ibmi-brunch-learn

GSK API's

  • GSK API's

    Trying to develop a sample for retrieving Web Pages using https. I have http working just fine but https with GSK APIs is not playing nicely. Anyone have any experience with using GSK APIs? I have set up DCM with the CA certificates etc but even www.ibm.com fails to pass gsk_secure_soc_init() with a rc of 6000 (certificate not valid). Happy to share code if anyone has the experience to help me, will be posted as open source once I get it working.

    Chris...

  • #2
    Hi Chris,

    If you look in QSYSINC/H, GSKSSL you'll see this:
    Code:
    #define GSK_IBMI_ERROR_NOT_TRUSTED_ROOT            6000
    So the error means that it doesn't trust the SSL certificate. To rectify that, you would need to either (1) find out which certificate authority www.ibm.com uses and install it into the DCM, or (2) tell it not to validate the certificate authority. Technically, #1 is the "correct" solution, since #2 basically trusts everyone and everything, including rogue sites. On the other hand, it may be impractical to set up all the needed CA certificates (depending on what you're doing?)

    I don't need you to share your code... The open source HTTPAPI (which I wrote, originally) has been doing this stuff since 2001, so I already have code that does this. I wonder why you're reinventing the wheel?



    • #3
      Hi Scott, not reinventing the wheel, just providing sample code in C which talks to a web server. I have all of the certs installed, I even ran a comms trace to find out what the server was sending and it shows the correct certificate. I checked into the cert store (*SYSTEM) and the certs match. I tried on a number of websites and all of them were rejected, so I am now assuming there is a problem with my DCM set up? Problem is the gsk_ APIs have no debug capability to see exactly at what stage the cert was rejected, you just call the API and hopefully get the secure connection at the end of it?

      I will take a look at the code although to be honest I think the code I wrote is OK, just need to figure out the DCM side of things?

      Thanks for the input..

      Chris..



      • #4
        Scott, OK, I looked at your code and I am doing the same process more or less, BUT I did notice a comment which may be part of the problem. You said you have to set all of the flags for the approved protocols (SSL/TLS) and I am simply stating that TLS1.2 is on, nothing else? I will update and try with those changes.

        Chris...



        • #5
          Given that the issue is "not trusted root", I would expect that you'd either need to install the SSL CA root/intermediate/etc certificates into the DCM, or else you'd need to set the GSK_SERVER_AUTH_PASSTHRU authentication type.

          With regards to setting the explicit versions... it was necessary to do so for compatibility with V7R1. Newer OS versions can automatically use the newer TLS versions if you let the OS decide... Though, if you're explicitly setting 1.2 and nothing else, you should be aware that it'll only work with TLS 1.2, since you're not allowing other protocols.



          • #6
            Scott,

            Sorry, had a hell of a week, migrating to Exchange with Office 365 and had terrible problems, spent 3 days with support just trying to link Outlook desktop with O365 Exchange!!! In the end it was a recent update MS sent out that screwed everything up! Anyhow, back to the problem..

            I will try some of your suggestions. DCM is set up with all of the root certificates, I can see the certificate coming in and it should match, so something else is wrong, probably with how I set things up? I will get back to this next week but in the meantime thanks for your input.

            Chris...



            • #7
              Definitely a strange problem. Our GoDaddy hosted site shows it has a cert issued by it, but the comms trace shows a cert from Starfield! (I just installed it and it worked OK.) I think DNS cache is part of the problem, as the source was an old hosted site we used that we recently moved from? We have a temp site there now with no content, so that explains some of the issues... Anyhow, at least I can show the program works.

              Thanks for the input Scott..

              Chris...



              • #8
                Scott,

                OK, found the problem. The multi-tenanted host at GoDaddy was returning a certificate which was not the one assigned to my website! It would return a certificate which was issued by Starfield Tech which is somehow stored in the system configuration somewhere, probably as the main system root? I originally worked around it by installing the root cert for Starfield Tech, but I was not happy with that solution as IBM does not ship that certificate when you set the default root CAs in DCM. So I looked a bit closer, by tracing both the IBM i connection and the PC (browser) connection I noticed that the PC request set the server name, I was not!!! So I now set it via gsk_attribute_set_buffer(my_env_handle, GSK_SSL_EXTN_SERVERNAME_CRITICAL_REQUEST, host, strlen(host)) and I get the correct cert back. I noticed you do that in your libhttp code already.. So now it all works as it should.

                Learnt a lot about Secure sockets and thanks for your LIBHTTP code, it helped me confirm my understanding.

                Chris..


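As an added example, not code from this thread or from HTTPAPI, and written in Go because the GSK C API only exists on IBM i: an in-process reproduction of what Chris found in #8 and the trust choice Scott lays out in #2. A server that selects its certificate from SNI hands its default certificate to a client that never sends a server name, and that certificate then fails validation against the client's trust store (the analogue of rc 6000); once the client sends SNI, the equivalent of setting GSK_SSL_EXTN_SERVERNAME_CRITICAL_REQUEST, the tenant's certificate comes back and validates. The certificates and host names (default.example, tenant.example) are constructed test data.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"time"
)

// selfSigned builds a constructed self-signed server certificate for host (test data only).
func selfSigned(host string) tls.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: host},
		DNSNames: []string{host}, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// ServedCert handshakes with an in-process multi-tenant server that picks its certificate from
// SNI, and returns the CommonName it presented plus whether that certificate verifies for
// tenant.example against the client's trust store. sni == "" is a client that never set SNI.
func ServedCert(sni string) (cn string, trusted bool) {
	defaultCert, tenantCert := selfSigned("default.example"), selfSigned("tenant.example")
	pool := x509.NewCertPool()
	pool.AddCert(tenantCert.Leaf) // the only root the client has "installed in DCM"
	srv := &tls.Config{GetCertificate: func(h *tls.ClientHelloInfo) (*tls.Certificate, error) {
		if h.ServerName == "tenant.example" {
			return &tenantCert, nil
		}
		return &defaultCert, nil // no or unknown SNI: the host's default certificate
	}}
	cp, sp := net.Pipe() // synchronous in-memory pair; TLS 1.2 flights keep it deadlock-free
	go func() { s := tls.Server(sp, srv); s.Handshake(); s.Close() }()
	defer cp.Close()
	// InsecureSkipVerify only lets the handshake finish; trust is checked explicitly below, not skipped as GSK_SERVER_AUTH_PASSTHRU would.
	cl := tls.Client(cp, &tls.Config{ServerName: sni, InsecureSkipVerify: true, MaxVersion: tls.VersionTLS12})
	if err := cl.Handshake(); err != nil {
		return "", false
	}
	leaf := cl.ConnectionState().PeerCertificates[0]
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: "tenant.example"})
	return leaf.Subject.CommonName, err == nil
}
```

Calling ServedCert("") returns the default certificate and trusted=false, while ServedCert("tenant.example") returns the tenant certificate and trusted=true.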