Scott (and also Buck),
 
You are the men!
Thanks for the detailed directions!!
- I've made sure that the PTFs were installed.
- Changed the Copy member and program accordingly.
- Compiled the Module, updated the server-program.
- Tested it.......and without any complaint the certificate was accepted.
 
For now this is sufficient and has made the sun shine for a lot of the people 
involved (coincidentally, the sun is shining here this morning).
As a result you will experience a sudden rise in sausage sales in certain parts 
of Europe!
I had already spotted them on Curaçao (the better place) and have tried the 
summer sausage.
 

I will, however, make this kind of setting flexible/variable because this should 
be an exception and not common practice.
 
Again, Thanks a lot.
Kind regards,
Eduard Sluis.

Scott Klement <sk@xxxxxxxxxxxxxxxx> wrote:
Sender: Scott Klement 


Eduard,

In V5R3, IBM added a new capability (that I've never used) to the GSKit API 
that allows you to accept a certificate that's expired. They added PTFs to 
enable this support in V5R1 or V5R2. This is documented in APAR SE07971. 
Here's a link to that APAR:

http://tinyurl.com/8hykw

Make sure you have those PTFs applied to your system if you're not running V5R3 
yet.

And here's a link to the documentation for the GSKit where it provides some 
info about what this option does:

http://tinyurl.com/dan9n

To install this in HTTPAPI, you'll need to change the source code. Start by 
adding the following definitions to the GSKSSL_H source member:

     D GSK_SERVER_AUTH_TYPE...
     D                 C                   CONST(410)

     D GSK_SERVER_AUTH_FULL...
     D                 C                   CONST(534)
     D GSK_SERVER_AUTH_PASSTHRU...
     D                 C                   CONST(535)

Then, you'll need to edit the COMMSSLR4 source member and insert the code to 
set these options. Search for GSK_CLIENT_AUTH in the COMMSSLR4 member. Right 
after that group of code, but before the code for setting the SSL protocol 
versions, insert the following:

     C* Allow passthru of the server's info:
     c                   eval      rc = gsk_attribute_set_enum(wkEnvh:
     c                                  GSK_SERVER_AUTH_TYPE:
     c                                  GSK_SERVER_AUTH_PASSTHRU)
     c                   if        rc <> GSK_OK
     c                   callp     SetError(HTTP_GSKATYP: 'Setting ' +
     c                              'auth type: ' + ssl_error(rc))
     c                   return    -1
     c                   endif

Then recompile HTTPAPI and try it. Here's where I can't help you -- I have no 
way to test this code. I do not have access to a server with an expired 
certificate. The documentation (that I linked to, above) says that it'll allow 
an expired certificate, but I can't test it.

---
Scott Klement http://www.scottklement.com



On Thu, 6 Oct 2005, Eduard Sluis wrote:

> Dear All,
> I need help urgently!
> 
> We are accessing a webservice using HTTPAPI as a client.
> We are connecting to it using HTTPS.
> The Webservice is using a certificate that is expired.
> As a result we are getting the error:
> SSL Handshake: (GSKit) Validity time period of the certificate is expired.
> which is indeed correct.
> The problem however is that we need to accept this certificate and build the 
> SSL connection on it. The system using this webservice must go in production. 
> Other production systems are also using this same webservice which prohibits 
> any change on the certificate for a foreseeable time.
> Those other systems (non iSeries) are able to work with the expired 
> certificate.
> 
> Is there any way to make the iSeries accept this certificate?
> I've found possibilities to use ExitPrograms and am investigating this but I 
> have *NONE experience with that.
> Does anyone know if it is possible and if Yes how to do it?
> I would hate to make the iSeries the showstopper for this!
> 
> Kind regards,
> Eduard Sluis
> 
-----------------------------------------------------------------------
This is the FTPAPI mailing list. To unsubscribe from the list send mail
to majordomo@xxxxxxxxxxxxx with the body: unsubscribe ftpapi mymailaddr
-----------------------------------------------------------------------

