
Re: [Ftpapi] [EXTERNAL] SOAP SSL



From the log file:

 

SSL version 2 support disabled
SSL version 3 support disabled
Old interface to TLS version 1.0 support enabled
Support for TLS 1.0 unavailable.
Support for TLS 1.1 unavailable.
Support for TLS 1.2 unavailable.

 

The only enabled protocol seems to be TLS 1.0, which is considered weak by today's standards. Many web servers do not allow the use of this old insecure protocol. It may be that your SoapUI makes use of a newer and more secure protocol like TLS1.1 or TLS1.2.

 

Unfortunately IBM i version 6.1 is not capable of using anything other than the insecure TLS1.0 protocol according to this paper:

https://www.ibm.com/support/pages/configuring-your-ibm-i-system-secure-sockets-layer-ssltransport-layer-security-tls-protocols-and-cipher-suites

 

If the web service owner has hardened its security in such a way that only newer TLS versions are allowed, you might not be able to access the web service from that old IBM i version, I’m afraid.

 

From: ftpapi-bounces@xxxxxxxxxxxxxxxxxxxxxx <ftpapi-bounces@xxxxxxxxxxxxxxxxxxxxxx> On behalf of max.ino@xxxxxxxxx
Sent: 13 February 2020 16:24
To: FTPAPI/HTTPAPI mailing list <ftpapi@xxxxxxxxxxxxxxxxxxxxxx>
Subject: Re: [Ftpapi] [EXTERNAL] SOAP SSL

 

I tried %addr(SOAP:*DATA) but it does not work.

In the log file there is: HTTP/1.1 400 Bad Request

But if I try with SoapUI it works.

Other tips?

 

On 12 February 2020 at 20:17, "Julius, Kaj" <Kaj.Julius@xxxxxx> wrote:

I wonder at the two bytes added to the address of SOAP. You are working on an IBM i 6.1 system and I believe a variable length field’s length can be either two bytes or four bytes starting from version 6.1.

The max length changed from 65535 to 16773104 characters. The number of bytes used for the length is determined by the defined max length.

 

You didn’t show how long the defined length of the SOAP variable is. Maybe it’s more than 65535?

 

If so you may inadvertently send rubbish from the two first bytes of the SOAP variable to the server by only adding two bytes to the address of the variable.

 

At any rate you should probably change %addr(SOAP) + 2 to %addr(SOAP:*DATA), which will automatically point to the start of the data.

 

Just an unlikely theory…

 

The more likely cause is the lack of TLS support that the debug file alludes to.

 

 

From: ftpapi-bounces@xxxxxxxxxxxxxxxxxxxxxx <ftpapi-bounces@xxxxxxxxxxxxxxxxxxxxxx> On behalf of max.ino@xxxxxxxxx
Sent: 12 February 2020 18:12
To: ftpapi@xxxxxxxxxxxxxxxxxxxxxx
Subject: [EXTERNAL] [Ftpapi] SOAP SSL

 

Hi, all

First of all I would like to thank Scott and all the members of the group for the help you give to "clumsy" people like me ..

:-)

I am asking you for help again.

URL: https://sinpolapp.regione.umbria.it/Pull.svc/ws

I want to use the LOGIN method to get a token.

A username and password are requested.

What am I doing wrong?

Is ssl_error(701) blocking?

This is my RPG:



http_debug(*ON);

http_XmlStripCRLF(*ON);

SOAP =
'<soap:Envelope +
xmlns:soap="http://www.w3.org/2003/05/soap-envelope" +
xmlns:tem="http://tempuri.org/">+
<soap:Header xmlns:soap="http://www.w3.org/2005/08/adressing">+
<wsa:Action>http://tempuri.org/PullService/Login</wsa:Action>+
</soap:Header>+
<soap:Body>+
<tem:Login>+
<tem:username>username</tem:username>+
<tem:password>pw</tem:password>+
</tem:Login>+
</soap:Body>+
</soap:Envelope>';

rc = http_url_post_xml(
'https://sinpolapp.regione.umbria.it/Pull.svc/ws'
: %addr(SOAP) + 2
: %len(SOAP)
: *NULL
: %paddr(Incoming)
: %addr(token)
: HTTP_TIMEOUT
: *omit
: 'application/soap+xml; charset=UTF-8; +
action="http://tempuri.org/PullService/Login"'
);
           

 

This is the debug file:

 

HTTPAPI Ver 1.40 released 2019-08-15
NTLM Ver 1.4.0 released 2014-12-22
OS/400 Ver V6R1M0

 

New iconv() objects set, PostRem=819. PostLoc=0. ProtRem=819. ProtLoc=0
http_persist_open(): entered
http_long_ParseURL(): entered
DNS resolver retrans: 2
DNS resolver retry : 2
DNS resolver options: x'00000136'
DNS default domain: xxxxxxxxx
DNS server found: 10.0.0.101
DNS server found: 10.0.0.102
https_init(): entered
QSSLPCL = *OPSYS
SSL version 2 support disabled
SSL version 3 support disabled
Old interface to TLS version 1.0 support enabled
Support for TLS 1.0 unavailable.
Support for TLS 1.1 unavailable.
Support for TLS 1.2 unavailable.
-------------------------------------------------------------------------------------
Dump of local-side certificate information:
-------------------------------------------------------------------------------------
Nagle's algorithm (TCP_NODELAY) disabled.
(GSKit) Il valore dell'identificatore non è valido.
ssl_error(701): (GSKit) Il valore dell'identificatore non è valido.
SNI hostname error: (GSKit) Il valore dell'identificatore non è valido.
NOTE: SNI errors are not usually fatal.
-------------------------------------------------------------------------------------
Dump of server-side certificate information:
-------------------------------------------------------------------------------------
Cert Validation Code = 6000
Serial Number: 03:79:81:A6:9B:35:1D:BD:4E:A6:4B:BC:86:12:83:14
Common Name: *.regione.umbria.it
Country: IT
State/Province: Perugia
Locality: Perugia
Org Unit: Regione Umbria
Issuer CN: DigiCert SHA2 High Assurance Server CA
Issuer Country: US
Issuer Org: DigiCert Inc
Issuer Org Unit: www.digicert.com
Version: 03
not before: 20190624020000
not after: 20200429140000
pub key alg: 1.2.840.113549.1.1.11

 

Protocol Used: TLS Version 1.0
http_persist_post(): entered
http_persist_req(POST) entered.
http_long_ParseURL(): entered
http_long_ParseURL(): entered
do_oper(POST): entered
There are 0 cookies in the cache
POST /Pull.svc/ws HTTP/1.1
Host: sinpolapp.regione.umbria.it
User-Agent: http-api/1.39
Content-Type: application/soap+xml; charset=UTF-8; action="http://tempuri.org/PullService/Login"
Content-Length: 382

 


senddoc(): entered
<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope" xmlns:tem="http://tempuri.org/"><soap:Header xmlns:soap="http://www.w3.org/2005/08/adressing"><wsa:Action>http://tempuri.org/PullService/Login</wsa:Action></soap:Header><soap:Body><tem:Login><tem:username>username</tem:username><tem:password>pw</tem:password></tem:Login></soap:Body></soap:Envelope>
recvresp(): entered
HTTP/1.1 400 Bad Request
Date: Wed, 12 Feb 2020 17:04:36 GMT
Server: Microsoft-IIS/10.0
Strict-Transport-Security: max-age=63072000; includeSubdomains;
Referrer-Policy: same-origin
Feature-Policy: notifications 'self';
Cache-Control: private
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Content-Length: 0
Content-Security-Policy:
Connection: close

 


SetError() £13: HTTP/1.1 400 Bad Request
recvresp(): end with 400
recvdoc parms: identity 0
header_load_cookies() entered
recvdoc(): entered
SetError() £0:
recvdoc(): Receiving 0 bytes.
recvdoc(): Nothing to receive, exiting...
SetError() £13: HTTP/1.1 400 Bad Request
http_close(): entered

 

 

--
_______________________________________________
Ftpapi mailing list
Ftpapi@xxxxxxxxxxxxxxxxxxxxxx
http://scottklement.com/mailman/listinfo/ftpapi
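
Added example (not part of the thread and not HTTPAPI code): a small Python audit of an HTTPAPI debug log that pulls out the TLS state discussed above and flags a weak negotiated protocol. The sample lines are copied from the debug file quoted in this thread; the function name and finding texts are assumptions of this example.

```python
import re
from datetime import datetime

# Constructed sample: lines taken from the debug file quoted in this thread.
SAMPLE_LOG = """\
OS/400 Ver V6R1M0
SSL version 2 support disabled
SSL version 3 support disabled
Old interface to TLS version 1.0 support enabled
Support for TLS 1.0 unavailable.
Support for TLS 1.1 unavailable.
Support for TLS 1.2 unavailable.
Cert Validation Code = 6000
not after: 20200429140000
Protocol Used: TLS Version 1.0
HTTP/1.1 400 Bad Request
"""

WEAK = {"SSL Version 2", "SSL Version 3", "TLS Version 1.0", "TLS Version 1.1"}

def audit_httpapi_log(text, now):
    """Return (facts, findings) about the TLS session recorded in a debug log."""
    facts = {"unavailable": [], "negotiated": None, "cert_not_after": None, "status": None}
    for line in text.splitlines():
        line = line.strip()
        if m := re.fullmatch(r"Support for (TLS \d\.\d) unavailable\.", line):
            facts["unavailable"].append(m.group(1))
        elif m := re.fullmatch(r"Protocol Used: (.+)", line):
            facts["negotiated"] = m.group(1)
        elif m := re.fullmatch(r"not after: (\d{14})", line):
            facts["cert_not_after"] = datetime.strptime(m.group(1), "%Y%m%d%H%M%S")
        elif m := re.match(r"HTTP/1\.[01] (\d{3}) ", line):  # status line only
            facts["status"] = int(m.group(1))
    findings = []
    if facts["negotiated"] in WEAK:
        findings.append(f"weak protocol negotiated: {facts['negotiated']}")
    if "TLS 1.2" in facts["unavailable"]:
        findings.append("TLS 1.2 reported unavailable on this client")
    if facts["cert_not_after"] and facts["cert_not_after"] < now:
        findings.append("server certificate expired")
    if facts["negotiated"] and facts["status"] is not None:
        findings.append(f"TLS session was established; HTTP {facts['status']} came back over it")
    return facts, findings
```
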
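
Added example (not part of the thread): a Python model of the varying-length field layout described above, comparing what `%addr(SOAP) + 2` and `%addr(SOAP:*DATA)` would hand to the HTTP layer for a 2-byte and a 4-byte length prefix. The payload is a constructed stand-in in ASCII, and the filler byte and function names are assumptions of this example.

```python
import struct

EBCDIC_BLANK = b"\x40"  # assumed filler for the unused tail of the field
ENVELOPE = b"<soap:Envelope>...</soap:Envelope>"  # constructed stand-in payload

def prefix_size(declared_max: int) -> int:
    """2-byte length prefix up to 65535 characters, 4-byte above that."""
    return 2 if declared_max <= 65535 else 4

def varying_storage(data: bytes, declared_max: int) -> bytes:
    """Model a VARYING field: big-endian current length, data, then filler."""
    fmt = ">H" if prefix_size(declared_max) == 2 else ">I"
    filler = EBCDIC_BLANK * (declared_max - len(data))
    return struct.pack(fmt, len(data)) + data + filler

def bytes_sent(storage: bytes, offset: int, length: int) -> bytes:
    """The bytes a (pointer, length) pair covers, starting at storage + offset."""
    return storage[offset:offset + length]

def compare(data: bytes, declared_max: int) -> dict:
    """Contrast the hard-coded +2 offset with the real start of the data."""
    p = prefix_size(declared_max)
    storage = varying_storage(data, declared_max)
    hardcoded = bytes_sent(storage, 2, len(data))   # %addr(SOAP) + 2
    data_addr = bytes_sent(storage, p, len(data))   # %addr(SOAP:*DATA)
    extra = p - 2  # prefix bytes that +2 fails to skip
    return {
        "hardcoded_ok": hardcoded == data,
        "data_addr_ok": data_addr == data,
        "leading_garbage": hardcoded[:extra],        # prefix bytes sent as payload
        "lost_tail": data[len(data) - extra:] if extra else b"",
    }
```

With a declared length above 65535, the hard-coded offset sends the low two bytes of the length prefix ahead of the XML and drops the last two bytes of the document, while the declared Content-Length stays the same.
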


 
