On Wed, 7 Nov 2001, Sean Porterfield wrote:

> Scott,
>
> Did you test with a client cert but without the client cert required on the
> AS/400?  When I tried mine, it did nothing.  I used the "verify CA" and it
> worked fine.  Just when I added the client cert parameter did it fail.

If you use a trace file, it should be putting diagnostic info into that
file.  (If you can't figure it out, send me a copy of the trace file)

I did test with the client cert, both with it required on the AS/400 and
without it required on the AS/400.   It worked in both cases...  When the
AS/400 didn't require the client cert, tn5250 didn't send it to the
AS/400, so it didn't actually have any effect -- the session just worked.

Also, it may help to note that certificates are "signed" by certificate
authorities.  Your AS/400, or your OpenSSL, may be rejecting the client
certificate that's assigned if it doesn't recognize the certificate
authority that signed it.   In that case, you'll need to use the
ssl_ca_file= option to tn5250 to also supply the certificate authority's
certificate.   I don't know if this is what's happening, but... I thought
it'd be worth mentioning.

> On another note, I had to follow your directions for creating a client cert
> even though I had already created one previously...  I couldn't figure out
> how to get my other one off the AS/400!  (I have it installed on MSIE at
> work, but that didn't seem to be a compatible format.)  No big deal really.

I tried to make it work with MSIE, but MSIE kept giving me an error
message so I gave up :(   Probably my copy of MSIE is screwed; I should
probably play with that some more.   Netscape seemed a better choice
anyway, since it's available for Linux.

>
> I can't turn on the "require certificate" on the AS/400 yet because I have
> too many real users who don't have client certs.  I couldn't get DCM to
> create a cert except for the user who is signed on, and I don't want all of
> my users using DCM!  (<sarcasm>Thanks IBM</sarcasm>)
>

I wrote a proxy that listens on a different port on the AS/400 that
requires a client certificate, then proxies all of the data to port 23,
so that I could allow both the "client authenticated" and "normal SSL"
clients at the same time.  :)   It's written in RPG IV; I could send
you a copy if you're interested.  (it requires V4R5 & certain PTFs)

I did my testing with the "real telnet server" with client authentication
on the weekends when nobody was using the system.
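As an added illustration (not part of this thread's messages and not tn5250's or the AS/400's own code), the following script reproduces with plain OpenSSL the trust decision described above: a client certificate is accepted only when it chains to a CA the verifying side trusts, which is exactly the case ssl_ca_file= is meant to fix. The CA names, the client CN and the temp-directory layout are assumptions for the demo.

```shell
#!/bin/sh
# Added example: show why a client cert is rejected when the verifier does
# not recognize the CA that signed it. Requires the openssl CLI.
set -e

WORK=$(mktemp -d)

# make_ca PREFIX CN : create a throwaway self-signed CA (key + cert).
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
        -subj "/CN=$2" -keyout "$1.key" -out "$1.pem" >/dev/null 2>&1
}

# make_client CA_PREFIX CLIENT_PREFIX CN : issue a client cert signed by CA.
make_client() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$2.key" -out "$2.csr" >/dev/null 2>&1
    openssl x509 -req -in "$2.csr" -CA "$1.pem" -CAkey "$1.key" \
        -CAcreateserial -days 2 -out "$2.pem" >/dev/null 2>&1
}

# verify_client CA_FILE CLIENT_CERT : exit 0 if CLIENT_CERT chains to CA_FILE.
# CA_FILE plays the role of the CA certificate tn5250's ssl_ca_file= supplies
# (or of the CA the AS/400 has in its trust store).
verify_client() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Constructed demo material: "our" CA, an unrelated CA, and one client cert
# signed by our CA (hypothetical names).
make_ca "$WORK/good_ca" "Demo Good CA"
make_ca "$WORK/other_ca" "Demo Unrelated CA"
make_client "$WORK/good_ca" "$WORK/client" "demo-user"

if verify_client "$WORK/good_ca.pem" "$WORK/client.pem"; then
    echo "accepted: client cert chains to a trusted CA"
fi
if ! verify_client "$WORK/other_ca.pem" "$WORK/client.pem"; then
    echo "rejected: the signing CA is not in the trust store"
fi
```

The second check is the failure mode discussed in the thread: the certificate itself is fine, but the verifier has no copy of the issuing CA, so the handshake (or the session) fails until that CA certificate is supplied.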
