I just ran a small test and I'm able to connect to an SSL 3.0 server just fine. Is there a problem with SSL 2.0 certificate support on OS/400 v5r1? I couldn't find a PTF but maybe I just missed it.

Gary

Gary L Peskin wrote:
>
> I have a Java client application trying to open a secure socket to an
> SSL 2.0 web server. I'm unable to get a successful handshake with the
> server even though I can connect fine from my browser.
>
> In java, the relevant part of the stack trace looks like this:
>
> javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
> java/lang/Throwable.<init>(Ljava/lang/String;)V+4 Throwable.java:90)
>
> com/ibm/as400/ibmonly/net/ssl/SSLSessionImpl.getPeerCertificateChain()[Ljavax/security/cert/X509Certificate;+47
> (SSLSessionImpl.java:247)
> <my application follows>
>
> I have DCM installed as well as AC3 and I have created the *SYSTEM
> certificate store. I haven't set up any kind of client application
> under the DCM "Manage Applications" section but I can't see why that
> should be necessary. Is it? I just want my client to trust all CAs
> that are enabled.
>
> All of the supplied CA certificates are marked enabled and one of them
> is the parent of the certificate that signed the server's certificate.
>
> I did a TRCCNN and got the following messages:
>
> 1. From AS/400 client to server: CLIENT-HELLO. This looks fine.
> 2. From server to AS/400: SERVER-HELLO. This also looks fine. It is
> an SSL 2.0 SERVER-HELLO.
> 3. From AS/400 client to server: The following message is sent (in
> hex):
>
> 8003 000004
>
> I looked this up and it indicates an SSL_PE_BAD_CERTIFICATE error as
> defined by the SSL 2.0 protocol.
>
> Can I find out why the AS/400 thinks the certificate is bad? There is
> some mention in the information center of a flight recorder for SSL but
> I don't know how to access it or interpret it. Will it show me exactly
> why the server's certificate is not being accepted?
>
> Any ideas on what I can do to find out exactly why I'm unable to
> complete the SSL handshake would be appreciated.
>
> Thanks,
> Gary
> _______________________________________________
> This is Midrange Systems Technical Discussion (MIDRANGE-L)
> To post a message email: MIDRANGE-L@midrange.com
> To subscribe, unsubscribe, or change list options,
> visit: http://lists.midrange.com/cgi-bin/listinfo/midrange-l
> or email: MIDRANGE-L-request@midrange.com
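
Added example, not part of the original post: a decoder for a cleartext SSL 2.0 handshake record such as the `8003 000004` bytes quoted from the trace, showing how the record header, message type and error code are read. The message-type and error-code tables follow the SSL 2.0 protocol specification; the function name `decode_sslv2_record` is hypothetical.

```python
# SSL 2.0 handshake message types (SSL 2.0 protocol specification).
MSG_TYPES = {
    0: "SSL_MT_ERROR", 1: "SSL_MT_CLIENT_HELLO", 2: "SSL_MT_CLIENT_MASTER_KEY",
    3: "SSL_MT_CLIENT_FINISHED", 4: "SSL_MT_SERVER_HELLO",
    5: "SSL_MT_SERVER_VERIFY", 6: "SSL_MT_SERVER_FINISHED",
    7: "SSL_MT_REQUEST_CERTIFICATE", 8: "SSL_MT_CLIENT_CERTIFICATE",
}
# Error codes carried in the two bytes that follow SSL_MT_ERROR.
ERROR_CODES = {
    0x0001: "SSL_PE_NO_CIPHER", 0x0002: "SSL_PE_NO_CERTIFICATE",
    0x0004: "SSL_PE_BAD_CERTIFICATE",
    0x0006: "SSL_PE_UNSUPPORTED_CERTIFICATE_TYPE",
}


def decode_sslv2_record(hex_text):
    """Decode one cleartext SSL 2.0 record given as hex (spaces allowed).

    Only handshake records sent before encryption starts can be read this
    way; later records carry a MAC and encrypted data instead.
    """
    raw = bytes.fromhex(hex_text)
    if len(raw) < 3:
        raise ValueError("too short to hold a header and a message type")
    if raw[0] & 0x80:
        # High bit set: 2-byte header, 15-bit length, no padding.
        header_len, padding = 2, 0
        length = ((raw[0] & 0x7F) << 8) | raw[1]
    else:
        # High bit clear: 3-byte header, 14-bit length, padding count.
        header_len, padding = 3, raw[2]
        length = ((raw[0] & 0x3F) << 8) | raw[1]
    body = raw[header_len:header_len + length]
    if length == 0 or len(body) != length:
        raise ValueError("record body is empty or truncated")
    result = {
        "header_len": header_len,
        "record_len": length,
        "padding": padding,
        "msg_type": MSG_TYPES.get(body[0], "unknown(0x%02x)" % body[0]),
        "error": None,
    }
    if body[0] == 0:  # SSL_MT_ERROR: type byte plus 2-byte big-endian code
        if length < 3:
            raise ValueError("SSL_MT_ERROR without an error code")
        code = int.from_bytes(body[1:3], "big")
        result["error"] = ERROR_CODES.get(code, "unknown(0x%04x)" % code)
    return result


if __name__ == "__main__":
    print(decode_sslv2_record("8003 000004"))  # bytes quoted from the trace
```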