Re: [Ftpapi] ssl_error(405): (GSKit) Certificate type is not supported.

[Scott Klement <sk@xxxxxxxxxxxxxxxx>]

Hello,

HTTPAPI is calling the gsk_secure_soc_init() function provided by the IBM i operating system.  It is returning error code GSK_ERROR_UNSUPPORTED_CERTIFICATE_TYPE.

You can learn more about this function and error code here:

https://www.ibm.com/support/knowledgecenter/ssw_ibm_i_74/apis/gsk_secure_soc_init.htm

-SK

On 9/11/2020 4:06 AM, Magne Kofoed wrote:

Hi,

on OS 7.4 we get this error "(GSKit) Certificate type is not supported" when IBMi is consuming webservices on prod servers (linux) .

When we test it by consuming webservices on test servers - it's ok on the same IBMi.

What gives this error on GSKIT?  Is it a problem with DCM? 

A cipher problem?

Seems like it's using TLSV1.2 on both test and prod servers.

I could not find TLSv1.3 in https_init.

Does  HTTPAPI support TLSv1.3? 

 

From debug log:

HTTPAPI Ver 1.41 released 2020-06-05                                          
NTLM Ver 1.4.0 released 2014-12-22                                            
OS/400 Ver V7R4M0                                                              
                                                                               
New iconv() objects set, PostRem=819. PostLoc=0. ProtRem=819. ProtLoc=0        
File CCSID changed to 1208                                                    
http_url_get(): entered                                                        
http_persist_open(): entered                                                  
http_long_ParseURL(): entered                                                  
DNS resolver retrans: 2                                                        
DNS resolver retry  : 3                                                        
DNS resolver options: x'00000136'                                              
DNS default domain: xxxxxx.xxxx.no                                          
DNS server found: 999.999.249.11                                              
DNS server found: 999.999.249.11                                                
DNS server found: 999.999.249.12                                                
https_init(): entered                                                          
QSSLPCL = *OPSYS                                                                
SSL version 2 support disabled                                                  
SSL version 3 support disabled                                                  
Old interface to TLS version 1.0 support enabled                                
TLS version 1.0 support enabled                                                
TLS version 1.1 support enabled                                                
TLS version 1.2 support enabled                                                
initializing GSK environment                                                    
GSK Environment now available                                                  
--------------------------------------------------------------------------------
Dump of local-side certificate information:                                    
--------------------------------------------------------------------------------
Nagle's algorithm (TCP_NODELAY) disabled.                                
SNI hostname set to: nnnnnnn.trusted.nnn.no                    
(GSKit) Certificate type is not supported.                                
ssl_error(405): (GSKit) Certificate type is not supported.                
SetError()  30: SSL Handshake: (GSKit) Certificate type is not supported. 

Best regards

Magne Kofoed

-- 
_______________________________________________
Ftpapi mailing list
Ftpapi@xxxxxxxxxxxxxxxxxxxxxx
http://scottklement.com/mailman/listinfo/ftpapi