Re: HTTP / GSKit client certificate

[Scott Klement <sk@xxxxxxxxxxxxxxxx>]

Hi Ted,

It's very unusual for someone to use a client certificate with HTTPAPI, 
but they do work, I tested all of that a few years ago, and made sure it 
worked properly.

However, I have not used a client certificate where I left the key 
encrypted so that a passphrase is necessary to use it. Since I have 
never done that, unfortunately, I do not have an answer for you.

When I did it, I removed the passphrase using the openssl command-line 
tool, and installed the client certificate (and it's private key) into 
the *SYSTEM certificate store in the digital certificate manager.  Then, 
I created an application id in the DCM, and assigned the certificate to 
it.  Then, set HTTPAPI to use that application id by calling 
https_init() prior to doing any SSL operations.  This worked nicely for me.

I realize that this means anyone who has appropriate authority and 
knowledge on your IBM i can also use this certificate and its key.  This 
wasn't a problem in my circumstance, since in the shop I worked at back 
then, the only people with accounts were trusted employees, and the key 
(which was used for accessing our bank) was not the only protection for 
the account, after SSL was established, you still needed a password.  So 
we felt this was safe enough.

Of course, whether that's adequate for you is your call...  but 
unfortunately, I don't have any experience with keeping it encrypted and 
providing the password.  If that's required, you'll need to do your own 
research to figure out what's needed.  If you discover something that 
works for you, I'd be glad to advise on how it may be added to HTTPAPI, 
and to include it in future releases.

-SK

On 12/6/2015 3:53 AM, Ted Juggler wrote:
>     Hi
>     First of all thanks Scott for your fantastic work!!!.
>     I have a question regarding client certificate, I know it's not LIBHTTP
>     question but GSKit but
>     it's hard for me to understand how to make it work :(
>     I need to connect to external company server with TLS. The server
>     requires client certificate after successfull connection. In previous
>     posts I've found that I have to add it to the DCM however it requires
>     admin rights.
>     Since the certificate contains private keys I don't want to store in
>     any 'global' available places.
>     I've found in the examples an API (https_init) where I can pass my own
>     certficate store. Cool.
>     Here is where my troubles starts  :(
>     I've been trying to pass the certificate as pkcs12 (pfx), mmm but how
>     to pass the password ??
>     ( ok I can change COMMSSL4R and add some gski api to pass the password
>     - gsk_attribute_set_buffer with GSK_KEYRING_PW )
>     I tried to convert the pfx to kdb format with gsk8capicmd_64 cmd still
>     no joy
>     Here is outcome
>     HTTPAPI Ver 1.29 released 2015-02-23
>     OS/400 Ver V7R1M0
>     New iconv() objects set, PostRem=819. PostLoc=0. ProtRem=819. ProtLoc=0
>     https_init(): entered
>     QSSLPCL = *OPSYS
>     SSL version 2 support disabled
>     SSL version 3 support disabled
>     Old interface to TLS version 1.0 support enabled
>     TLS version 1.0 support enabled
>     TLS version 1.1 support enabled
>     TLS version 1.2 support enabled
>     -----------------------------------------------------------------------
>     --------------
>     Dump of local-side certificate information:
>     -----------------------------------------------------------------------
>     --------------
>     http_persist_open(): entered
>     http_long_ParseURL(): entered
>     DNS resolver retrans: 2
>     DNS resolver retry  : 2
>     DNS resolver options: x'00000136'
>     DNS default domain: xxxxxxx
>     DNS server found: yyyyyyy
>     DNS server found: zzzzz
>     Nagle's algorithm (TCP_NODELAY) disabled.
>     CONNECT xxxxxxxxxxxxxxxxx HTTP/1.1
>     Host: yyyyyyyyyyyyyyyyy HTTP/1.1
>     User-Agent: http-api/1.29
>     Proxy-Connection: keep-alive
>     recvresp(): entered
>     HTTP/1.1 200 Connection established
>     SetError() #13: HTTP/1.1 200 Connection established
>     recvresp(): end with 200
>     recvdoc parms: identity 0
>     header_load_cookies() entered
>     SNI hostname set to: xxxxxxxxxxxxxxxxxxxxxxxxxx
>     (GSKit) No certificate is available for SSL processing.
>     ssl_error(403): (GSKit) No certificate is available for SSL processing.
>     SetError() #30: SSL Handshake: (GSKit) No certificate is available for
>     SSL processing.
>     -----------------------------------------------------------------------
>     --------------
>     Dump of server-side certificate information:
>     -----------------------------------------------------------------------
>     --------------
>     Cert Validation Code = 0
>     (GSKit) An operation which is not valid for the current SSL session
>     state was attempted.
>     ssl_error(5): (GSKit) An operation which is not valid for the current
>     SSL session state was attempted.
>     (GSKit) An operation which is not valid for the current SSL session
>     state was attempted.
>     From the log I can see GSKit is unable to find any certifiates?!?!?
>     Any tip ?
>      Regards
>       Ted

-----------------------------------------------------------------------
This is the FTPAPI mailing list.  To unsubscribe, please go to:
http://www.scottklement.com/mailman/listinfo/ftpapi
-----------------------------------------------------------------------