It really depends on the application and if the programmer chooses to validate the certificates or not.
I have one application that does not validate the certificate chain at all as the trading partner is on MPLS and using a self-signed certificate. (No CA.)
I have another application that requires us to validate the entire chain. (Trading partner's requirement.)
So I have coded my programs accordingly. For instance if you are using the HTTP API from Scott Klement you can use the HTTPS_STRICT API.
From the example on how to use the https_strict API.
callp https_strict(*ON);
(By default, HTTPAPI instructs i5/OS to ignore any SSL errors related to untrusted root certs, or expired certificates, as long as they contain enough information to enable encryption.
The https_strict() API can turn "strict checking" on or off.
When on, i5/OS will only allow root certificates that are registered as "trusted" in the DCM. It will also only allow certificates that are not expired.)
Chris Bipes
Director of Information Services
CrossCheck, Inc.
-----Original Message-----
From: MIDRANGE-L [mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of Bradley Stone
Sent: Wednesday, December 14, 2016 9:06 AM
To: Midrange Systems Technical Discussion <midrange-l@xxxxxxxxxxxx>
Subject: Re: Anyone Familiar with How Server Farms and SSL Certificates Work?
No to mention how SSL works on the i is anything but consistent (at least
from the client perspective).
Older OS versions used to require every CA in the chain to be loaded. But
I've run into cases on V7R3 where only the top most CA needs to be loaded,
and not any others in the chain. I still load them all either way in case
that's a "bug" and suddenly does start requiring them all.
Also, when a certificate or CA expires, it sometimes causes all SSL
processing to error out, even if the cert or CA has nothing to do with the
application you're using.
midrange.com
