Re: Using TLS1.2 with IBMi custom agent software

Hmmm...

A quick glance at the source for HTTPAPI and I don't see that it requires a
non-blank METHOD (in http_req()).

Not sure it'd work, but maybe...

Charles



On Wed, Nov 26, 2025 at 2:44 PM Brad Stone <bvstone@xxxxxxxxx> wrote:

GETURI isn't HTTP only. It's mainly used for that, yes, but it can be used
for other TCPIP communications. I think one time I even set it up to do
FTP.

It asks whether you want to close the connection... So, technically, you
could perform a sequence of operations over the same connection... I
haven't fully tested it lately, but in the past it was used for that type
of thing.

And you can build headers totally custom, or use no headers at all and just
send a payload.



On Wed, Nov 26, 2025 at 3:23 PM Charles Wilt <charles.wilt@xxxxxxxxx>
wrote:

I would assume that since your client is using sockets directly...it's
using some custom protocol..

If that's the case, then HTTPAPI or GETURI aren't really an option unless
the server is re-writen to use standard HTTP as a protocol.

On the other hand, it's possible that the client/server is actually using
HTTP, if that case you could simply re-write the client to use HTTPAPI or
GETURL.
Would be a bit strange for this to be the case, as HTTPAPI or GETURI

would

have made this much easier from the get go.
Unless the client/server app pre-dates those two tool sets.

HTH,
Charles




On Wed, Nov 26, 2025 at 2:07 PM <smith5646midrange@xxxxxxxxx> wrote:

By rewriting the server, I meant if they wanted to change the IBMi

client

to do HTTPAPI or GETURI. I assumed that I couldn't use HTTPAPI or

GETURI

on the IBMi client while the server is still trying to communicate the
current way...or was that a bad assumption?

-----Original Message-----
From: MIDRANGE-L <midrange-l-bounces@xxxxxxxxxxxxxxxxxx> On Behalf Of
Brad Stone
Sent: Wednesday, November 26, 2025 2:35 PM
To: Midrange Systems Technical Discussion <

midrange-l@xxxxxxxxxxxxxxxxxx

Subject: Re: Using TLS1.2 with IBMi custom agent software

No, the server has nothing to do with the client on your IBM i. You

said

the server runs on a Windows system. They would have their own changes

to

make if they don't already allow SSL/TLS.

Yes, those are the basic socket APIs in your client application.

There's

a whole other set and some other functions to use GSKit for TLS.

https://www.ibm.com/docs/en/i/7.4.0?topic=sockets-global-security-kit-gskit-apis

You can also go deeper with the GSKit APIs and catch and ignore errors

if

the CA that signs the server's certificate if it's not in the *SYSTEM

store

on the IBM i (which is built into GETURI and I think HTTPAPI as well).

On Wed, Nov 26, 2025 at 1:13 PM <smith5646midrange@xxxxxxxxx> wrote:

To rewrite the client to use HTTPAPI or GETURI, I'm assuming they
would need to rewrite the server (is that a valid assumption?) which
I'm sure they will not do because it communicates with other clients
that would also have to be rewritten.

The current logic is using procedures like

opnskt pr 10i 0 extproc('socket')
bind pr 10i 0 extproc('bind')
connect pr 10i 0 extproc('connect')
listen pr 10i 0 extproc('listen')
accept pr 10i 0 extproc('accept')
send pr 10i 0 extproc('send')

Since it is currently using the above procedures, is changing it to
use
TLS1.2 via the IBMi APIs going to be really painful and time

consuming

(and thus expensive) and I should try to talk them out of it?

-----Original Message-----
From: MIDRANGE-L <midrange-l-bounces@xxxxxxxxxxxxxxxxxx> On Behalf

Of

Brad Stone
Sent: Wednesday, November 26, 2025 1:28 PM
To: Midrange Systems Technical Discussion
<midrange-l@xxxxxxxxxxxxxxxxxx>
Subject: Re: Using TLS1.2 with IBMi custom agent software

Yes. Your client application needs to use socket APIs for any
communication. It does already, correct? If not, how is it
communicating? HTTPAPI? GETURI? SQL? Something else?

If SSL is required, then you need to use the SSL versions of those
socket APIs instead of the basic ones... and yes, the GSKit APIs..
IBM has basically said they aren't updating the older SSL APIs any

more.

It would probably be easier to rewrite the client app to use HTTPAPI
or GETURI as it's a little complicated.

On Wed, Nov 26, 2025 at 12:20 PM <smith5646midrange@xxxxxxxxx>

wrote:

They are currently not using any encryption at all. It is clear
text only. They want to add TLS1.2 encryption.

You said "The SSL APIs used in the agent should handle all that".
Since there are currently no SSL APIs in the program, it sounds

like

the piece that I have been missing in my search is that I need to
add some SSL API logic to the program. Is that a correct

deduction?

I never thought about the TLS logic being API stuff (duh).
Searching for "IBMi TLS API", I see stuff about GSKit. Is that the
direction that I need to go for TLS1.2?


-----Original Message-----
From: MIDRANGE-L <midrange-l-bounces@xxxxxxxxxxxxxxxxxx> On Behalf
Of Brad Stone
Sent: Wednesday, November 26, 2025 12:59 PM
To: Midrange Systems Technical Discussion
<midrange-l@xxxxxxxxxxxxxxxxxx>
Subject: Re: Using TLS1.2 with IBMi custom agent software

So you're not using TLS if there's no encryption. If you're saying
they are wanting to use TLS, my answer still stands.

On Wed, Nov 26, 2025 at 11:17 AM <smith5646midrange@xxxxxxxxx>

wrote:

Wow, I missed a key piece of info in that. Currently there is no
encryption. They are talking clear text.

