bvstone

IBM i (AS/400) and the Wonderful World that is Secure Sockets Layer (SSL) - A Rant


I have created many applications that use TCP/IP communications (mainly client side), which means implementing SSL or TLS is inevitable.

Our GETURI and MAILTOOL products use sockets and SSL/TLS very heavily, and in the future I can see them becoming even more popular than they are now simply because the email APIs provided by IBM for the IBM i simply don't work with SSL and/or TLS.  They may in the future, but most likely at a global level (and be a bear to set up), not a global, user, or command level like our software provides.

The Big Problem
But there is a big problem that for some reason still exists even at V7R2.  And that's how Certificates and Certificate Authorities (CAs) that are expired and used in NO WAY by any client application that requires SSL or TLS can cause an application to throw an error: RC(-24) SSL_ERROR_CERT_EXPIRED.

I posted this question on the MIDRANGE-L mailing list but got no replies or suggestions.

This makes absolutely ZERO sense.

If the client application was using a client side SSL certificate and that certificate was expired then yes, I could see this error occurring.  

If the client application was communicating with a server for which the CA(s) installed on the system (allowing us to "trust" the server's SSL Certificate) were expired then yes, I could see this happening.  But only if the CA was associated with the server's SSL Certificate in some way.

Because this issue normally shuts down production, it's one of those "Get it fixed fast, now, and I don't care how!" moments.  Which means, once it's fixed, we wash our hands of the problem and don't report it to IBM.

The "Fix"
I probably assist at least one customer a week with this issue.  

First I have to explain to them the problem, and that it's not related to our software.  It's an IBM issue.  Then you must explain that somewhere on their system is an SSL Certificate or CA that is expired and they need to delete it from their system.  Not "turn it off" (which you can't do anyhow)... but delete it.  And only because of most likely one small error in an "if" statement in some code buried deep in the IBM SSL application code.

Watching them (via desktop sharing) as they second and third guess themselves as they go to delete Certificates or CAs that are expired shows me that SSL and TLS are still very misunderstood...  even by the Digital Certificate Manager (DCM) and the IBM SSL APIs.

 


Last edited 07/27/2015 at 12:50:30
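
Since the fix described above is to find and delete whatever expired Certificate or CA is sitting in the store, it helps to inventory those entries before they stop production. The script below is an added example, not code from the original post or from IBM. It assumes the store's certificates and CAs have been exported to a single PEM file (the file name is hypothetical) and that the OpenSSL command-line tool is available. It goes slightly beyond the post by also flagging entries that will expire within a chosen window.

```shell
#!/bin/sh
# Added example (not from the original post). Lists every certificate in a PEM
# bundle that is expired or will expire within a given number of seconds.
# Assumption: the store's certificates and CAs were exported to one PEM file.

# list_expiring BUNDLE [WINDOW_SECONDS]
# Prints "notAfter=<date><TAB>subject=<name>" for each flagged certificate.
# Exit status: 0 = nothing flagged, 1 = at least one flagged, 2 = setup error.
list_expiring() (
  bundle=$1
  window=${2:-0}            # 0 means "already expired"
  [ -r "$bundle" ] || { echo "cannot read $bundle" >&2; exit 2; }
  tmp=$(mktemp -d) || exit 2

  # Split the bundle into one file per certificate; text between blocks is skipped.
  awk -v dir="$tmp" '
    /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert%04d.pem", dir, n) }
    out != ""                     { print > out }
    /-----END CERTIFICATE-----/   { if (out != "") close(out); out = "" }
  ' "$bundle"

  hits=0
  for f in "$tmp"/cert*.pem; do
    [ -e "$f" ] || continue
    # -checkend exits non-zero when notAfter falls inside the window.
    if ! openssl x509 -in "$f" -noout -checkend "$window" >/dev/null 2>&1; then
      end=$(openssl x509 -in "$f" -noout -enddate 2>/dev/null)
      subj=$(openssl x509 -in "$f" -noout -subject 2>/dev/null)
      printf '%s\t%s\n' "${end:-notAfter=unreadable}" "${subj:-subject=unreadable}"
      hits=$((hits + 1))
    fi
  done
  rm -rf "$tmp"
  [ "$hits" -eq 0 ]
)

# Run directly: sh list_expiring.sh exported-store.pem 2592000   (30-day window)
if [ "$#" -gt 0 ]; then
  list_expiring "$@"
fi
```

An entry that cannot be parsed is reported as unreadable rather than skipped, so a damaged export does not pass as clean.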


