TLS Protocol

Discussions related to HTTPAPI (An HTTP Client Package for RPG programming.) http://www.scottklement.com/httpapi/
dstrawn
Posts: 3
Joined: Mon Dec 06, 2021 8:51 pm

TLS Protocol

Post by dstrawn »

How do you change the TLS version in the https_init procedure or does it just work with 1.0?
Scott Klement
Site Admin
Posts: 636
Joined: Sun Jul 04, 2021 5:12 am

Re: TLS Protocol

Post by Scott Klement »

Normally, it automatically negotiates the best TLS version and ciphers to use -- you don't have to set anything. Instead, configure the versions you would like to support in the IBM i system values.

On the other hand, if you don't want to force a specific connection to only use particular versions, you can do that with https_init. I would recommend this, because it will require changes to your programs periodically (the old versions get phased out, and new versions get phased in... better to set this in system values where it can be configured for everything in one place.)

But, if you must... there's an indicator for each version, you can turn them on/off:

      https_init( *blanks      // App ID
                : *off         // SSLv2 -- not considered secure, anymore.
                : *off         // SSLv3 -- not considered secure, anymore.
                : *off         // TLSv1 -- weak security, but better than nothing
                : *on          // TLSv1.1 -- okay... for old sites
                : *on          // TLSv1.2 -- pretty good
                : *on);        // TLSv1.3 -- best

Make sure your HTTPAPI is up to date, and see the comments about https_init() in HTTPAPI_H for details.
dstrawn
Posts: 3
Joined: Mon Dec 06, 2021 8:51 pm

Re: TLS Protocol

Post by dstrawn »

Scott,
the https_init prototype in HTTPAPI_H only has 3 parms in the version we have...
     D https_init      PR            10I 0
     D   peAppID                    100A   const
     D   peSSLv2                       1N   const options(*nopass)
     D   peSSLv3                       1N   const options(*nopass)
     D   peTLSv1                       1N   const options(*nopass)
Do we have a really old version?

When calling it we have the parms set as follows:
     c                   eval      rc = https_init(APP_ID : *Off : *On :
     c                             *Off)
Will the *Off setting for TLS effectively default to whatever we have configured in the IBM i system?
Scott Klement
Site Admin
Posts: 636
Joined: Sun Jul 04, 2021 5:12 am

Re: TLS Protocol

Post by Scott Klement »

Yes, you have an old version...

No, setting it to *OFF won't tell it to use the system value. Setting it *OFF disables that protocol.
dstrawn
Posts: 3
Joined: Mon Dec 06, 2021 8:51 pm

Re: TLS Protocol

Post by dstrawn »

Got it! thanks!