Re: Certificate validation
Hi Carl,
If you want a quick fix to this problem, open up the COMMSSLR4 source
member of HTTPAPI, and search for GSK_SERVER_AUTH_PASSTHRU. Replace
GSK_SERVER_AUTH_PASSTHRU with GSK_SERVER_AUTH_FULL. Then recompile HTTPAPI.
The reason this is set to passthru (which allows "untrusted" and
"expired" certificates) is that i5/OS doesn't return any certificate
information to HTTPAPI if the SSL handshake fails, and that means I
can't provide debugging information. Since a majority of the users of
this software didn't care so much about certificate validation (they
only cared about "getting it to work"), I used passthru authentication.
It provided a lot more debugging information, and it made things work.
Note that the ability to switch HTTPAPI to use FULL authentication is
one of the SSL security enhancements that I proposed in my e-mail to you
on Dec 18 -- and it should be in the next release of HTTPAPI.
I should have a beta version for you to test soon.
Forshey, Carl wrote:
> Hi Scott,
>
> I'm having a problem with testing my application using SSL where I'm
> given a site to log on to with a known expired certificate (another
> vendor requirement). The CA normally being used is VeriSign, and
> they are in the DCM and trusted to the application. The problem is
> the certificate is being validated and I'm then connecting and
> receiving a response from the site. I was expecting to get a return
> code error on the certificate validation.
>
> After searching the archives, I came across a reference to a problem
> where the person wanted to accept an expired certificate (error "SSL
> Handshake: (GSKit) Validity time period of the certificate is
> expired") and you provided the code necessary to update the current
> HTTPAPI version of that time. I'm using the latest version (1.21)
> and I see the code in the GSKSSL_H source member and the COMMSSLR4
> source member. My question is, is there a way to control whether or
> not an expired certificate is accepted? After reading the archive
> and looking at the code, it seems as though it's set to accepting by
> default, where I need to have some indication of a validation error
> returned to my program, which seems to be what the original
> problem was on the archive posting. Could you shed some light on
> this for me, so I can determine if this is my problem or if I need to
> look elsewhere. Thanks!
>
> Carl Forshey, Commsoft
>
>
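The one-line change Scott describes, shown in context. This is an added example, not HTTPAPI's COMMSSLR4 code and not a patch from Scott: it is a stand-alone ILE RPG module that opens a GSKit client session over an already-connected socket and lets the caller pick FULL or PASSTHRU server authentication, so the "expired certificate" case from Carl's test surfaces as a return code and message instead of a silently successful connection. Assumptions: HTTPAPI's GSKSSL_H member (mentioned in the thread) supplies the GSKit prototypes and GSK_* constants under the same names as the C API (gsk_environment_open, gsk_attribute_set_enum, GSK_SERVER_AUTH_TYPE, GSK_SERVER_AUTH_FULL, GSK_SERVER_AUTH_PASSTHRU, gsk_strerror, and so on), with pointer-by-value buffer parameters; '*SYSTEM' is the DCM certificate store holding the trusted CA; the procedure, parameter and variable names (sslConnect, gskErr, fullAuth, keyring) are mine.

```rpg
     H NOMAIN OPTION(*SRCSTMT:*NODEBUGIO)

      * GSKit prototypes and GSK_* constants come from HTTPAPI's GSKSSL_H
      * member.  Qualify the /copy (library/file,member) if that member is
      * not in the source file you compile from.  (Assumption for this
      * example.)
      /copy GSKSSL_H

     D sslConnect      PR            10I 0
     D   sock                        10I 0 value
     D   fullAuth                      N   value
     D   env                           *
     D   ssl                           *
     D   errMsg                     256A

     D gskErr          PR
     D   rc                          10I 0 value
     D   errMsg                     256A

      *----------------------------------------------------------------
      * sslConnect(): run the SSL handshake on an already-connected TCP
      *   socket.  On success env/ssl hold the open GSKit handles and
      *   GSK_OK is returned; on failure both are closed and set to *null,
      *   the GSKit return code is returned and errMsg explains why.
      *
      *   fullAuth = *ON  -> GSK_SERVER_AUTH_FULL: an untrusted or expired
      *                      server certificate makes gsk_secure_soc_init
      *                      fail, and gsk_strerror() says why.
      *   fullAuth = *OFF -> GSK_SERVER_AUTH_PASSTHRU: the handshake
      *                      succeeds regardless, which is the HTTPAPI 1.21
      *                      behaviour discussed in the thread.
      *----------------------------------------------------------------
     P sslConnect      B                   export
     D sslConnect      PI            10I 0
     D   sock                        10I 0 value
     D   fullAuth                      N   value
     D   env                           *
     D   ssl                           *
     D   errMsg                     256A

     D rc              S             10I 0
     D authType        S             10I 0
     D keyring         S             20A   inz('*SYSTEM')
      /free
         errMsg = *blanks;
         env    = *null;
         ssl    = *null;

         // The environment carries the certificate store and the
         // validation policy.  '*SYSTEM' = DCM system store (assumed).
         rc = gsk_environment_open(env);
         if rc = GSK_OK;
            rc = gsk_attribute_set_buffer(env: GSK_KEYRING_FILE:
                                          %addr(keyring):
                                          %len(%trimr(keyring)));
         endif;
         if rc = GSK_OK;
            rc = gsk_attribute_set_enum(env: GSK_SESSION_TYPE:
                                        GSK_CLIENT_SESSION);
         endif;

         // This is the attribute the thread is about.  COMMSSLR4 in
         // HTTPAPI 1.21 uses GSK_SERVER_AUTH_PASSTHRU here.
         if fullAuth;
            authType = GSK_SERVER_AUTH_FULL;
         else;
            authType = GSK_SERVER_AUTH_PASSTHRU;
         endif;
         if rc = GSK_OK;
            rc = gsk_attribute_set_enum(env: GSK_SERVER_AUTH_TYPE: authType);
         endif;
         if rc = GSK_OK;
            rc = gsk_environment_init(env);
         endif;

         // Secure socket on top of the caller's connected descriptor.
         if rc = GSK_OK;
            rc = gsk_secure_soc_open(env: ssl);
         endif;
         if rc = GSK_OK;
            rc = gsk_attribute_set_numeric_value(ssl: GSK_FD: sock);
         endif;
         if rc = GSK_OK;
            // With FULL auth, Carl's expired test certificate fails here
            // ("Validity time period of the certificate is expired").
            rc = gsk_secure_soc_init(ssl);
         endif;

         if rc <> GSK_OK;
            gskErr(rc: errMsg);
            if ssl <> *null;
               gsk_secure_soc_close(ssl);
               ssl = *null;
            endif;
            if env <> *null;
               gsk_environment_close(env);
               env = *null;
            endif;
         endif;
         return rc;
      /end-free
     P sslConnect      E

      * gskErr(): turn a GSKit return code into text for the caller's log,
      *   in the same form HTTPAPI uses for its SSL handshake messages.
     P gskErr          B
     D gskErr          PI
     D   rc                          10I 0 value
     D   errMsg                     256A
      /free
         errMsg = 'SSL Handshake: (GSKit) ' + %str(gsk_strerror(rc));
      /end-free
     P gskErr          E
```

A caller that wants validation errors reported passes fullAuth = *ON and checks the return code; passing *OFF reproduces the passthru behaviour, in which the handshake succeeds against the expired certificate and no error is ever returned. Switching to FULL also means the GSKit debugging information Scott mentions is not available on a failed handshake, since i5/OS returns no certificate details in that case; the return code and gsk_strerror() text are what the caller gets.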
-----------------------------------------------------------------------
This is the FTPAPI mailing list. To unsubscribe, please go to:
http://www.scottklement.com/mailman/listinfo/ftpapi
-----------------------------------------------------------------------