
Re: [Ftpapi] Using HTTPAPI getting the error below



Brad-

 

Forgot to say thank you for the compliment. I like to think I am good, but then again in our business there is always something new that challenges us.

 

Have a good one,

Michael

 

Michael Mayer-Oakes

Data Scientist

500 Crocker Drive. Vacaville, CA. 95688

Phone: 707-452-2868 | www.mariani.com

 

 


 

 

From: ftpapi-bounces@xxxxxxxxxxxxxxxxxxxxxx <ftpapi-bounces@xxxxxxxxxxxxxxxxxxxxxx> On Behalf Of Brad Stone
Sent: Friday, June 19, 2020 12:52 PM
To: FTPAPI/HTTPAPI mailing list <ftpapi@xxxxxxxxxxxxxxxxxxxxxx>
Subject: Re: [Ftpapi] Using HTTPAPI getting the error below

 

Well, you're better at that than IBM themselves are.  Good work!  And thanks for posting!

 

On Fri, Jun 19, 2020 at 2:46 PM Michael Mayer-Oakes <mmayer-oakes@xxxxxxxxxxx> wrote:

All-

 

Found a way to get support from IBM on this. Instead of reporting that HTTPAPI was having an issue I used the SQL UDF SYSTOOLS.HTTPPOSTCLOB and reported its error.

 

https://www.ibm.com/support/knowledgecenter/ssw_ibm_i_74/rzajq/rzajqudfhttppostclob.htm

 

Note these are on our V7R1, but couldn’t find the info on that version’s manual.

 

Here is what IBM sent at first, good information on tracing:

 

https://www.ibm.com/support/pages/mustgather-ibm-i-db2-systools-http-functions-httpgetclob-etc

 

THIS I think confirms what I had been suspecting, that we are not up to date on cipher suites and so we can no longer make a secure connection.

 

[IBM]

You can call some HTTP functions using the JDBC client program.

 

From QSH

$ java  -Djavax.net.debug=ssl:handshake:verbose -cp /QIBM/UserData/OS400/SQLLib/Function/jar/SYSTOOLS/DB2RESTUDF.jar:/qibm/proddata/os400/jt400/lib/jt400.jar com.ibm.as400.access.jdbcClient.Main jdbc:as400:localhost

>!callmethod  com.ibm.db2.rest.DB2UDFWrapper.httpGetClob('https://prod1.IPCharge2.net',null)

 

.. Debugging information displayed.  -- then search the web for matching information

[IBM]

NOTE: !callmethod… must be typed as is, with the “!”, to work. Not a Java guy, so I missed that at first. :)

 

I substituted our problem webservice for the URL in the httpGetClob, just the full URL not the XML data, and presto got a dump on the screen of all java debug info, here is the important bit I think:

 

[snipit]

Cipher Suites: [SSL_RSA_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_AES_256_CBC_SHA, SSL_DHE_RSA_WITH_AES_128_CBC_SHA, SSL_DHE_RSA_WITH_AES_256_CBC_SHA, SSL_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_DHE_DSS_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA, SSL_RSA_FIPS_WITH_DES_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_RENEGO_PROTECTION_REQUEST]

[/snipit]

 

This combined with the SSL analysis from this website: https://www.ssllabs.com/ssltest/

 

[snipit]

Cipher Suites

# TLS 1.2 (suites in server-preferred order)

TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)   ECDH secp256r1 (eq. 3072 bits RSA)   FS   256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)   ECDH secp256r1 (eq. 3072 bits RSA)   FS   WEAK   256
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)   ECDH secp256r1 (eq. 3072 bits RSA)   FS   128
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)   ECDH secp256r1 (eq. 3072 bits RSA)   FS   WEAK   128
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)   ECDH secp256r1 (eq. 3072 bits RSA)   FS   WEAK   256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)   ECDH secp256r1 (eq. 3072 bits RSA)   FS   WEAK   128
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x9f)   DH 2048 bits   FS   256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x6b)   DH 2048 bits   FS   WEAK   256
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x9e)   DH 2048 bits   FS   128
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x67)   DH 2048 bits   FS   WEAK   128

[/snipit]

 

Leads me to conclude that the webservice no longer has compatible cipher suites for TLS v1.2 with our machine and so no SSL connection is possible.

 

Waiting for IBM to confirm.

 

Anyway I hope all this helps someone, and maybe even myself in 5 or 10 years when I come across this again.

 

Have a great weekend everyone!

Michael

 

P.S. Thanks to Scott for all his Open Source work!!

--
_______________________________________________
Ftpapi mailing list
Ftpapi@xxxxxxxxxxxxxxxxxxxxxx
http://scottklement.com/mailman/listinfo/ftpapi
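
Added example (not part of the original messages, and not IBM's or HTTPAPI's code): a check of the conclusion reached in the thread above, comparing the client's offer from the `javax.net.debug` output with the server list from the SSL Labs excerpt. It assumes the JSSE `SSL_` prefix names the same suite as the IANA `TLS_` name; the function names are illustrative.

```python
import re

# Client offer as printed by -Djavax.net.debug (copied from the message above,
# including the mid-name wrap the terminal introduced).
CLIENT_DEBUG = """Cipher Suites: [SSL_RSA_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_AES_256_CBC_SHA,
SSL_DHE_RSA_WITH_AES_128_CBC_SHA, SSL_DHE_RSA_WITH_AE
S_256_CBC_SHA, SSL_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_DHE_DSS_WITH_AES_256_CBC_SHA,
SSL_RSA_WITH_DES_CBC_SHA, SSL_RSA_FIPS_WITH_DES_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA,
SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_RENEGO_PROTECTION_REQUEST]"""

# Server list in server-preferred order (names and codes from the SSL Labs excerpt above).
SERVER_REPORT = """TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x9f)
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x6b)
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x9e)
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x67)"""

# Renegotiation signalling value, not a real suite, so it cannot be selected.
SIGNALLING = {"SSL_RENEGO_PROTECTION_REQUEST"}

def client_suites(debug_text):
    m = re.search(r"Cipher Suites:\s*\[([^\]]*)\]", debug_text)
    if m is None:
        raise ValueError("no 'Cipher Suites: [...]' line found")
    names = re.sub(r"\s+", "", m.group(1)).split(",")  # also undoes line wraps
    # Assumption: the JSSE 'SSL_' prefix names the same suite as IANA 'TLS_'.
    return [re.sub(r"^SSL_", "TLS_", n) for n in names if n and n not in SIGNALLING]

def server_suites(report):
    return re.findall(r"^(TLS_[A-Z0-9_]+)\s+\(0x[0-9a-f]+\)", report, re.M)

def negotiate(client, server):
    """First server-preferred suite the client also offered, or None."""
    offered = set(client)
    return next((s for s in server if s in offered), None)

def near_misses(client, server):
    """Pairs that differ only by a longer hash suffix (e.g. SHA vs SHA256)."""
    return [(c, s) for c in client for s in server if s != c and s.startswith(c)]

if __name__ == "__main__":
    c, s = client_suites(CLIENT_DEBUG), server_suites(SERVER_REPORT)
    print("selected:", negotiate(c, s))
    for pair in near_misses(c, s):
        print("near miss:", *pair)
```

With the two lists from the thread nothing is selected, and the near misses show that the closest server suites use SHA256 where the client offers only the SHA variants.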
