


Excellent - problem 1 solved

Problem 2 (another client) -
Entered openssl s_client -showcerts -connect nnn.nnn.nnn.nnn:21
and received:
"Loading 'screen' into random state - done
CONNECTED(0000078C)
2260:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:.\ssl\s23_clnt.c:567:"

Unknown protocol appears to indicate that this site is not using SSL but
they insist that they are. The connection port is 21 - could they be doing
something behind their firewall that would cause this result? (NAT, maybe?)

Thanks,

Steve


"Scott Klement" <midrange-l@xxxxxxxxxxxxxxxx> wrote in message
news:mailman.3488.1176915651.2544.midrange-l@xxxxxxxxxxxxxxx
Hi Steve,

I'm sorry, I missed the beginning of this thread. It sounds like you're
having a problem that the i5/OS SSL engine is not trusting someone's
certificate? I.e. you're getting an error like "certificate not trusted"
or "the issuer is not in the certificate store" or something like that?

I like to use the OpenSSL tools to troubleshoot problems like this. I
don't know if you have OpenSSL installed somewhere, but if not, I've stuck
a Windows version of the program you need on my web server:

http://www.scottklement.com/tools/openssl.exe

Download that exe to a folder on your PC, then open up a command prompt
(MS-DOS Window) and run the program like this:

openssl s_client -showcerts -connect ftp.example.com:990

(the 990 in the preceding example is the port number. If you're using a
different port number, supply that instead.)

The openssl tool will attempt to connect and establish an SSL connection.
It will print various diagnostics, including the server's certificate and
the issuer's certificate. (server certificate first, then issuer). When
you're done, press Ctrl-C to exit the tool.

The issuer's certificate can be copy/pasted into a file in the IFS, and
then installed into the digital certificate manager. This is an easy way
to find out who the issuer is, and make sure you have the correct
issuer certificate.

Make sure you install it as a CA (Certificate Authority) certificate.
After you've installed it, use the Verify option in the i5/OS digital
certificate manager to make sure it's valid, and then go to the "manage
applications" section and make sure that the FTP client trusts the
certificate.

You do not need (or want) to install the actual server certificate --
just the issuer (i.e., certificate authority). The server's certificate
is automatically sent to you when you connect. It's the issuer that's
important, since the SSL engine needs to verify that the server
certificate is valid, and it does that by verifying that it matches the
issuer.

Hope that helps.


Steve McKay wrote:
How can I determine 'who' is the signer of the certificate?

BTW - The certificate that I was sent (from WS-FTP Server) is
identical to the certificate that I exported from my copy of WS-FTP
Pro
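
Added example, not part of the original thread: a Python sketch that splits saved `openssl s_client -showcerts` output into its chain entries so the issuer (CA) certificate can be written to a file for import, instead of copy/pasting it by hand. The sample output, its names and the placeholder base64 bodies are constructed, and the function names and output file names are assumptions made for this example.

```python
import re

# Constructed sample of `openssl s_client -showcerts` output. Names are made
# up and the base64 bodies are placeholders, not real certificates.
SAMPLE = """\
CONNECTED(00000003)
---
Certificate chain
 0 s:/C=US/O=Example Corp/CN=ftp.example.com
   i:/C=US/O=Example CA/CN=Example Issuing CA
-----BEGIN CERTIFICATE-----
UExBQ0VIT0xERVItU0VSVkVS
-----END CERTIFICATE-----
 1 s:/C=US/O=Example CA/CN=Example Issuing CA
   i:/C=US/O=Example CA/CN=Example Issuing CA
-----BEGIN CERTIFICATE-----
UExBQ0VIT0xERVItSVNTVUVS
-----END CERTIFICATE-----
---
"""

# One chain entry: "<depth> s:<subject>", "i:<issuer>", optional extra
# "x:..." annotation lines, then the PEM block.
ENTRY = re.compile(
    r"^ *(\d+) s:([^\n]*)\n *i:([^\n]*)\n(?: +\w:[^\n]*\n)*"
    r"(-----BEGIN CERTIFICATE-----\n.*?-----END CERTIFICATE-----)",
    re.M | re.S)

def parse_chain(text):
    """Split s_client output into dicts: depth, subject, issuer, pem."""
    text = text.replace("\r\n", "\n")  # output captured on Windows
    return [{"depth": int(d), "subject": s.strip(), "issuer": i.strip(),
             "pem": pem + "\n"} for d, s, i, pem in ENTRY.findall(text)]

def issuer_certs(chain):
    """Depth 0 is the server; everything above it is a CA certificate."""
    return [c for c in chain if c["depth"] > 0]

def missing_issuer(chain):
    """Issuer name the server did not send a certificate for, or None."""
    subjects = {c["subject"] for c in chain}
    top = max(chain, key=lambda c: c["depth"], default=None)
    return top["issuer"] if top and top["issuer"] not in subjects else None

if __name__ == "__main__":
    for ca in issuer_certs(parse_chain(SAMPLE)):
        with open("issuer%d.pem" % ca["depth"], "w") as out:
            out.write(ca["pem"])  # copy this file to the IFS for DCM import
        print("wrote issuer%d.pem for %s" % (ca["depth"], ca["subject"]))
```

An empty result from `parse_chain` means no certificates were printed at all, which is what a failed handshake such as the "unknown protocol" output quoted above produces. A non-None result from `missing_issuer` names the CA whose certificate has to be obtained from another source because the server did not send it.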






This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].
