
Re: SNI



John,

There really isn't anything to "set up" for SNI. It just adds the server name to the TLS handshake so that a server that supports multiple domains knows which one you are trying to get the TLS/SSL certificate for.

Based on the fact that you say QSSLPCL won't let you configure TLS 1.1 or higher, I'd guess that you have an out of date GSKit and SSL engine in the OS. The invalid attribute errors mean that HTTPAPI is sending the attributes for SNI, but that GSKit does not recognize the SNI options. This also points to an outdated GSKit, from before SNI was added.

I hope you understand that SNI is not normally needed for SSL/TLS. It is a relatively new extension to SSL/TLS that is not widely used. I hope you're not assuming that you need it just because you see it in the HTTPAPI debug log? Because I'm logging that information for all SSL/TLS requests, whether they need SNI or not.

Anyway, I would suggest that you install the latest PTFs for SSL/TLS support to get the up-to-date SSL/TLS features.

The log you posted in the other thread shows the error as being no compatible cipher suite. So that would not be related to SNI at all. (Though, of course, once you fix that error, then it's possible the next thing you'd get from the server would be a rejection due to SNI missing? If you know SNI is required, which again would be unusual, then it may very well be the next error once you fix your cipher suites.)

Anyway... install the latest PTFs, and verify that you aren't disabling the cipher suites you need. More info here:
http://www.ibmsystemsmag.com/ibmi/administrator/networks/i72-ssl-enhancements/

Hope that helps

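To make concrete what the reply above says about SNI and about the "no compatible cipher suite" error, here is an added example (not HTTPAPI, GSKit or any other code from this thread). It builds a minimal TLS 1.2 ClientHello record, parses it back to show where the RFC 6066 server_name extension (type 0) carries the host name in cleartext, and then performs the server-side cipher suite selection that fails when the client offers nothing the server accepts. The cipher suite identifiers are real IANA values; the server's "supported" list passed to select_cipher_suite, and the function names, are assumptions made for the illustration.

```python
"""Build and parse a minimal TLS 1.2 ClientHello to show where SNI travels
and how a 'no compatible cipher suite' failure arises.

Added example, not HTTPAPI or GSKit code. Cipher suite IDs are IANA values;
any server 'supported' list handed to select_cipher_suite is an assumption.
"""
import os
import struct

# IANA cipher suite identifiers (real values)
TLS_RSA_WITH_RC4_128_SHA = 0x0005
TLS_RSA_WITH_3DES_EDE_CBC_SHA = 0x000A
TLS_RSA_WITH_AES_128_CBC_SHA = 0x002F
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 = 0xC02F

EXT_SERVER_NAME = 0x0000        # RFC 6066 server_name extension type
HANDSHAKE_CLIENT_HELLO = 0x01
CONTENT_HANDSHAKE = 0x16


def build_client_hello(cipher_suites, sni=None, version=(3, 3)):
    """Return the bytes of one TLS record carrying a ClientHello.

    version (3, 3) is TLS 1.2. When sni is given, a server_name extension is
    appended; the host name goes on the wire unencrypted, which is why a
    multi-host server can pick the right certificate before any key exchange.
    """
    body = bytes(version)
    body += os.urandom(32)                               # client random
    body += b"\x00"                                      # empty session id
    body += struct.pack("!H", 2 * len(cipher_suites))
    body += b"".join(struct.pack("!H", cs) for cs in cipher_suites)
    body += b"\x01\x00"                                  # compression: null only

    extensions = b""
    if sni is not None:
        host = sni.encode("idna")
        entry = b"\x00" + struct.pack("!H", len(host)) + host   # type host_name (0)
        sn_list = struct.pack("!H", len(entry)) + entry         # ServerNameList
        extensions += struct.pack("!HH", EXT_SERVER_NAME, len(sn_list)) + sn_list
    if extensions:
        body += struct.pack("!H", len(extensions)) + extensions

    handshake = bytes([HANDSHAKE_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    record = bytes([CONTENT_HANDSHAKE]) + bytes(version) + struct.pack("!H", len(handshake))
    return record + handshake


def parse_client_hello(record):
    """Return (sni, cipher_suites) from a ClientHello record.

    sni is None when no server_name extension is present, which is what a
    client stack that does not know the extension would send.
    """
    if record[0] != CONTENT_HANDSHAKE:
        raise ValueError("not a handshake record")
    hs = record[5:]                                      # skip 5-byte record header
    if hs[0] != HANDSHAKE_CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    pos = 2 + 32                                         # skip version and random
    sid_len = body[pos]
    pos += 1 + sid_len
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    comp_len = body[pos]
    pos += 1 + comp_len
    sni = None
    if pos < len(body):                                  # extensions block present
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            data = body[pos:pos + elen]
            pos += elen
            if etype == EXT_SERVER_NAME:
                # data = 2-byte list length, 1-byte name type, 2-byte name length, name
                name_len = struct.unpack("!H", data[3:5])[0]
                sni = data[5:5 + name_len].decode("idna")
    return sni, suites


def select_cipher_suite(offered, server_supported):
    """Server-side choice: the first of the server's preferences that the
    client offered, or None, which is the 'no compatible cipher suite' alert."""
    for cs in server_supported:
        if cs in offered:
            return cs
    return None
```

Parsing the ClientHello this way is also how a packet capture tells you whether a client actually sent SNI: if parse_client_hello returns None for the name, the extension never left the client, regardless of what a debug log claims it tried to set. The cipher suite check comes first in the handshake; a server that finds no common suite aborts before it would ever complain about a missing server name.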

On 3/11/2016 10:12 AM, John Long wrote:
    Hi

    I'm trying to use SNI in the HTTPAPI. I've debugged the code through
    and I can see if a host name is passed it's trying to set attribute
    GSK_SSL_EXTN_SERVERNAME_REQUEST (230).

    When I do this I receive a 701 error, invalid attribute.

    I'm guessing either something isn't set up correctly or I'm running an
    old version of the GSKit.

    I'm running V7R1 TR7.

    How do I check the version of the GSKit?

    Are there any PTFs I need to apply?

    Can anyone point me to a useful URL that explains what to check and how
    to upgrade?

    Thanks in advance

    John



-----------------------------------------------------------------------
This is the FTPAPI mailing list.  To unsubscribe, please go to:
http://www.scottklement.com/mailman/listinfo/ftpapi
-----------------------------------------------------------------------