Re: SNI
John,
There really isn't anything to "set up" for SNI. It just adds the
server name to the TLS handshake so that a server that supports multiple
domains knows which one you are trying to get the TLS/SSL certificate for.
Based on the fact that you say QSSLPCL won't let you configure TLS 1.1
or higher, I'd guess that you have an out-of-date GSKit and SSL engine
in the OS. The invalid attribute errors mean that HTTPAPI is sending
the attributes for SNI, but that GSKit does not recognize the SNI
options. This also points to an outdated GSKit, from before SNI was added.
I hope you understand that SNI is not normally needed for SSL/TLS. It
is a relatively new extension to SSL/TLS that is not widely used. I
hope you're not assuming that you need it just because you see it in the
HTTPAPI debug log? Because I'm logging that information for all SSL/TLS
requests, whether they need SNI or not.
Anyway, I would suggest that you install the latest PTFs for SSL/TLS
support to get the up-to-date SSL/TLS features.
The log you posted in the other thread shows the error as being no
compatible cipher suite. So that would not be related to SNI at all.
(Though, of course, once you fix that error, then it's possible the next
thing you'd get from the server would be a rejection due to SNI
missing? If you know SNI is required, which again would be unusual,
then it may very well be the next error once you fix your cipher suites.)
Anyway... install the latest PTFs, and verify that you aren't disabling
the cipher suites you need. More info here:
http://www.ibmsystemsmag.com/ibmi/administrator/networks/i72-ssl-enhancements/
Hope that helps.
On 3/11/2016 10:12 AM, John Long wrote:
Hi
I'm trying to use SNI in the HTTPAPI. I've debugged the code through
and I can see if a host name is passed it's trying to set attribute
GSK_SSL_EXTN_SERVERNAME_REQUEST (230).
When I do this I receive a 701 error, invalid attribute.
I'm guessing either something isn't set up correctly or I'm running an
old version of the GSKit.
I'm running V7R1 TR7
How do I check the version of the GSKit?
Are there any PTFs I need to apply?
Can anyone point me to a useful URL that explains what to check and how
to upgrade?
Thanks in advance
John
-----------------------------------------------------------------------
This is the FTPAPI mailing list. To unsubscribe, please go to:
http://www.scottklement.com/mailman/listinfo/ftpapi
-----------------------------------------------------------------------