• Subject: Re: HTTPS on an iSeries Server?
  • From: Sean Porterfield <sporter@xxxxxxxxxxxx>
  • Date: Tue, 23 Jan 2001 11:25:56 -0500
  • Organization: Best Distributing Co.

MEovino@ESTES-EXPRESS.COM wrote:
> 
> Sean (and anyone else who wants to answer),
> 
> Thanks for this wonderful reference.  I've been lurking on this thread and
> waiting for someone to come through with something like this.  Since I'm
> guessing you've done this before, I have a couple of questions.
> 
> In item 18 of the "Generate an Encryption Key and Customer Request Form"
> section
> (http://www.as400.ibm.com/tstudio/secure1/server/http/v4r4/chooseca.htm):
> Do they want you to use your machine name or what you have in your DNS so
> you can be found?

You want www.estes-express.com there.  The name on the certificate needs
to match the DNS name.

> And will authentication fail if someone tries to use just "estes-express.com"?

No, it will not fail.  The client will get a warning that the
certificate name does not match the server name.  They then get the
choice to continue or not.  I believe Verisign sells certificates that
work at the domain name level with any host.

> In item 8 of the "Enable SSL" section
> (http://www.as400.ibm.com/tstudio/secure1/server/http/v4r4/conform2.htm):
> Which option do I want to use if all I want is to make sure that data
> transmitted back and forth from the user's browser to my server is
> encrypted (for now this is all I need - may change in the future)?  Looks
> like it's "None" but I just want to make sure.

None would be correct.  This is asking for a client certificate which is
only necessary if you want to authenticate the user instead of just
encrypting the connection.

> Also, if in the future I
> want to require a successful handshake to get a certain URL, can I have an
> environment where for some URL's client authentication is "None" and some
> it's "Required"?  How would I do this?

I'm sure you can, but I haven't done it.

> If I have separate test and production servers on separate boxes, do I need
> to get two certificates, or can I use the same one on both boxes?

If the test box is for your use and not for the public, it's possible. I
think you need the server key as well as the certificate.  I haven't
tried it....

> Are any of you guys using encryption higher than 40 bit?  I keep a copy of
> 128 bit Netscape on my machine, but the only site I visit that uses it is
> my broker's.  I'm a little leery of using anything higher than 40 bit, as
> most PC's ship with 40 bit IE, and users are generally not very happy when
> you make them do things like upgrade their browsers.

I love 128 bit encryption.  The more the merrier!  In general, a client
will use a key as long as it supports.  128 bit just means the server
ALLOWS up to 128 bit.  It should still accept the first 40 from a client
that doesn't support more (although I think the new standard has changed
to 56 from 40.)  IMHO, no-one should do any e-commerce or banking (as a
customer) with less than 128 bit encryption.
+---
| This is the Midrange System Mailing List!
| To submit a new message, send your mail to MIDRANGE-L@midrange.com.
| To subscribe to this list send email to MIDRANGE-L-SUB@midrange.com.
| To unsubscribe from this list send email to MIDRANGE-L-UNSUB@midrange.com.
| Questions should be directed to the list owner/operator: david@midrange.com
+---
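The name check behind the answers about item 18 and the bare "estes-express.com" question, as an added example that is not part of the original message. It goes slightly beyond the thread by also covering a wildcard certificate and a certificate listing several names; the function names are hypothetical, the certificate name lists are constructed, and the strict wildcard rule (whole left-most label only) is an assumption about how the client matches.

```python
# Added example: certificate-name matching as a TLS client performs it.
# All certificate name lists below are constructed sample data.

def _labels(name):
    # DNS names compare case-insensitively; drop a trailing root dot.
    return name.rstrip(".").lower().split(".")

def name_matches(pattern, hostname):
    """True if one certificate name (pattern) covers hostname.

    A wildcard counts only as the whole left-most label and stands for
    exactly one label.
    """
    p, h = _labels(pattern), _labels(hostname)
    if len(p) != len(h) or "" in p or "" in h:
        return False
    if any("*" in label for label in p[1:]):
        return False              # wildcard outside the left-most label
    if p[0] == "*":
        return len(p) >= 3 and p[1:] == h[1:]   # refuse "*.com"
    if "*" in p[0]:
        return False              # partial wildcard such as "w*"
    return p == h

def check_host(cert_names, hostname):
    """Names on the certificate that cover hostname; empty means a warning."""
    return [n for n in cert_names if name_matches(n, hostname)]

def report(cert_names, hosts):
    """(host, verdict) pairs for a certificate and the URLs users might type."""
    return [(h, "ok" if check_host(cert_names, h) else "name mismatch")
            for h in hosts]

if __name__ == "__main__":
    hosts = ["www.estes-express.com", "estes-express.com"]
    sample_certs = {
        "single host": ["www.estes-express.com"],
        "wildcard": ["*.estes-express.com"],
        "both names listed": ["www.estes-express.com", "estes-express.com"],
    }
    for label, names in sample_certs.items():
        print(label, report(names, hosts))
```

Under this rule a wildcard for the domain still leaves the bare domain name uncovered unless that name is listed on the certificate as well.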

This mailing list archive is Copyright 1997-2022 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].