Re: HTTPS connections -- MIDRANGE-L

The issue is not that we don't trust them. I can connect from my PC, but
could not from the IBM i.

The sys admin had me send them our certificate which they imported into
their system and now we can connect. Their concern though is when our
certificate expires the connection will be broken again. So they would
like us to not present a certificate when making the web service call.
Which Scott seems to be saying is normal.

So the question is, how do we not use a cert when we make the web service
call? Or maybe the question is why are we presenting a cert when we are
the client if the default behavior is not to? Is it the way the sys
admin has something set up? If it is, I'm sure they will be reluctant to
change it in fear that it would affect something else. Is there a way we
can force it not to present a cert using HTTPAPI?

Based on the debug logs of other web service calls we do, it looks like we
are always presenting a cert. I'm guessing most servers are just ignoring
it. But for this connection, they have said if a cert is used, they will
validate it. I guess we have just gotten lucky all these years.

On Fri, Jun 25, 2021 at 3:36 PM Christopher Bipes <
chris.bipes@xxxxxxxxxxxxxxx> wrote:

Rick what Scott is saying is 99% the reason you cannot connect to someone
via HTTPS, you just don't trust their issuing (root) certificate chain.

When looking at certificates, you have the one used to identify the web
site, the one that generate that certificate and sometimes another one that
signed the signing certificate
Root => Intermediate=> identifying

Use your desktop browser to go to the web site and then click on the lock
(I am using chrome in this example) and select the certificate path tab.
You will need the top level certificate in your certificate store and all
the intermediate certificates. The bottom level certificate that
identifies the URL is not required. Again start importing from the top
level and work your way down. I have seen as many as 4 levels.

Chris Bipes
Director of Information Services
CrossCheck, Inc.
-----Original Message-----
From: MIDRANGE-L <midrange-l-bounces@xxxxxxxxxxxxxxxxxx> On Behalf Of
Scott Klement
Sent: Friday, June 25, 2021 12:54 PM
To: midrange-l@xxxxxxxxxxxxxxxxxx
Subject: Re: HTTPS connections

Hi Rick,

What you are describing is actually the default behavior. HTTPAPI does not
send a certificate unless you set up an application identifier in the
digital certificate manager, and then configure that app id for a client
certificate.

The use of clients-side certificates is unusual.

Please be sure you are not confusing client-side certificates with CA
certificates. :-) If you are thinking that they are required, it is more
likely that you are thinking of CA certificates.

-SK

--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list
To post a message email: MIDRANGE-L@xxxxxxxxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: https://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxxxxxxxx
Before posting, please take a moment to review the archives
at https://archive.midrange.com/midrange-l.

Please contact support@xxxxxxxxxxxxxxxxxxxx for any subscription related
questions.

Help support midrange.com by shopping at amazon.com with our affiliate
link: https://amazon.midrange.com