
Re: [Ftpapi] Using HTTPAPI getting the error below



Hi Michael,

The error message you're receiving is GSK_ERROR_BAD_PEER and is returned by the Global Secure Toolkit (GSKit) function of the IBM i operating system.   You can learn a bit more about it, here:

https://www.ibm.com/support/knowledgecenter/ssw_ibm_i_74/apis/gsk_secure_soc_init.htm

In my experience this can occur for two reasons (but I'm not claiming to know everything!)

1) The system you're communicating with is using an SSL/TLS version that is not understood by the IBM i, or a cipher that's not understood by the IBM i, or some other cryptographic detail like that.

This seems extremely likely to me given that you're running HTTPAPI 1.24 (from 2012) on V7R1 (an obsolete version of the OS that hasn't had SSL/TLS updates in many years.)

This would also explain why it's inconsistent.  Some of the servers you communicate with might support old versions of SSL, but some may have disabled them for security reasons.  (Most of the old ones are no longer considered secure.)

If you update HTTPAPI to the current version and your IBM i PTFs are up-to-date, you'll have a few more options for cryptographic support that may help.   But, there is still much, much better support in the newer releases of IBM i, so if you upgrade HTTPAPI to the current version and IBM i to the current version and latest PTFs, you'll have the best chance of this working consistently.

2) I also see this when the connection is made to a non-SSL/TLS server, or the data is somehow being corrupted on the network.   In my experience, though, data is ALMOST never corrupted on the network.  And connecting to a non-SSL port would be completely consistent, it'd do the same thing every time.  So this seems much less likely than #1, above.

-SK


On 6/17/2020 11:04 AM, Michael Mayer-Oakes wrote:

The interesting thing is that I can run the same process with the same data and sometimes I won’t get this error. It is like the firewall is causing this error or some other part of network carrying the data. Anyone got any ideas?

 

Thanks!!

____________________________________________

HTTPAPI Ver 1.24 released 2012-01-23
OS/400 Ver V7R1M0

http_persist_open(): entered
http_long_ParseURL(): entered
DNS resolver retrans: 2
DNS resolver retry  : 2
DNS resolver options: x'00000136'
DNS default domain: XXXXXX
DNS server found: 10.x.x.x
DNS server found: 10.x.x.x
(GSKit) Peer not recognized or badly formatted message received.
ssl_error(415): (GSKit) Peer not recognized or badly formatted message received.
SetError() #30: SSL Handshake: (GSKit) Peer not recognized or badly formatted message received.
-------------------------------------------------------------------------------------
Dump of server-side certificate information:
-------------------------------------------------------------------------------------
Cert Validation Code = 0
Cert Validation Code = 0
(GSKit) An operation which is not valid for the current SSL session state was attempted.
ssl_error(5): (GSKit) An operation which is not valid for the current SSL session state was attempted.
(GSKit) An operation which is not valid for the current SSL session state was attempted.

-- 
_______________________________________________
Ftpapi mailing list
Ftpapi@xxxxxxxxxxxxxxxxxxxxxx
http://scottklement.com/mailman/listinfo/ftpapi
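
Added example, not part of the original post and not HTTPAPI or GSKit code: to tell the two causes described in the reply apart, this classifies the first bytes a server sends back after a ClientHello (for instance from a packet capture) as a TLS alert, a ServerHello, or plaintext from a non-TLS service. The function name classify_first_bytes and the sample byte strings are constructed for illustration.

```python
import struct

# Record-layer versions and alert codes from the TLS RFCs (RFC 5246 and earlier).
VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}
ALERTS = {40: "handshake_failure", 47: "illegal_parameter",
          70: "protocol_version", 71: "insufficient_security"}


def classify_first_bytes(data: bytes) -> str:
    """Hypothetical helper: describe what a server returned after the ClientHello."""
    if not data:
        return "no data: connection closed during the handshake"
    if len(data) >= 5:
        ctype, version, length = struct.unpack("!BHH", data[:5])
        if ctype in (21, 22) and version in VERSIONS:
            body = data[5:5 + length]
            if ctype == 21 and len(body) >= 2:  # alert record: level, description
                level = "fatal" if body[0] == 2 else "warning"
                name = ALERTS.get(body[1], f"alert {body[1]}")
                return f"TLS alert: {level} {name} (record version {VERSIONS[version]})"
            if ctype == 22 and len(body) >= 6 and body[0] == 2:
                # ServerHello: msg type (1), length (3), version (2).
                # A TLS 1.3 server also puts 0x0303 here and signals 1.3 in an extension.
                (chosen,) = struct.unpack("!H", body[4:6])
                return f"ServerHello: version field {VERSIONS.get(chosen, hex(chosen))}"
            return f"TLS record type {ctype} (record version {VERSIONS[version]})"
    # Printable ASCII at the start means the port is not speaking TLS at all.
    if all(32 <= b < 127 or b in (9, 10, 13) for b in data[:16]):
        first_line = data.split(b"\r\n")[0].decode("ascii", "replace")
        return f"plaintext, not TLS: {first_line!r}"
    return "binary data that is not a TLS record"


# Constructed sample inputs (not taken from the log in the post).
SAMPLES = {
    "old protocol refused": bytes([21, 3, 1, 0, 2, 2, 70]),
    "no shared cipher": bytes([21, 3, 3, 0, 2, 2, 40]),
    "non-TLS port": b"HTTP/1.1 400 Bad Request\r\n\r\n",
    "handshake proceeding": bytes([22, 3, 3, 0, 6, 2, 0, 0, 2, 3, 3]),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(f"{label:22} -> {classify_first_bytes(raw)}")
```

A protocol_version or handshake_failure alert points at cause 1 (version or cipher mismatch); a plaintext reply points at cause 2 (the port is not a TLS service).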