Gotcha. That's the ticket right there. Perhaps we could ask IBM to start including those in PTF updates like Microsoft does?

-----Original Message-----
From: Kevin Bucknum [mailto:Kevin@xxxxxxxxxxxxxxxxxxx]
Sent: Wednesday, December 14, 2016 2:19 PM
To: Midrange Systems Technical Discussion <midrange-l@xxxxxxxxxxxx>
Subject: RE: Anyone Familiar with How Server Farms and SSL Certificates Work?

I think Bradley is talking IBM and you are talking Windows. Windows updates root certs as part of their monthly updates. IBM doesn't. Here is the list of trusted certs in Microsoft as of last month.
https://gallery.technet.microsoft.com/Trusted-Root-Certificate-123665ca.
I have most of the Symantec/Verisign and GoDaddy chains loaded in my DCM. That covers most of the certs I see and I don't have to add certs very often.




Kevin Bucknum
Senior Programmer Analyst
MEDDATA/MEDTRON
Tel: 985-893-2550

-----Original Message-----
From: MIDRANGE-L [mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of Matt Olson
Sent: Wednesday, December 14, 2016 2:09 PM
To: Midrange Systems Technical Discussion
Subject: RE: Anyone Familiar with How Server Farms and SSL Certificates Work?

Interesting, we use a lot of Office 365 services and have not had to import any SSL certificates to get anything to work.

-----Original Message-----
From: Bradley Stone [mailto:bvstone@xxxxxxxxx]
Sent: Wednesday, December 14, 2016 2:07 PM
To: Midrange Systems Technical Discussion <midrange-l@xxxxxxxxxxxx>
Subject: Re: Anyone Familiar with How Server Farms and SSL Certificates Work?

On the contrary, Matt.

Most SSL certs need their CAs imported. This specific example was from Microsoft. I'm sure they have the cash. :)

It's rare that when I import CAs it tells me it's already there.

Brad
www.bvstools.com

On Wed, Dec 14, 2016 at 2:02 PM, Matt Olson <Matt.Olson@xxxxxxxx> wrote:

I guess we always use certificates from verisign / godaddy / rapidssl
and such.

This should only be needed for roll your own ssl certs.

I guess people don't want to shell out the cash for ssl certs.


-----Original Message-----
From: Rob Berendt [mailto:rob@xxxxxxxxx]
Sent: Wednesday, December 14, 2016 1:52 PM
To: Midrange Systems Technical Discussion <midrange-l@xxxxxxxxxxxx>
Subject: RE: Anyone Familiar with How Server Farms and SSL Certificates Work?

Matt,

Have you ever really run a Windows application? I don't know how many
times I've been prompted to approve someone's certificate. Then
there's the way too easy, ignore and don't prompt me again kind of
stuff.


Rob Berendt
--
IBM Certified System Administrator - IBM i 6.1
Group Dekko
Dept 1600
Mail to: 2505 Dekko Drive
Garrett, IN 46738
Ship to: Dock 108
6928N 400E
Kendallville, IN 46755
http://www.dekko.com





From: Matt Olson <Matt.Olson@xxxxxxxx>
To: Midrange Systems Technical Discussion <midrange-l@xxxxxxxxxxxx>
Date: 12/14/2016 02:49 PM
Subject: RE: Anyone Familiar with How Server Farms and SSL Certificates Work?
Sent by: "MIDRANGE-L" <midrange-l-bounces@xxxxxxxxxxxx>

Interesting. I guess I've never had to import certificate
authorities in Windows. Why is it needed on IBM i to communicate with
SSL services?


-----Original Message-----
From: Bradley Stone [mailto:bvstone@xxxxxxxxx]
Sent: Wednesday, December 14, 2016 9:17 AM
To: Midrange Systems Technical Discussion <midrange-l@xxxxxxxxxxxx>
Subject: Re: Anyone Familiar with How Server Farms and SSL Certificates Work?

Matt,

I am not importing certificates. I'm importing the Certificate
Authorities from the SSL certificate presented by the server my client
software (which runs on the IBM i) is connecting to.

This is needed for "trust" of the CA. Otherwise, no connection.

In this case, there were two certificates being presented randomly to
clients causing problems.

Brad
www.bvstools.com

On Wed, Dec 14, 2016 at 9:08 AM, Matt Olson <Matt.Olson@xxxxxxxx> wrote:

Why do you need to import the SSL certificate at all?

When I program against SSL services on the internet I've never had
the need to import anything.

-----Original Message-----
From: Bradley Stone [mailto:bvstone@xxxxxxxxx]
Sent: Wednesday, December 14, 2016 8:56 AM
To: Midrange Systems Technical Discussion <midrange-l@xxxxxxxxxxxx>
Subject: Re: Anyone Familiar with How Server Farms and SSL Certificates Work?

I noticed that the ones I couldn't get ended up being for 1 year
(2016-2017). Maybe with all the SSL changes going on for
compliance, they didn't want to use too long of a period.

Anyhow, here's the article. If you don't hear from me, please
contact Bill Gates. I think he's hobnobbing at Trump Towers. lol

https://goo.gl/3ZUeNz

Brad
www.bvstools.com

On Wed, Dec 14, 2016 at 7:36 AM, Kevin Bucknum <Kevin@xxxxxxxxxxxxxxxxxxx> wrote:

The odd thing to me is that they seem to be using relatively short
term root and intermediate certificates. I can understand having
individual certs at 3 years or less, but they seem to be doing 2
years on their root and intermediate. They are the issuing
organization, and by only issuing certs to themselves from those
root chains, they can control who has them and when they have to
be updated, but it still seems like they are making more work for
themselves than they have to.




Kevin Bucknum
Senior Programmer Analyst
MEDDATA/MEDTRON
Tel: 985-893-2550

-----Original Message-----
From: MIDRANGE-L [mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of Bradley Stone
Sent: Tuesday, December 13, 2016 7:07 PM
To: Midrange Systems Technical Discussion
Subject: Re: Anyone Familiar with How Server Farms and SSL Certificates Work?

No answer from MS or any other support forums on how or why this
is happening, but I was able to put together a pretty neat little
system using DOS batch files, openssl and the IBM i to constantly
log into their servers with openSSL, saving the Cert retrieved
over and over every 5 seconds. I then compared the certs with one
I already had until I found one that was different and was able to
extract the other set of CAs. It took over 2000 hits for it to
finally find the different cert. But I got a few in a row after that.

I'm going to put an article together for it soon just because it
was such a headache. MS... I was always indifferent about them,
never having all these "problems" with Windows like it's hip to
talk about... but this was their cloud services... if they can't help
paying customers, I will seriously never recommend their cloud services
over Google's.

Insert in pipe, and smoke. :) Time for a scotch.

Brad
www.bvstools.com

On Tue, Dec 13, 2016 at 8:55 AM, Bradley Stone <bvstone@xxxxxxxxx> wrote:

I am posting this here so hopefully someone with some experience
can help me possibly understand what Microsoft's servers are doing.

So, randomly their email servers are presenting different SSL
certificates to clients when they connect. If the certificate used is
one that we haven't imported the Certificate Authorities (CAs) for, we
get a not trusted error on the IBM i.

Normally for this type of thing we simply use openSSL to grab
the CAs and import them using DCM. But because it's random, and the
server(s) that are presenting this odd SSL cert we can't purposely connect
to, it's been a whole day of trying to get this rogue SSL
certificate (hopefully it is only one more!)

The same thing is happening with the RESTful API servers. I got lucky
with openSSL on these and was able to get both certificates so that at
least for those using the API are ok for now.

But the smtp server is another story. I haven't been lucky
enough to get the other certificate.

How and why would this be happening? When they install a new SSL cert
does it get replicated to all the servers in the farm? Or is
that done manually and it's possible a couple didn't get updated (at
all... or "yet")?

I've tried contacting MS but so far nothing from them. I just want to
know if what I think is happening is in fact happening.

BTW, if you're on the fence between using Google or Outlook 365
for your corporate email in the future, after dealing with both
for a few years I would pick Google over MS every time. It's
faster and much more stable.
(just a vent there... haha!)

Brad
www.bvstools.com

--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list
To post a message email: MIDRANGE-L@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives
at http://archive.midrange.com/midrange-l.

Please contact support@xxxxxxxxxxxx for any subscription related questions.

Help support midrange.com by shopping at amazon.com with our affiliate
link: http://amzn.to/2dEadiD
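
The polling approach described in the thread (connect repeatedly, keep each certificate retrieved, compare it against the one already held) is sketched here in Python as an added example; it is not the batch-file and openssl setup from the post. The names `fetch_smtp_leaf` and `collect_distinct`, port 587 and the sample byte strings are assumptions of this example, and it records only the leaf certificate, so the CA chain is still extracted with openssl once a new fingerprint shows up.

```python
import hashlib
import smtplib
import ssl
import time

def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate."""
    return hashlib.sha256(der).hexdigest()

def fetch_smtp_leaf(host: str, port: int = 587, timeout: float = 10.0) -> bytes:
    """Return the DER leaf certificate an SMTP server presents after STARTTLS.

    Verification is switched off only so that a certificate the local trust
    store would reject can still be recorded; no mail is sent on this session.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.starttls(context=ctx)
        return smtp.sock.getpeercert(binary_form=True)

def collect_distinct(fetch, known, attempts, delay=5.0, sleep=time.sleep):
    """Call fetch() up to `attempts` times, `delay` seconds apart.

    Returns {fingerprint: (first_attempt_number, der)} for each certificate
    whose fingerprint is not already in `known`.
    """
    found = {}
    for attempt in range(1, attempts + 1):
        try:
            der = fetch()
            fp = fingerprint(der)
            if fp not in known and fp not in found:
                found[fp] = (attempt, der)
        except (OSError, smtplib.SMTPException):
            pass  # a failed connection says nothing about the certificate
        if attempt < attempts:
            sleep(delay)
    return found

# Constructed stand-ins for DER blobs; these are not real certificates.
CERT_A, CERT_B = b"constructed-cert-A", b"constructed-cert-B"

def demo():
    """Simulate a farm where one connection in ten lands on an odd node."""
    farm = iter([CERT_A] * 6 + [CERT_B] + [CERT_A] * 3)
    return collect_distinct(lambda: next(farm), {fingerprint(CERT_A)}, 10,
                            sleep=lambda s: None)

if __name__ == "__main__":
    for fp, (attempt, _) in demo().items():
        print(f"new certificate on attempt {attempt}: sha256={fp}")
```

Against a real server the call would be `collect_distinct(lambda: fetch_smtp_leaf(host), known, attempts)`, with `known` holding the fingerprints of certificates whose CAs are already imported.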
This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].