-----Original Message-----
From: MIDRANGE-L <midrange-l-bounces@xxxxxxxxxxxxxxxxxx> On

Behalf

Of Brad Stone
Sent: Wednesday, November 26, 2025 12:15 PM
To: Midrange Systems Technical Discussion
<midrange-l@xxxxxxxxxxxxxxxxxx>
Subject: Re: Using TLS1.2 with IBMi custom agent software

The SSL APIs used in the agent should handle all that. If you
have TLS set up properly and your QSSL* system values set up

right

and are on V7R3 or above, the only thing you may need to do is
import the CA chain used by the certificate on the server.

On Wed, Nov 26, 2025 at 11:10 AM <smith5646midrange@xxxxxxxxx>

wrote:

I have a client that has a custom server / agent software

package.

The server runs on windows. The agent runs on the IBMi and

some

other platforms. They want to add TLS1.2 protocol to the
communication and I have to do the IBMi side. I'm apparently
not googling with the right keywords because I'm not finding

any

details on how to implement it. Are there code changes that
need to be made? It is just a different port and the

encryption

/ decryption

automatically happens?

I'm lost. Can someone point me in the right direction for what
changes have to be made to the IBMi agent for TLS1.2? I'll

take

web links, keywords for google searches, of anything else that
get me heading in the right direction. I am open to doing a
teams meeting if that would be easier. Just send me an offline
request with times that you are available.



Thanks in advance.

--
This is the Midrange Systems Technical Discussion (MIDRANGE-L)
mailing list To post a message email:
MIDRANGE-L@xxxxxxxxxxxxxxxxxx To subscribe, unsubscribe, or
change list options,
visit: https://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxxxxxxxx
Before posting, please take a moment to review the archives at
https://archive.midrange.com/midrange-l.

Please contact support@xxxxxxxxxxxxxxxxxxxx for any

subscription

related questions.

--
This is the Midrange Systems Technical Discussion (MIDRANGE-L)
mailing list To post a message email:
MIDRANGE-L@xxxxxxxxxxxxxxxxxx To subscribe, unsubscribe, or

change

list options,
visit: https://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxxxxxxxx
Before posting, please take a moment to review the archives at
https://archive.midrange.com/midrange-l.

Please contact support@xxxxxxxxxxxxxxxxxxxx for any subscription
related questions.


--
This is the Midrange Systems Technical Discussion (MIDRANGE-L)
mailing list To post a message email:
MIDRANGE-L@xxxxxxxxxxxxxxxxxx To subscribe, unsubscribe, or

change

list options,
visit: https://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxxxxxxxx
Before posting, please take a moment to review the archives at
https://archive.midrange.com/midrange-l.

Please contact support@xxxxxxxxxxxxxxxxxxxx for any subscription
related questions.

--
This is the Midrange Systems Technical Discussion (MIDRANGE-L)
mailing list To post a message email:

MIDRANGE-L@xxxxxxxxxxxxxxxxxx

To subscribe, unsubscribe, or change list options,
visit: https://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxxxxxxxx
Before posting, please take a moment to review the archives at
https://archive.midrange.com/midrange-l.

Please contact support@xxxxxxxxxxxxxxxxxxxx for any subscription
related questions.


--
This is the Midrange Systems Technical Discussion (MIDRANGE-L)
mailing list To post a message email:

MIDRANGE-L@xxxxxxxxxxxxxxxxxx

To subscribe, unsubscribe, or change list options,
visit: https://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxxxxxxxx
Before posting, please take a moment to review the archives at
https://archive.midrange.com/midrange-l.

Please contact support@xxxxxxxxxxxxxxxxxxxx for any subscription
related questions.

--
This is the Midrange Systems Technical Discussion (MIDRANGE-L)

mailing

list To post a message email: MIDRANGE-L@xxxxxxxxxxxxxxxxxx To
subscribe, unsubscribe, or change list options,
visit: https://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxxxxxxxx
Before posting, please take a moment to review the archives at
https://archive.midrange.com/midrange-l.

Please contact support@xxxxxxxxxxxxxxxxxxxx for any subscription
related questions.


--
This is the Midrange Systems Technical Discussion (MIDRANGE-L)

mailing

list To post a message email: MIDRANGE-L@xxxxxxxxxxxxxxxxxx To
subscribe, unsubscribe, or change list options,
visit: https://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxxxxxxxx
Before posting, please take a moment to review the archives at
https://archive.midrange.com/midrange-l.

Please contact support@xxxxxxxxxxxxxxxxxxxx for any subscription
related questions.

--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing
list To post a message email: MIDRANGE-L@xxxxxxxxxxxxxxxxxx To

subscribe,

unsubscribe, or change list options,
visit: https://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxxxxxxxx
Before posting, please take a moment to review the archives at
https://archive.midrange.com/midrange-l.

Please contact support@xxxxxxxxxxxxxxxxxxxx for any subscription

related

questions.


--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing

list

To post a message email: MIDRANGE-L@xxxxxxxxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: https://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxxxxxxxx
Before posting, please take a moment to review the archives
at https://archive.midrange.com/midrange-l.

Please contact support@xxxxxxxxxxxxxxxxxxxx for any subscription

related

questions.

--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing

list

To post a message email: MIDRANGE-L@xxxxxxxxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: https://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxxxxxxxx
Before posting, please take a moment to review the archives
at https://archive.midrange.com/midrange-l.

Please contact support@xxxxxxxxxxxxxxxxxxxx for any subscription related
questions.

--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list
To post a message email: MIDRANGE-L@xxxxxxxxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: https://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxxxxxxxx
Before posting, please take a moment to review the archives
at https://archive.midrange.com/midrange-l.

Please contact support@xxxxxxxxxxxxxxxxxxxx for any subscription related
questions.