bvstone

IBM i (AS/400) and the Wonderful World that is Secure Sockets Layer (SSL) - A Rant

Posted:

IBM i (AS/400) and the Wonderful World that is Secure Sockets Layer (SSL) - A Rant

Having created many applications that use TCPIP communications (mainly client side) that means implementing SSL or TLS is inevitable.  

Our GETURI and MAILTOOL products use sockets and SSL/TLS very heavily, and in the future I can see them being becoming even more popular than they are now simply because the email APIs provided by IBM for the IBM i simply don't work with SSL and/or TLS.  They may in the future, but most likely at a global level (and be a bear to set up), not a global, user, or command level like our software provides.

The Big Problem
But, there is a big problem that for some reason still exists even at V7R2.  And that's how Certificates and Certificate Authorities (CAs) that are expired and used in NO WAY by any client application that requires SSL or TLS can cause an application to throw an error.  RC(-24) SSL_ERROR_CERT_EXPIRED.

I posted this question on the MIdrange-L mailing list but got no replies or suggestions.

This makes absolutely ZERO sense.

If the client application was using a client side SSL certificate and that certificate was expired then yes, I could see this error occurring.  

If the client application was communicating with a server in which the CA(s) installed on the system (allowing us to "trust" the server's SSL Certificate) was expired then yes, I could see this happening.  But only if the CA was associated with the server's SSL Certificate in some way.

Because this issue normally shuts down production, it's one of those "Get it fixed fast, now, and I don't care how!" moments.  Which means, once it's fixed, we wash our hands of the problem and don't report it to IBM.

The "Fix"
I probably assist at least one customer a week with this issue.  

First I have to explain to them the problem, and that it's not related to our software.  It's an IBM issue.  Then you must explain that somewhere on their system is an SSL Certificate or CA that is expired and they need to delete it from their system.  Not "turn it off" (which you can't do anyhow)... but delete it.  And only because of most likely one small error in an "if" statement in some code buried deep in the IBM SSL application code.

Watching them (via desktop sharing) as they second and third guess themselves as they go to delete Certificates or CAs that are expired shows me that SSL and TLS are still very misunderstood...  even by the Digital Certificate Manager (DCM) and the IBM SSL APIs.

 


Last edited 07/27/2015 at 12:50:30



Latest Posts:

GreenTools For G Suite (G4G) v12.00 Released With Base OAuth 2.0 Functionality GreenTools For G Suite (G4G) v12.00 Released With Base OAuth 2.0 Functionality
Posted by July 28, 2019
BVSTools >> BVSTools Announcements >> GreenTools for G Suite (Google Apps) (G4G) Specific Announcements
BVSTools Small Price Increase in 2020 BVSTools Small Price Increase in 2020
Posted by July 26, 2019
BVSTools >> BVSTools Announcements
GreenTools for Vertex Cloud (VTXCLOUD) Now Available GreenTools for Vertex Cloud (VTXCLOUD) Now Available
Posted by July 22, 2019
BVSTools >> BVSTools Announcements >> GreenTools for Vertex Cloud (VTXCLOUD) Specific Announcements
GreenTools for Google Apps (G4G) - Drive Addon Successfully Verified by Google GreenTools for Google Apps (G4G) - Drive Addon Successfully Verified by Google
Posted by July 22, 2019
BVSTools >> BVSTools Announcements >> GreenTools for G Suite (Google Apps) (G4G) Specific Announcements
Why I Cancelled my DynDNS Service and How I Replaced It with an IBM i Application Why I Cancelled my DynDNS Service and How I Replaced It with an IBM i Application
Posted by July 17, 2019
IBM Power Systems >> (QGPL) IBM i
Green Tools for G Suite (G4G) Product Updates (Licensing, Functionality, Base Product) Green Tools for G Suite (G4G) Product Updates (Licensing, Functionality, Base Product)
Posted by July 13, 2019
BVSTools >> BVSTools Announcements >> GreenTools for G Suite (Google Apps) (G4G) Specific Announcements
Reading JSON Data from Standard Input With YAJL and RPG Reading JSON Data from Standard Input With YAJL and RPG
Posted by July 12, 2019
Programming >> Proof of Concept (POC)
MAILTOOL Updated to Allow Use of IBM Global Security Kit (GSKIT) for SSL/TLS Communications MAILTOOL Updated to Allow Use of IBM Global Security Kit (GSKIT) for SSL/TLS Communications
Posted by June 19, 2019
BVSTools >> BVSTools Announcements >> eMail Tool (MAILTOOL) Specific Announcements
GETURI v10.00 Released Supporting IBM Global Security Kit (GSKIT) and Server Name Indication (SNI) GETURI v10.00 Released Supporting IBM Global Security Kit (GSKIT) and Server Name Indication (SNI)
Posted by June 11, 2019
BVSTools >> BVSTools Announcements >> Get URI (GETURI) Specific Announcements
BVSTools Now Offers Vertex Cloud Interface BVSTools Now Offers Vertex Cloud Interface
Posted by April 15, 2019
BVSTools >> BVSTools Announcements
Token Has an Invalid Signature Error for Office 365 Email Token Has an Invalid Signature Error for Office 365 Email
Posted by March 22, 2019
BVSTools >> BVSTools Software Discussion >> GreenTools for Microsoft Apps (G4MS) Specific Discussion
Resending Emails that have Errored Out with Updated Router or Authentication Information Resending Emails that have Errored Out with Updated Router or Authentication Information
Posted by March 1, 2019
BVSTools >> BVSTools Software Discussion >> Email Tools (MAILTOOL) Specific Discussion
BVSTools Offers Toolset to Work With HubSpot OAuth 2.0 APIs On Your IBM i BVSTools Offers Toolset to Work With HubSpot OAuth 2.0 APIs On Your IBM i
Posted by January 27, 2019
BVSTools >> BVSTools Announcements
G4MSDRV Currently Not Supported G4MSDRV Currently Not Supported
Posted by January 17, 2019
BVSTools >> BVSTools Announcements >> GreenTools for Microsoft Apps (G4MS) Specific Announcements
Removing Trailing Carriage Returns and/or Line Feeds from a String with RPG Removing Trailing Carriage Returns and/or Line Feeds from a String with RPG
Posted by December 26, 2018
Programming >> RPG Programming

Reply




Copyright 1983-2019 BVSTools
GreenBoard(v3) Powered by the eRPG SDK, MAILTOOL Plus!, GreenTools for Google Apps, jQuery, jQuery UI, BlockUI, CKEditor and running on the IBM i (AKA AS/400, iSeries, System i).