Re: Using TLS1.2 with IBMi custom agent software

I'm aware GETURI is it's own thing, didn't mean to suggest it was built on
HTTP API.

I was merely wondering if HTTP API might allow for other TCP comms as you
suggested GEURI does.

CHarles

On Wed, Nov 26, 2025 at 3:21 PM Brad Stone <bvstone@xxxxxxxxx> wrote:

Contrary to (probably) popular belief, GETURI doesn't use HTTPAPI. It was
actually written a year or two before. Long story as to why, but lets just
say I saved/made a customer a lot of money on UPS refunds... until UPS
realized what we were doing and didn't allow us to scrape their screens for
late shipments any more..haha.

On Wed, Nov 26, 2025 at 4:08 PM Charles Wilt <charles.wilt@xxxxxxxxx>
wrote:

Hmmm...

A quick glance at the source for HTTPAPI and I don't see that it

requires a

non-blank METHOD (in http_req()).

Not sure it'd work, but maybe...

Charles



On Wed, Nov 26, 2025 at 2:44 PM Brad Stone <bvstone@xxxxxxxxx> wrote:

GETURI isn't HTTP only. It's mainly used for that, yes, but it can be

used

for other TCPIP communications. I think one time I even set it up to

do

FTP.

It asks whether you want to close the connection... So, technically,

you

could perform a sequence of operations over the same connection... I
haven't fully tested it lately, but in the past it was used for that

type

of thing.

And you can build headers totally custom, or use no headers at all and

just

send a payload.



On Wed, Nov 26, 2025 at 3:23 PM Charles Wilt <charles.wilt@xxxxxxxxx>
wrote:

I would assume that since your client is using sockets

directly...it's

using some custom protocol..

If that's the case, then HTTPAPI or GETURI aren't really an option

unless

the server is re-writen to use standard HTTP as a protocol.

On the other hand, it's possible that the client/server is actually

using

HTTP, if that case you could simply re-write the client to use

HTTPAPI

or

GETURL.
Would be a bit strange for this to be the case, as HTTPAPI or GETURI

would

have made this much easier from the get go.
Unless the client/server app pre-dates those two tool sets.

HTH,
Charles




On Wed, Nov 26, 2025 at 2:07 PM <smith5646midrange@xxxxxxxxx> wrote:

By rewriting the server, I meant if they wanted to change the IBMi

client

to do HTTPAPI or GETURI. I assumed that I couldn't use HTTPAPI or

GETURI

on the IBMi client while the server is still trying to communicate

the

current way...or was that a bad assumption?

-----Original Message-----
From: MIDRANGE-L <midrange-l-bounces@xxxxxxxxxxxxxxxxxx> On Behalf

Of

Brad Stone
Sent: Wednesday, November 26, 2025 2:35 PM
To: Midrange Systems Technical Discussion <

midrange-l@xxxxxxxxxxxxxxxxxx

Subject: Re: Using TLS1.2 with IBMi custom agent software

No, the server has nothing to do with the client on your IBM i.

You

said

the server runs on a Windows system. They would have their own

changes

to

make if they don't already allow SSL/TLS.

Yes, those are the basic socket APIs in your client application.

There's

a whole other set and some other functions to use GSKit for TLS.

https://www.ibm.com/docs/en/i/7.4.0?topic=sockets-global-security-kit-gskit-apis

You can also go deeper with the GSKit APIs and catch and ignore

errors

if

the CA that signs the server's certificate if it's not in the

*SYSTEM

store

on the IBM i (which is built into GETURI and I think HTTPAPI as

well).

On Wed, Nov 26, 2025 at 1:13 PM <smith5646midrange@xxxxxxxxx>

wrote:

To rewrite the client to use HTTPAPI or GETURI, I'm assuming they
would need to rewrite the server (is that a valid assumption?)

which

I'm sure they will not do because it communicates with other

clients

that would also have to be rewritten.

The current logic is using procedures like

opnskt pr 10i 0 extproc('socket')
bind pr 10i 0 extproc('bind')
connect pr 10i 0 extproc('connect')
listen pr 10i 0 extproc('listen')
accept pr 10i 0 extproc('accept')
send pr 10i 0 extproc('send')

Since it is currently using the above procedures, is changing it

to

use
TLS1.2 via the IBMi APIs going to be really painful and time

consuming

(and thus expensive) and I should try to talk them out of it?

