bvstone

IBM i (AS/400) and the Wonderful World that is Secure Sockets Layer (SSL) - A Rant

Posted:

IBM i (AS/400) and the Wonderful World that is Secure Sockets Layer (SSL) - A Rant

Having created many applications that use TCPIP communications (mainly client side) that means implementing SSL or TLS is inevitable.  

Our GETURI and MAILTOOL products use sockets and SSL/TLS very heavily, and in the future I can see them being becoming even more popular than they are now simply because the email APIs provided by IBM for the IBM i simply don't work with SSL and/or TLS.  They may in the future, but most likely at a global level (and be a bear to set up), not a global, user, or command level like our software provides.

The Big Problem
But, there is a big problem that for some reason still exists even at V7R2.  And that's how Certificates and Certificate Authorities (CAs) that are expired and used in NO WAY by any client application that requires SSL or TLS can cause an application to throw an error.  RC(-24) SSL_ERROR_CERT_EXPIRED.

I posted this question on the MIdrange-L mailing list but got no replies or suggestions.

This makes absolutely ZERO sense.

If the client application was using a client side SSL certificate and that certificate was expired then yes, I could see this error occurring.  

If the client application was communicating with a server in which the CA(s) installed on the system (allowing us to "trust" the server's SSL Certificate) was expired then yes, I could see this happening.  But only if the CA was associated with the server's SSL Certificate in some way.

Because this issue normally shuts down production, it's one of those "Get it fixed fast, now, and I don't care how!" moments.  Which means, once it's fixed, we wash our hands of the problem and don't report it to IBM.

The "Fix"
I probably assist at least one customer a week with this issue.  

First I have to explain to them the problem, and that it's not related to our software.  It's an IBM issue.  Then you must explain that somewhere on their system is an SSL Certificate or CA that is expired and they need to delete it from their system.  Not "turn it off" (which you can't do anyhow)... but delete it.  And only because of most likely one small error in an "if" statement in some code buried deep in the IBM SSL application code.

Watching them (via desktop sharing) as they second and third guess themselves as they go to delete Certificates or CAs that are expired shows me that SSL and TLS are still very misunderstood...  even by the Digital Certificate Manager (DCM) and the IBM SSL APIs.

 


Last edited 07/27/2015 at 12:50:30



Latest Posts:

MAILTOOL Updated to Allow G4GSMAIL as Option in Routers File MAILTOOL Updated to Allow G4GSMAIL as Option in Routers File
Posted by June 28, 2020
BVSTools >> BVSTools Announcements >> eMail Tool (MAILTOOL) Specific Announcements
BVSTools Now Offers Interface with Infor's ION APIs BVSTools Now Offers Interface with Infor's ION APIs
Posted by May 15, 2020
BVSTools >> BVSTools Announcements
More V7R4 IFS File CCSID Issues and The Fix More V7R4 IFS File CCSID Issues and The Fix
Posted by March 4, 2020
IBM Power Systems >> (QGPL) IBM i
Error Retrieving IP Address by Name Error Retrieving IP Address by Name
Posted by February 25, 2020
BVSTools >> BVSTools Software Discussion
Logging jobs that hit an outq Logging jobs that hit an outq
Posted by February 13, 2020
Programming >> CL Programming
GreenTools for Google Apps (G4G) v12.60 Released with Shared Drive Features and More... GreenTools for Google Apps (G4G) v12.60 Released with Shared Drive Features and More...
Posted by February 4, 2020
BVSTools >> BVSTools Announcements >> GreenTools for G Suite (Google Apps) (G4G) Specific Announcements
Allowing Requests over Port 80 For SSL Validation (ie, Namecheap, etc) Allowing Requests over Port 80 For SSL Validation (ie, Namecheap, etc)
Posted by January 31, 2020
Programming >> Web Programming
GreenTools for Slack (G4SLK) v3.00 Released GreenTools for Slack (G4SLK) v3.00 Released
Posted by January 17, 2020
BVSTools >> BVSTools Announcements >> GreenTools for Slack (G4SLK) Specific Announcements
Calling a QSH Command from RPG Calling a QSH Command from RPG
Posted by December 26, 2019
Programming >> RPG Programming
SPLTOOL Print Range (PRTRNG) Function Updated to Handle Spooled Files up to 999,999,999 Pages SPLTOOL Print Range (PRTRNG) Function Updated to Handle Spooled Files up to 999,999,999 Pages
Posted by December 14, 2019
BVSTools >> BVSTools Announcements >> Spooled File Tools (SPLTOOL) Specific Announcements
GreenTools for Microsoft Apps (G4MS) Updated to v6.00 - Now Uses Microsoft Graph APIs GreenTools for Microsoft Apps (G4MS) Updated to v6.00 - Now Uses Microsoft Graph APIs
Posted by November 24, 2019
BVSTools >> BVSTools Announcements >> GreenTools for Microsoft Apps (G4MS) Specific Announcements
V7R4 Changes CCSID of Compressed File Using PASE JAR Command - Here's The Fix V7R4 Changes CCSID of Compressed File Using PASE JAR Command - Here's The Fix
Posted by November 21, 2019
IBM Power Systems >> (QGPL) IBM i
Using GETURI to Make OAuth 2.0 Requests - Custom Headers for Access Tokens Using GETURI to Make OAuth 2.0 Requests - Custom Headers for Access Tokens
Posted by November 11, 2019
BVSTools >> BVSTools Software Discussion >> Get URI (GETURI) Specific Discussion
GreenTools for Microsoft Apps (G4MS) v5.00 Released with Updated OneDrive Support and 3rd Party Functionality GreenTools for Microsoft Apps (G4MS) v5.00 Released with Updated OneDrive Support and 3rd Party Functionality
Posted by October 20, 2019
BVSTools >> BVSTools Announcements >> GreenTools for Microsoft Apps (G4MS) Specific Announcements
BVSTools is Now Running V7R4M0 BVSTools is Now Running V7R4M0
Posted by September 28, 2019
BVSTools >> BVSTools Announcements

Reply




Copyright 1983-2020 BVSTools
GreenBoard(v3) Powered by the eRPG SDK, MAILTOOL Plus!, GreenTools for Google Apps, jQuery, jQuery UI, BlockUI, CKEditor and running on the IBM i (AKA AS/400, iSeries, System i).