to use it. Since I have
never done that, unfortunately, I do not have an answer for you.
When I did it, I removed the passphrase using the openssl command-line
tool, and installed the client certificate (and its private key) into
the *SYSTEM certificate store in the digital certificate manager. Then,
I created an application id in the DCM, and assigned the certificate to
it. Then, set HTTPAPI to use that application id by calling
https_init() prior to doing any SSL operations. This worked nicely for me.
I realize that this means anyone who has appropriate authority and
knowledge on your IBM i can also use this certificate and its key. This
wasn't a problem in my circumstance, since in the shop I worked at back
then, the only people with accounts were trusted employees, and the key
(which was used for accessing our bank) was not the only protection for
the account; after SSL was established, you still needed a password. So
we felt this was safe enough.
Of course, whether that's adequate for you is your call... but
unfortunately, I don't have any experience with keeping it encrypted and
providing the password. If that's required, you'll need to do your own
research to figure out what's needed. If you discover something that
works for you, I'd be glad to advise on how it may be added to HTTPAPI,
and to include it in future releases.
-SK
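The "remove the passphrase with the openssl command-line tool" step described above, as an added example that is not part of Scott's reply and not HTTPAPI's own code. It builds a throwaway self-signed certificate, wraps it in a passphrase-protected PKCS#12 file standing in for the .pfx an external company would issue, then extracts the certificate and the unencrypted key as PEM files (the form DCM imports) and checks that the key really has no passphrase and matches the certificate. All file names, the subject, the friendly name and the passphrase "test-pass" are constructed for the demo.

```shell
#!/bin/sh
# Added example: strip the passphrase from a PKCS#12 client certificate with
# openssl, on a self-generated test certificate so it runs offline.
set -e

# Scratch directory for the constructed files (assumption: mktemp is available).
WORK="${WORK:-$(mktemp -d)}"

# 1. Constructed stand-in for the .pfx handed out by the external company:
#    a fresh RSA key, a self-signed cert, packed with passphrase "test-pass".
make_test_pfx() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=httpapi-client-demo" \
        -keyout "$WORK/orig.key" -out "$WORK/orig.crt" >/dev/null 2>&1
    openssl pkcs12 -export -in "$WORK/orig.crt" -inkey "$WORK/orig.key" \
        -name "httpapi-client" -passout pass:test-pass -out "$WORK/client.pfx"
}

# 2. Extract the certificate, then the private key with the passphrase
#    removed (-nodes). These two PEM files are what get imported into DCM.
strip_passphrase() {
    openssl pkcs12 -in "$WORK/client.pfx" -passin pass:test-pass \
        -clcerts -nokeys -out "$WORK/client.crt"
    openssl pkcs12 -in "$WORK/client.pfx" -passin pass:test-pass \
        -nocerts -nodes -out "$WORK/client.key"
    # The key is now plaintext on disk: restrict it to the owner right away,
    # since anyone who can read this file can use the certificate.
    chmod 600 "$WORK/client.key"
}

# 3. Verify the result: the key must be an unencrypted PKCS#8 PEM and its
#    public key must match the certificate's (the pairing DCM needs).
verify_unencrypted_pair() {
    grep -q "BEGIN PRIVATE KEY" "$WORK/client.key" || return 1
    ! grep -q "ENCRYPTED" "$WORK/client.key" || return 1
    k=$(openssl pkey -in "$WORK/client.key" -pubout 2>/dev/null | openssl sha256)
    c=$(openssl x509 -in "$WORK/client.crt" -pubkey -noout | openssl sha256)
    [ "$k" = "$c" ]
}

make_test_pfx
strip_passphrase
verify_unencrypted_pair && echo "unencrypted key and certificate match: $WORK"
```

With a real .pfx you skip make_test_pfx, point strip_passphrase at the file you were given, and supply its passphrase; the verify step is worth keeping, because a key that does not match the certificate is one of the ways DCM import fails silently enough to produce "No certificate is available for SSL processing" later.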
On 12/6/2015 3:53 AM, Ted Juggler wrote:
Hi
First of all thanks Scott for your fantastic work!!!.
I have a question regarding client certificates. I know it's not a LIBHTTP
question but a GSKit one, but
it's hard for me to understand how to make it work :(
I need to connect to external company server with TLS. The server
requires a client certificate after a successful connection. In previous
posts I've found that I have to add it to the DCM however it requires
admin rights.
Since the certificate contains private keys, I don't want to store it in
any 'globally' available place.
I've found in the examples an API (https_init) where I can pass my own
certificate store. Cool.
Here is where my troubles start :(
I've been trying to pass the certificate as pkcs12 (pfx), mmm but how
to pass the password ??
( ok I can change COMMSSL4R and add some gski api to pass the password
- gsk_attribute_set_buffer with GSK_KEYRING_PW )
I tried to convert the pfx to kdb format with the gsk8capicmd_64 cmd, still
no joy.
Here is the outcome:
HTTPAPI Ver 1.29 released 2015-02-23
OS/400 Ver V7R1M0
New iconv() objects set, PostRem=819. PostLoc=0. ProtRem=819. ProtLoc=0
https_init(): entered
QSSLPCL = *OPSYS
SSL version 2 support disabled
SSL version 3 support disabled
Old interface to TLS version 1.0 support enabled
TLS version 1.0 support enabled
TLS version 1.1 support enabled
TLS version 1.2 support enabled
-------------------------------------------------------------------------------------
Dump of local-side certificate information:
-------------------------------------------------------------------------------------
http_persist_open(): entered
http_long_ParseURL(): entered
DNS resolver retrans: 2
DNS resolver retry : 2
DNS resolver options: x'00000136'
DNS default domain: xxxxxxx
DNS server found: yyyyyyy
DNS server found: zzzzz
Nagle's algorithm (TCP_NODELAY) disabled.
CONNECT xxxxxxxxxxxxxxxxx HTTP/1.1
Host: yyyyyyyyyyyyyyyyy HTTP/1.1
User-Agent: http-api/1.29
Proxy-Connection: keep-alive
recvresp(): entered
HTTP/1.1 200 Connection established
SetError() #13: HTTP/1.1 200 Connection established
recvresp(): end with 200
recvdoc parms: identity 0
header_load_cookies() entered
SNI hostname set to: xxxxxxxxxxxxxxxxxxxxxxxxxx
(GSKit) No certificate is available for SSL processing.
ssl_error(403): (GSKit) No certificate is available for SSL processing.
SetError() #30: SSL Handshake: (GSKit) No certificate is available for SSL processing.
-------------------------------------------------------------------------------------
Dump of server-side certificate information:
-------------------------------------------------------------------------------------
Cert Validation Code = 0
(GSKit) An operation which is not valid for the current SSL session state was attempted.
ssl_error(5): (GSKit) An operation which is not valid for the current SSL session state was attempted.
(GSKit) An operation which is not valid for the current SSL session state was attempted.
From the log I can see GSKit is unable to find any certificates?!?!?
Any tip ?
Regards
Ted
-----------------------------------------------------------------------
This is the FTPAPI mailing list. To unsubscribe, please go to:
http://www.scottklement.com/mailman/listinfo/ftpapi
-----------------------------------------------------------------------