-----Original Message-----
From: MIDRANGE-L <midrange-l-bounces@xxxxxxxxxxxxxxxxxx> On

Behalf

Of

Brad Stone
Sent: Wednesday, November 26, 2025 1:28 PM
To: Midrange Systems Technical Discussion
<midrange-l@xxxxxxxxxxxxxxxxxx>
Subject: Re: Using TLS1.2 with IBMi custom agent software

Yes. Your client application needs to use socket APIs for any
communication. It does already, correct? If not, how is it
communicating? HTTPAPI? GETURI? SQL? Something else?

If SSL is required, then you need to use the SSL versions of

those

socket APIs instead of the basic ones... and yes, the GSKit

APIs..

IBM has basically said they aren't updating the older SSL APIs

any

more.

It would probably be easier to rewrite the client app to use

HTTPAPI

or GETURI as it's a little complicated.

On Wed, Nov 26, 2025 at 12:20 PM <smith5646midrange@xxxxxxxxx>

wrote:

They are currently not using any encryption at all. It is

clear

text only. They want to add TLS1.2 encryption.

You said "The SSL APIs used in the agent should handle all

that".

Since there are currently no SSL APIs in the program, it sounds

like

the piece that I have been missing in my search is that I need

to

add some SSL API logic to the program. Is that a correct

deduction?

I never thought about the TLS logic being API stuff (duh).
Searching for "IBMi TLS API", I see stuff about GSKit. Is that

the

direction that I need to go for TLS1.2?


-----Original Message-----
From: MIDRANGE-L <midrange-l-bounces@xxxxxxxxxxxxxxxxxx> On

Behalf

Of Brad Stone
Sent: Wednesday, November 26, 2025 12:59 PM
To: Midrange Systems Technical Discussion
<midrange-l@xxxxxxxxxxxxxxxxxx>
Subject: Re: Using TLS1.2 with IBMi custom agent software

So you're not using TLS if there's no encryption. If you're

saying

they are wanting to use TLS, my answer still stands.

On Wed, Nov 26, 2025 at 11:17 AM <smith5646midrange@xxxxxxxxx>

wrote:

Wow, I missed a key piece of info in that. Currently there

is

no

encryption. They are talking clear text.

-----Original Message-----
From: MIDRANGE-L <midrange-l-bounces@xxxxxxxxxxxxxxxxxx> On

Behalf

Of Brad Stone
Sent: Wednesday, November 26, 2025 12:15 PM
To: Midrange Systems Technical Discussion
<midrange-l@xxxxxxxxxxxxxxxxxx>
Subject: Re: Using TLS1.2 with IBMi custom agent software

The SSL APIs used in the agent should handle all that. If

you

have TLS set up properly and your QSSL* system values set up

right

and are on V7R3 or above, the only thing you may need to do

is

import the CA chain used by the certificate on the server.

On Wed, Nov 26, 2025 at 11:10 AM <

smith5646midrange@xxxxxxxxx>

wrote:

I have a client that has a custom server / agent software

package.

The server runs on windows. The agent runs on the IBMi and

some

other platforms. They want to add TLS1.2 protocol to the
communication and I have to do the IBMi side. I'm

apparently

not googling with the right keywords because I'm not

finding

any

details on how to implement it. Are there code changes

that

need to be made? It is just a different port and the

encryption

/ decryption

automatically happens?

I'm lost. Can someone point me in the right direction for

what

changes have to be made to the IBMi agent for TLS1.2? I'll

take

web links, keywords for google searches, of anything else

that

get me heading in the right direction. I am open to doing

a

teams meeting if that would be easier. Just send me an

offline

request with times that you are available.



Thanks in advance.

--
This is the Midrange Systems Technical Discussion

(MIDRANGE-L)

mailing list To post a message email:
MIDRANGE-L@xxxxxxxxxxxxxxxxxx To subscribe, unsubscribe,

or

change list options,
visit:

https://lists.midrange.com/mailman/listinfo/midrange-l

or email: MIDRANGE-L-request@xxxxxxxxxxxxxxxxxx
Before posting, please take a moment to review the archives

at

https://archive.midrange.com/midrange-l.

Please contact support@xxxxxxxxxxxxxxxxxxxx for any

subscription

related questions.

--
This is the Midrange Systems Technical Discussion

(MIDRANGE-L)

mailing list To post a message email:
MIDRANGE-L@xxxxxxxxxxxxxxxxxx To subscribe, unsubscribe, or

change

list options,
visit:

https://lists.midrange.com/mailman/listinfo/midrange-l

or email: MIDRANGE-L-request@xxxxxxxxxxxxxxxxxx
Before posting, please take a moment to review the archives

at

https://archive.midrange.com/midrange-l.

