
Re: SNI



Thanks for the help Scott I appreciate you taking the time to have a look.

I've used DCM to create a certificate on the iSeries, enabled TLS usage and assigned it to an application. When I call https_init I'm passing the application name in as the first parm. This gives me a certificate dump in the log, which suggests I'm heading in the right direction.

I then get the 701 error, suggesting to me that the GSKit is out of date as the attribute is unknown, and then the "no ciphers" message.

I do need to use SNI, which is adding a further complication for me.

I'll have a look at the link you supplied as soon as I'm back in work on Monday.

Again, thanks for the help, your website has been an invaluable source of info.

John.


Sent from my iPhone

> On 12 Mar 2016, at 07:48, Scott Klement <sk@xxxxxxxxxxxxxxxx> wrote:
>
> There really isn't anything to "set up" for SNI.  It just adds the server name to the TLS handshake so that a server that supports multiple domains knows which one you are trying to get the TLS/SSL certificate for.
>
> Based on the fact that you say QSSLPCL won't let you configure TLS 1.1 or higher, I'd guess that you have an out of date GSKit and SSL engine in the OS.  The invalid attribute errors mean that HTTPAPI is sending the attributes for SNI, but that GSKit does not recognize the SNI options.  This also points to an outdated GSKit, from before SNI was added.
>
> I hope you understand that SNI is not normally needed for SSL/TLS.  It is a relatively new extension to SSL/TLS that is not widely used.  I hope you're not assuming that you need it just because you see it in the HTTPAPI debug log?  Because I'm logging that information for all SSL/TLS requests, whether they need SNI or not.
>
> Anyway, I would suggest that you install the latest PTFs for SSL/TLS support to get the up-to-date SSL/TLS features.
>
> The log you posted in the other thread shows the error as being no compatible cipher suite.  So that would not be related to SNI at all. (Though, of course, once you fix that error, then it's possible the next thing you'd get from the server would be a rejection due to SNI missing?  If you know SNI is required, which again would be unusual, then it may very well be the next error once you fix your cipher suites.)
>
> Anyway... install the latest PTFs, and verify that you aren't disabling the cipher suites you need.  More info here:
> http://www.ibmsystemsmag.com/ibmi/administrator/networks/i72-ssl-enhancements/
>
> Hope that helps
>
>
>> On 3/11/2016 10:12 AM, John Long wrote:
>> Hi
>>
>> I'm trying to use SNI in the HTTPAPI. I've debugged the code through
>> and I can see if a host name is passed it's trying to set attribute
>> GSK_SSL_EXTN_SERVERNAME_REQUEST (230).
>>
>> When I do this I receive a 701 error, invalid attribute.
>>
>> I'm guessing either something isn't set up correctly or I'm running an
>> old version of the GSKit.
>>
>> I'm running V7R1 TR7.
>>
>> How do I check the version of the GSKit?
>>
>> Are there any PTFs I need to apply?
>>
>> Can anyone point me to a useful URL that explains what to check and how
>> to upgrade?
>>
>> Thanks in advance
>>
>> John
>
> -----------------------------------------------------------------------
> This is the FTPAPI mailing list.  To unsubscribe, please go to:
> http://www.scottklement.com/mailman/listinfo/ftpapi
> -----------------------------------------------------------------------
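Scott's two points in the thread (SNI is nothing more than the server name carried in the TLS handshake, and "no compatible cipher suite" is a separate negotiation failure that SNI cannot cause or cure) can be seen directly in the ClientHello bytes. The Python below is an added example written for this page; it is not HTTPAPI, GSKit or IBM i code and it never touches the network. It builds a minimal TLS 1.2 ClientHello with and without the RFC 6066 server_name extension, parses it back, and mimics the server's cipher-suite choice. The cipher-suite numbers are the real IANA values; the host name, the suite lists and the all-zero client random are constructed inputs chosen for the demonstration.

```python
"""Minimal TLS 1.2 ClientHello builder/parser showing what SNI adds (example code, not HTTPAPI/GSKit)."""
import struct

# Real IANA cipher suite identifiers, used only as sample lists below.
CIPHER_NAMES = {
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    0x009C: "TLS_RSA_WITH_AES_128_GCM_SHA256",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
}
EXT_SERVER_NAME = 0  # RFC 6066 extension type for server_name (SNI)


def build_client_hello(cipher_suites, server_name=None, client_random=bytes(32)):
    """Return a TLS record containing a ClientHello.

    If server_name is given, one server_name extension is appended; nothing
    else changes.  That is the whole of "SNI support" on the wire.
    client_random is all zeros here purely so the output is deterministic."""
    body = b"\x03\x03" + client_random                    # client_version TLS 1.2 + random
    body += b"\x00"                                       # empty session_id
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body += struct.pack("!H", len(suites)) + suites       # cipher_suites<2..2^16-2>
    body += b"\x01\x00"                                   # compression_methods: null only
    extensions = b""
    if server_name is not None:
        host = server_name.encode("ascii")
        sni_list = b"\x00" + struct.pack("!H", len(host)) + host   # name_type host_name(0)
        sni_data = struct.pack("!H", len(sni_list)) + sni_list     # ServerNameList
        extensions += struct.pack("!HH", EXT_SERVER_NAME, len(sni_data)) + sni_data
    if extensions:                                        # extensions block is optional in TLS 1.2
        body += struct.pack("!H", len(extensions)) + extensions
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body      # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record):
    """Parse the record back into (offered cipher suites, SNI host name or None)."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    (rec_len,) = struct.unpack("!H", record[3:5])
    hs = record[5:5 + rec_len]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                          # skip version + random
    pos += 1 + body[pos]                                  # skip session_id
    (suites_len,) = struct.unpack("!H", body[pos:pos + 2]); pos += 2
    suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + suites_len, 2)]
    pos += suites_len
    pos += 1 + body[pos]                                  # skip compression_methods
    server_name = None
    if pos < len(body):                                   # extensions present
        (ext_len,) = struct.unpack("!H", body[pos:pos + 2]); pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            ext_type, data_len = struct.unpack("!HH", body[pos:pos + 4]); pos += 4
            data = body[pos:pos + data_len]; pos += data_len
            if ext_type == EXT_SERVER_NAME and data_len:
                (list_len,) = struct.unpack("!H", data[:2])
                q = 2
                while q + 3 <= 2 + list_len:
                    name_type = data[q]
                    (name_len,) = struct.unpack("!H", data[q + 1:q + 3]); q += 3
                    if name_type == 0:
                        server_name = data[q:q + name_len].decode("ascii")
                    q += name_len
    return suites, server_name


def server_select_suite(client_suites, server_suites):
    """Mimic the server's choice: first server-preferred suite the client also offers.

    None means the handshake fails with "no compatible cipher suite", which
    happens before any certificate is chosen and regardless of SNI."""
    offered = set(client_suites)
    for s in server_suites:
        if s in offered:
            return s
    return None


if __name__ == "__main__":
    # Constructed lists: a client that only offers two old RSA suites versus a
    # server configured for ECDHE/GCM only -> no overlap, SNI or not.
    old_client = [0x002F, 0x000A]
    modern_server = [0xC030, 0xC02F, 0x009C]
    for name in (None, "example.com"):
        hello = build_client_hello(old_client, name)
        suites, sni = parse_client_hello(hello)
        chosen = server_select_suite(suites, modern_server)
        print(f"SNI={sni!r:>14} record={len(hello)} bytes "
              f"-> {'no compatible cipher suite' if chosen is None else CIPHER_NAMES[chosen]}")
```

Running the script prints two lines that differ only in the SNI field and the record length; the cipher failure is identical in both. On a live system the same comparison is easy to make with `openssl s_client -connect host:443` with and without `-servername host`: if only the first handshake completes, the server really does require SNI, which is the unusual case Scott describes.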