Greg,
We had similar issues with TLSV1.3. I was informed by our network folks that every device in the chain must support TLSV1.3, and some did not. We disabled TLSV1.3, and all issues went away. TLSV1.3 is scheduled to be implemented across all devices later this year.
Paul
-----Original Message-----
From: RPG400-L <rpg400-l-bounces@xxxxxxxxxxxxxxxxxx> On Behalf Of Greg Wilburn
Sent: Friday, April 9, 2021 3:39 PM
To: RPG programming on IBM i <rpg400-l@xxxxxxxxxxxxxxxxxx>
Subject: RE: ssl_error(406)
SK,
Thanks for the response... I've already fallen into the rabbit hole.
I had IBM support help me take a communications trace... they thought the handshake was fine and the connection reset occurs after the negotiation.
I was pulling the certificate information out of http_debug.txt. I thought it was odd that the "local" certificate from our server was dumped there. I have the whole chain on our system in DCM. There is no reason to question the certificates.
The only reason I questioned the certificate negotiation at all was because another application (that uses HTTPAPI as well) began having random communications failures after I added TLSV1.3 to QSSLPCL on our server (in an attempt to rectify this issue). That application (JetPay) uses an older version of HTTPAPI. I have since removed TLSV1.3 from QSSLPCL and all is good with that application.
Just as you cautioned, the server side support is almost no help at all.
I don't understand why GETURI will work with this web service, while it drops communications with an HTTPAPI connection. I almost have to be doing something wrong.
To complicate things even more, we are migrating to a new Power9 system tomorrow - same OS level (v7r3) but more recent PTFs.
So maybe the problem will resolve with PTF updates?
Thx,
Greg
-----Original Message-----
From: RPG400-L [mailto:rpg400-l-bounces@xxxxxxxxxxxxxxxxxx] On Behalf Of Scott Klement
Sent: Friday, April 09, 2021 2:28 PM
To: rpg400-l@xxxxxxxxxxxxxxxxxx
Subject: Re: ssl_error(406)
Greg,
Previously, you were getting a connection reset prior to it being able to negotiate certificates. Has that changed?
I don't know anything about this method you are using to verify the certificate... But, typically when you verify a certificate you need the whole chain, not just one cert. Do you have the rest of the chain loaded into the verify tool already?
I'm a little worried about "going down the rabbit hole" trying to verify certificates... is there a genuine reason to believe that there is something wrong with the server's certificate?
-SK
On 4/8/2021 3:45 PM, Greg Wilburn wrote:
Still looking at this...
Not sure if this means anything, but the debug test shows a dump of the local-side certificate. I didn't see that in other httpapi debug files I have on our system. The certificate string in http_debug.txt looked "too short" to me.
So I copied the certificate string, saved it on my PC as a .cer file and opened it. Under Certificate Information it says "Windows does not have enough information to verify this certificate."
Grasping at straws here.
--
This is the RPG programming on IBM i (RPG400-L) mailing list To post a message email: RPG400-L@xxxxxxxxxxxxxxxxxx To subscribe, unsubscribe, or change list options,
visit:
https://lists.midrange.com/mailman/listinfo/rpg400-l
or email: RPG400-L-request@xxxxxxxxxxxxxxxxxx
Before posting, please take a moment to review the archives at
https://archive.midrange.com/rpg400-l.
Please contact support@xxxxxxxxxxxxxxxxxxxx for any subscription related questions.
Help support midrange.com by shopping at amazon.com with our affiliate link:
https://amazon.midrange.com
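The point raised in the thread, that verifying a certificate needs the whole chain and not just one cert, shown as an added example that is not part of any poster's message. It builds a throwaway root, intermediate and leaf with the openssl CLI (every name, subject and file path is constructed for the demo and assumes openssl is installed), then verifies the leaf with and without the intermediate.

```sh
#!/bin/sh
# Added example: constructed throwaway PKI (root -> intermediate -> leaf).
# Every name, subject and file here is made up for the demo.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

new_key_and_csr() {   # $1 = file prefix, $2 = subject CN
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/$1.key" \
    -out "$WORK/$1.csr" -subj "/CN=$2" 2>/dev/null
}

make_chain() {
  printf 'basicConstraints=critical,CA:TRUE\n' > "$WORK/ca.ext"
  new_key_and_csr root  "Demo Root CA" &&
  new_key_and_csr inter "Demo Intermediate CA" &&
  new_key_and_csr leaf  "demo.example.test" &&
  # Self-signed root, intermediate signed by root, leaf signed by intermediate.
  openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" \
    -extfile "$WORK/ca.ext" -days 2 -out "$WORK/root.pem" 2>/dev/null &&
  openssl x509 -req -in "$WORK/inter.csr" -CA "$WORK/root.pem" \
    -CAkey "$WORK/root.key" -set_serial 2 -extfile "$WORK/ca.ext" \
    -days 2 -out "$WORK/inter.pem" 2>/dev/null &&
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/inter.pem" \
    -CAkey "$WORK/inter.key" -set_serial 3 -days 2 \
    -out "$WORK/leaf.pem" 2>/dev/null
}

# Root is trusted, but the intermediate that issued the leaf is missing.
verify_leaf_only() {
  openssl verify -CAfile "$WORK/root.pem" "$WORK/leaf.pem" >/dev/null 2>&1
}

# Same leaf, with the intermediate supplied as an untrusted chain certificate.
verify_with_chain() {
  openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/inter.pem" \
    "$WORK/leaf.pem" >/dev/null 2>&1
}

make_chain || { echo "openssl could not build the demo chain" >&2; exit 1; }
if verify_leaf_only; then echo "leaf alone: verified"
else echo "leaf alone: chain cannot be built"; fi
if verify_with_chain; then echo "leaf + intermediate: verified"
else echo "leaf + intermediate: failed"; fi
```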