RE: HTTPAPI: (GSKit) I/O: Unknown system state.
I think our bits are 1024 or 2048...how do I validate?
-----Original Message-----
From: ftpapi-bounces@xxxxxxxxxxxxxxxxxxxxxx
[mailto:ftpapi-bounces@xxxxxxxxxxxxxxxxxxxxxx] On Behalf Of
JHill@xxxxxxxxxxxx
Sent: Monday, August 09, 2010 8:11 AM
To: HTTPAPI and FTPAPI Projects
Subject: RE: HTTPAPI: (GSKit) I/O: Unknown system state.
[1]-----ftpapi-bounces@xxxxxxxxxxxxxxxxxxxxxx wrote: -----
To: <ftpapi@xxxxxxxxxxxxxxxxxxxxxx>
From: "Linning Mike-c11488" <Mike.Linning@xxxxxxxxxxxx>
Sent by: ftpapi-bounces@xxxxxxxxxxxxxxxxxxxxxx
Date: 08/06/2010 04:10PM
Subject: RE: HTTPAPI: (GSKit) I/O: Unknown system state.
> Been using this utility for several years now without incident, but
> suddenly this week we're getting errors when it appears to receive the
> CA certificate information. This is from the httpapi_debug.txt log.
>
> HTTPAPI Ver 1.20 released 2007-06-04
>
> New iconv() objects set, PostRem=819. PostLoc=0. ProtRem=819. ProtLoc
> http_url_get(): entered
> http_persist_open(): entered
> http_long_ParseURL(): entered
> https_init(): entered
> ---------------------------------------------------------------------
> Dump of local-side certificate information:
> ---------------------------------------------------------------------
> (GSKit) I/O: Unknown system state.
> ssl_error(406): (GSKit) I/O: Unknown system state.
> SetError() #30: SSL Handshake: (GSKit) I/O: Unknown system state.
> Cert Validation Code = 0
>
> Additional Message Information
>
> Message ID . . . . . . : CPA0701 Severity . . . . . . . : 99
> Message type . . . . . : Inquiry
> Date sent . . . . . . : 08/06/10 Time sent . . . . . . : 11:33:18
>
> Message . . . . : CPF9897 received by CUCL0111 at 600. (C D I R)
> Cause . . . . . : Control language (CL) program CUCL0111 in library QGPL
> detected an error at statement number 600. Message text for CPF9897 is: SSL
> Handshake: (GSKit) I/O: Unknown system state.
> Recovery . . . : This inquiry message can be avoided by changing the
> program. Monitor for the error (MONMSG command) and perform error recovery
> within the program. To continue, choose a reply value.
> Possible choices for replying to message . . . . . . . . . . . . . . . :
> C -- Cancel the CL program.
> D -- Dump the CL program variables and cancel the CL program.
> I -- Ignore the failing command.
>
> More...
> Reply . . . : C
>
> Recently we renewed a Server certificate which is issued by the CA
> which might have caused it, but I don't think so as we never had to do
> anything on the Iseries Client User whenever we renewed certificates
> annually for all environments (Dev, QA, Prod).
>
> I'm thinking something's amiss in the IBM layers?
>
> Any clues?
>
> -mike
>
----------------------------------------------------------------------
-
This is the FTPAPI mailing list. To unsubscribe, please go to:
[2]http://www.scottklement.com/mailman/listinfo/ftpapi
----------------------------------------------------------------------
-
Mike,
We had this same issue at the end of May. Check the key length of the
site you are trying to access, if it is higher than 2048 bits then IBM
iseries GSKit will not support it or any of those bigger key lengths.
We got around the issue by proxying the request through a proxy server
with a 2048 bit key. Here are the emails I received from IBM support
on the issue. They say there may be a fix in a PTF but I have not
tested it.
John Hill
Web Developer
Email 1
--------------------------------------
Hello John,
Not good news on this end. The server certificate running is 4096 bit,
which isn't supported on System i. The CAs we installed are 2048 bit so
they imported fine. It's actually unique that a server certificate is
created and based on CAs using a smaller bit string. Not sure why they
went with 4096. Performance is not as good, it's not really more secure
than 2048, and it's not strategic (4096 isn't really the next step as
things are changing to maintain performance).
I would alert the WENS team as to the situation. I realize you're the
client but I'd let them know that they changed to a bit size on their
server certificate that isn't supported on your system.
FYI. Since the industry is going a different direction in the future,
support for 4096 hasn't been added in V6R1 or V7R1 either, so I can't
tell you this is supported in a later release either.
Thanks!
Spectacular accomplishments require spectacular preparation.
T.J. Covalt, Software Engineer, IBM Rochester support Center
PMI Certified Project Manager
Phone: (507) 286-6488
Fax: (507) 253-5124
E-mail: [3]covalt@xxxxxxxxxx
Email 2
-----------------------------------
Hello John.
It sounds like the development team is working on an issue with the SSL
handshake. Here are the PTFs being released for the supported releases.
V5R4 - MF50358
V5R4M5 - MF50349
Install the appropriate PTF and let me know how it works for you.
Thanks!
Spectacular accomplishments require spectacular preparation.
T.J. Covalt, Software Engineer, IBM Rochester support Center
PMI Certified Project Manager
Phone: (507) 286-6488
Fax: (507) 253-5124
E-mail: covalt@xxxxxxxxxx
References
1. mailto:-----ftpapi-bounces@xxxxxxxxxxxxxxxxxxxxxx
2. http://www.scottklement.com/mailman/listinfo/ftpapi
3. mailto:covalt@xxxxxxxxxx
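Added example, not part of the original thread: one way to answer the "how do I validate?" question is to read the RSA modulus length straight out of the server's certificate and compare it with the 2048-bit limit reported above. The function names and the `sample_cert` skeleton are constructed for illustration; `server_key_bits` needs network access to the site in question.

```python
import ssl

RSA_OID = bytes.fromhex("2a864886f70d010101")  # rsaEncryption, 1.2.840.113549.1.1.1

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Split the contents of a constructed element into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def rsa_key_bits(der_cert):
    """Bit length of the RSA modulus in a DER-encoded X.509 certificate."""
    tbs = children(children(read_tlv(der_cert, 0)[1])[0][1])
    if tbs[0][0] == 0xA0:           # optional explicit [0] version field
        tbs = tbs[1:]
    alg, key = children(tbs[5][1])  # subjectPublicKeyInfo is the 6th field
    if children(alg[1])[0][1] != RSA_OID:
        raise ValueError("not an RSA public key")
    modulus = children(read_tlv(key[1], 1)[1])[0][1]  # skip unused-bits byte
    return int.from_bytes(modulus, "big").bit_length()

def server_key_bits(host, port=443):
    pem = ssl.get_server_certificate((host, port))  # leaf certificate only
    return rsa_key_bits(ssl.PEM_cert_to_DER_cert(pem))

def der(tag, *parts):  # DER encoder, used only to build the constructed sample
    body = b"".join(parts)
    size = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    head = bytes([len(body)]) if len(body) < 128 else bytes([0x80 | len(size)]) + size
    return bytes([tag]) + head + body

def sample_cert(bits):
    """Constructed, unsigned certificate skeleton carrying a `bits`-bit modulus."""
    n = ((1 << (bits - 1)) | 1).to_bytes(bits // 8 + 1, "big")  # leading 0x00
    spki = der(0x30, der(0x30, der(0x06, RSA_OID), der(0x05)),
               der(0x03, b"\x00", der(0x30, der(0x02, n), der(0x02, b"\x01\x00\x01"))))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")), der(0x02, b"\x01"), der(0x30),
              der(0x30), der(0x30), der(0x30), spki)
    return der(0x30, tbs, der(0x30), der(0x03, b"\x00"))
```

A result above 2048 from `server_key_bits` matches the situation described in the IBM support emails; the call reads only the leaf certificate, so CA certificates in the chain have to be checked separately.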