Please contact support@xxxxxxxxxxxxxxxxxxxx for any

subscription

related questions.


--
This is the Midrange Systems Technical Discussion

(MIDRANGE-L)

mailing list To post a message email:
MIDRANGE-L@xxxxxxxxxxxxxxxxxx To subscribe, unsubscribe, or

change

list options,
visit:

https://lists.midrange.com/mailman/listinfo/midrange-l

or email: MIDRANGE-L-request@xxxxxxxxxxxxxxxxxx
Before posting, please take a moment to review the archives

at

https://archive.midrange.com/midrange-l.

Please contact support@xxxxxxxxxxxxxxxxxxxx for any

subscription

related questions.

--
This is the Midrange Systems Technical Discussion (MIDRANGE-L)
mailing list To post a message email:

MIDRANGE-L@xxxxxxxxxxxxxxxxxx

To subscribe, unsubscribe, or change list options,
visit: https://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxxxxxxxx
Before posting, please take a moment to review the archives at
https://archive.midrange.com/midrange-l.

Please contact support@xxxxxxxxxxxxxxxxxxxx for any

subscription

related questions.


--
This is the Midrange Systems Technical Discussion (MIDRANGE-L)
mailing list To post a message email:

MIDRANGE-L@xxxxxxxxxxxxxxxxxx

To subscribe, unsubscribe, or change list options,
visit: https://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxxxxxxxx
Before posting, please take a moment to review the archives at
https://archive.midrange.com/midrange-l.

Please contact support@xxxxxxxxxxxxxxxxxxxx for any

subscription

related questions.

--
This is the Midrange Systems Technical Discussion (MIDRANGE-L)

mailing

list To post a message email: MIDRANGE-L@xxxxxxxxxxxxxxxxxx To
subscribe, unsubscribe, or change list options,
visit: https://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxxxxxxxx
Before posting, please take a moment to review the archives at
https://archive.midrange.com/midrange-l.

Please contact support@xxxxxxxxxxxxxxxxxxxx for any subscription
related questions.


--
This is the Midrange Systems Technical Discussion (MIDRANGE-L)

mailing

list To post a message email: MIDRANGE-L@xxxxxxxxxxxxxxxxxx To
subscribe, unsubscribe, or change list options,
visit: https://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxxxxxxxx
Before posting, please take a moment to review the archives at
https://archive.midrange.com/midrange-l.

Please contact support@xxxxxxxxxxxxxxxxxxxx for any subscription
related questions.

--
This is the Midrange Systems Technical Discussion (MIDRANGE-L)

mailing

list To post a message email: MIDRANGE-L@xxxxxxxxxxxxxxxxxx To

subscribe,

unsubscribe, or change list options,
visit: https://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxxxxxxxx
Before posting, please take a moment to review the archives at
https://archive.midrange.com/midrange-l.

Please contact support@xxxxxxxxxxxxxxxxxxxx for any subscription

related

questions.


--
This is the Midrange Systems Technical Discussion (MIDRANGE-L)

mailing

list

To post a message email: MIDRANGE-L@xxxxxxxxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: https://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxxxxxxxx
Before posting, please take a moment to review the archives
at https://archive.midrange.com/midrange-l.

Please contact support@xxxxxxxxxxxxxxxxxxxx for any subscription

related

questions.

--
This is the Midrange Systems Technical Discussion (MIDRANGE-L)

mailing

list

To post a message email: MIDRANGE-L@xxxxxxxxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: https://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxxxxxxxx
Before posting, please take a moment to review the archives
at https://archive.midrange.com/midrange-l.

Please contact support@xxxxxxxxxxxxxxxxxxxx for any subscription

related

questions.

--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing

list

To post a message email: MIDRANGE-L@xxxxxxxxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: https://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxxxxxxxx
Before posting, please take a moment to review the archives
at https://archive.midrange.com/midrange-l.

Please contact support@xxxxxxxxxxxxxxxxxxxx for any subscription

related

questions.

--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing

list

To post a message email: MIDRANGE-L@xxxxxxxxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: https://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxxxxxxxx
Before posting, please take a moment to review the archives
at https://archive.midrange.com/midrange-l.

Please contact support@xxxxxxxxxxxxxxxxxxxx for any subscription related
questions.

--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list
To post a message email: MIDRANGE-L@xxxxxxxxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: https://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxxxxxxxx
Before posting, please take a moment to review the archives
at https://archive.midrange.com/midrange-l.

Please contact support@xxxxxxxxxxxxxxxxxxxx for any subscription related
questions.