Re: Example23
Danny,

Server Name Indication (SNI) is not available on V5R4. Therefore, you
will get the "identifier not valid" messages. However, this is not a
fatal error, it will continue without SNI support, which is only used
rarely.

The problem you should be looking into, however, is the "Connection was
reset" errors. These indicate that you are connecting to another
computer, but it is disconnecting you by sending back the "reset" flag.
(A flag used under the covers to kill sessions that are deemed to be in
error.)

As for EXAMPLE23, it needs to be updated. It is an old example that
points to my former employer, and I doubt very much they still have my
SSL test program online. The purpose of EXAMPLE23 is to show you how to
do much stricter and more secure validity checking in SSL, and it seems
very ironic that you'd attempt to do that on V5R4, which doesn't support
current versions of SSL.

As your log notes, V5R4 only supports TLS 1.0 and older. TLS 1.1 and
1.2 are not available on that release. This is a problem because many
sites do not support TLS 1.0 any more since it is no longer deemed
secure. You will find that many sites cannot be used with SSL in V5R4
for this reason. So it seems ironic to me that you'd try to include
more security above and beyond the standard SSL checking.

It could be that simply updating to a system that supports TLS 1.1/1.2
would solve your problem? I don't know, I'm only guessing here. I
would suggest that you try this from a system with TLS 1.1/1.2 (to your
real server, not www.klements.com) and see if that solves the problem.
If it does, you'll know that you need to update the original one where
HTTPAPI is running to fix the problem. If you don't have access to a
newer system, let me know what the site is, and I'll try it myself.

-SK

On 2/15/2016 3:59 PM, Hayes, Daniel wrote:

Scott,

Trying to get our TLS (SSL) to function so I can do secured Web Service
calls.

I downloaded your new version and recompiled all, when I ran example23,
it did not work and I got the following in the Log file in IFS:

OS/400 Ver V5R4M0
New iconv() objects set, PostRem=819. PostLoc=0. ProtRem=819. ProtLoc=0
http_long_ParseURL(): entered
http_url_get(): entered
http_persist_open(): entered
http_long_ParseURL(): entered
DNS resolver retrans: 2
DNS resolver retry : 2
DNS resolver options: x'00000136'
DNS default domain: CCX.CARECENTRIX.COM
DNS server found: 10.230.102.37
DNS server found: 10.230.102.160
DNS server found: 10.230.200.36
https_init(): entered
QSSLPCL =
SSL version 2 support disabled
SSL version 3 support disabled
Old interface to TLS version 1.0 support enabled
Support for TLS 1.0 unavailable.
Support for TLS 1.1 unavailable.
Support for TLS 1.2 unavailable.
-------------------------------------------------------------------------------------
Dump of local-side certificate information:
-------------------------------------------------------------------------------------
Nagle's algorithm (TCP_NODELAY) disabled.
(GSKit) Identifier value is not valid.
ssl_error(701): (GSKit) Identifier value is not valid.
SNI hostname error: (GSKit) Identifier value is not valid.
NOTE: SNI errors are not usually fatal.
(GSKit) I/O: A connection with a remote socket was reset by that socket.
ssl_error(406): (GSKit) I/O: A connection with a remote socket was reset by that socket.
SetError() #30: SSL Handshake: (GSKit) I/O: A connection with a remote socket was reset by that

I am very new to this, but to me it appears I have multiple issues.
I am not sure which way to go.

TIA,
Daniel E. `Danny' Hayes
Senior JD Edwards Developer
813 901-2150 x133154
9119 Corporate Lake Drive | Tampa Florida 33634 | www.carecentrix.com
-----------------------------------------------------------------------
This is the FTPAPI mailing list. To unsubscribe, please go to:
http://www.scottklement.com/mailman/listinfo/ftpapi
-----------------------------------------------------------------------
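
An added example, not part of the original messages and not HTTPAPI code: a Python triage of the debug log quoted in this thread, separating the non-fatal SNI error from the reset that ends the handshake. The sample is constructed from the log lines above; the severity labels and verdict wording are assumptions of this example, following the reply's reading of the log.

```python
import re

# Constructed sample: lines from the debug log quoted above, wraps rejoined.
SAMPLE_LOG = """\
Old interface to TLS version 1.0 support enabled
Support for TLS 1.0 unavailable.
Support for TLS 1.1 unavailable.
Support for TLS 1.2 unavailable.
ssl_error(701): (GSKit) Identifier value is not valid.
SNI hostname error: (GSKit) Identifier value is not valid.
ssl_error(406): (GSKit) I/O: A connection with a remote socket was reset by that socket.
"""

ENABLED = re.compile(r"Old interface to TLS version (\d\.\d) support enabled")
UNAVAIL = re.compile(r"Support for TLS (\d\.\d) unavailable")
SSL_ERR = re.compile(r"ssl_error\((\d+)\): (.*)")

def triage(log):
    """Summarise TLS support and SSL errors found in an HTTPAPI debug log."""
    lines = log.splitlines()
    enabled, unavailable, errors = set(), set(), []
    for i, line in enumerate(lines):
        if m := ENABLED.search(line):
            enabled.add(m.group(1))
        elif m := UNAVAIL.search(line):
            unavailable.add(m.group(1))
        elif m := SSL_ERR.match(line):
            following = lines[i + 1] if i + 1 < len(lines) else ""
            # The log tags the SNI failure on the next line and carries on,
            # so it is informational; a reset by the peer ends the handshake.
            if following.startswith("SNI hostname error"):
                severity = "info"
            elif "reset" in m.group(2):
                severity = "fatal"
            else:
                severity = "unclassified"
            errors.append((severity, int(m.group(1)), m.group(2)))
    reset = any(sev == "fatal" for sev, _, _ in errors)
    if reset and {"1.1", "1.2"} <= unavailable:
        verdict = "peer reset; client has no TLS 1.1/1.2, retest from a newer release"
    elif reset:
        verdict = "peer reset; cause not visible in this log"
    else:
        verdict = "no fatal SSL error logged"
    return {"enabled": enabled, "unavailable": unavailable, "errors": errors, "verdict": verdict}

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

The verdict is a pointer for where to look next, not proof of the cause; the reply itself treats the protocol-version explanation as a guess to be confirmed from a system with TLS 1.1/1.2.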