SSL Error Question

Discussions related to HTTPAPI (An HTTP Client Package for RPG programming.) http://www.scottklement.com/httpapi/
NerfHerder
Posts: 5
Joined: Wed Jan 28, 2026 3:42 pm

SSL Error Question

Post by NerfHerder »

Hello,
We have a program on our IBMi that leverages HTTPAPI; it is used to facilitate posting data to a business partner's URL. This has been in place for many years and has been working with no issue.
Now, it seems that the partner has updated the SSL cert used on their site; the previous cert was issued by Comodo CA... the new cert is issued by Sectigo CA.
Since they updated their cert, we have not been able to connect using HTTPAPI. We are using a very old version of HTTPAPI, which may be contributing to the issue, but alas.
I believe that the issue is that the server's SSL cert won't chain up - and we need to add the Sectigo CA bundle... somewhere. This is the question. Where does this need to be? In DCM? I log into DCM and open the *SYSTEM store... there really isn't much of anything there.
Is there some other cert store where we might need to add the Sectigo CA bundle?
Are there any config settings anywhere for the HTTPAPI that we might look at?

Our developer ran in debug, and this is what we get...

Code:

HTTPAPI Ver 1.12 released 2005-08-12

New iconv() objects set, ASCII=819. EBCDIC=0
http_url_post_stmf(): entered
getting post file size...
opening file to be sent...
opening file to be received
http_persist_open(): entered
http_long_ParseURL(): entered
https_init(): entered
-------------------------------------------------------------------------------------
Dump of local-side certificate information:
-------------------------------------------------------------------------------------
(GSKit) Peer not recognized or badly formatted message received.
ssl_error(415): (GSKit) Peer not recognized or badly formatted message received.
SetError() #30: SSL Handshake: (GSKit) Peer not recognized or badly formatted message received.
-------------------------------------------------------------------------------------
Dump of server-side certificate information:
-------------------------------------------------------------------------------------
Cert Validation Code = 0
(GSKit) An operation which is not valid for the current TLS session state was attempted.
ssl_error(5): (GSKit) An operation which is not valid for the current TLS session state was attempted.
(GSKit) An operation which is not valid for the current TLS session state was attempted.
http_url_post_stmf(): entered
getting post file size...
opening file to be sent...
opening file to be received
http_persist_open(): entered
http_long_ParseURL(): entered
(GSKit) Peer not recognized or badly formatted message received.
ssl_error(415): (GSKit) Peer not recognized or badly formatted message received.
SetError() #30: SSL Handshake: (GSKit) Peer not recognized or badly formatted message received.

TIA!
stefan@tageson.se
Posts: 27
Joined: Wed Jul 28, 2021 7:55 am
Location: Viken, Sweden

Re: SSL Error Question

Post by stefan@tageson.se »

What OS version are you running at?
NerfHerder
Posts: 5
Joined: Wed Jan 28, 2026 3:42 pm

Re: SSL Error Question

Post by NerfHerder »

v7r4
stefan@tageson.se
Posts: 27
Joined: Wed Jul 28, 2021 7:55 am
Location: Viken, Sweden

Re: SSL Error Question

Post by stefan@tageson.se »

Let's test the easy way first. In DCM - *system store you find a link "Populate with CAs". Try that one first. If that doesn't help it might be that you are missing an intermediate certificate. If you haven't made any customisations to HTTPAPI I think it's a good idea to upgrade. Just install in parallel to a different library.
NerfHerder
Posts: 5
Joined: Wed Jan 28, 2026 3:42 pm

Re: SSL Error Question

Post by NerfHerder »

Cool. So the only certificate that is visible (initially) when I open the *SYSTEM store is the cert we use to secure telnet / 5250 sessions.
If I select the "Populate with CAs" link... that imports a bunch of CA certs from somewhere into the store? And the idea is to keep them there? And import the Sectigo root / issuing CA certs there also if needed?
I need to RTFM on how the IBMi OS does certs lol
stefan@tageson.se
Posts: 27
Joined: Wed Jul 28, 2021 7:55 am
Location: Viken, Sweden

Re: SSL Error Question

Post by stefan@tageson.se »

Normally, what you see initially are the certs that have been imported as server/client certificates. The Populate CA link will install a selection of root-certificates and some intermediate ones as well from well-known issuers. If you still have an issue it might be that you are missing an intermediate certificate.
stefan@tageson.se
Posts: 27
Joined: Wed Jul 28, 2021 7:55 am
Location: Viken, Sweden

Re: SSL Error Question

Post by stefan@tageson.se »

If you click on the server/client link just above the certificates you will see all certificates in the system store.
NerfHerder
Posts: 5
Joined: Wed Jan 28, 2026 3:42 pm

Re: SSL Error Question

Post by NerfHerder »

We'll see what - if anything - has changed since importing the CA certificates. Will catch up with our dev tomorrow.
I did try to do an openssl connection, but it complains of a cert error as well...

Code:

openssl s_client -connect www.ha.ups.com:443 -servername www.ha.ups.com
CONNECTED(00000004)                                                                  
---                                                                                  
Certificate chain                                                                    
 0 s:C = US, ST = New Jersey, O = "United Parcel Service, Inc.", CN = www.pld.ups.com
   i:C = GB, O = Sectigo Limited, CN = Sectigo Public Server Authentication CA OV R36
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256                             
   v:NotBefore: Jan 21 00:00:00 2026 GMT; NotAfter: Jan 21 23:59:59 2027 GMT         
 1 s:C = GB, O = Sectigo Limited, CN = Sectigo Public Server Authentication CA OV R36
   i:C = GB, O = Sectigo Limited, CN = Sectigo Public Server Authentication Root R46 
   a:PKEY: rsaEncryption, 3072 (bit); sigalg: RSA-SHA384                             
   v:NotBefore: Mar 22 00:00:00 2021 GMT; NotAfter: Mar 21 23:59:59 2036 GMT         
---                                                                                  
Server certificate                                                                   
subject=C = US, ST = New Jersey, O = "United Parcel Service, Inc.", CN = www.pld.ups.com 
issuer=C = GB, O = Sectigo Limited, CN = Sectigo Public Server Authentication CA OV R36  
---                                                                                      
No client certificate CA names sent                                                      
Peer signing digest: SHA256                                                              
Peer signature type: RSA-PSS                                                             
Server Temp Key: X25519, 253 bits                                                        
---                                                                                      
SSL handshake has read 4101 bytes and written 400 bytes                                  
Verification error: unable to get local issuer certificate                               
---                                                                                      
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384                                           
Server public key is 2048 bit                                                            
Secure Renegotiation IS NOT supported                                                    
Compression: NONE                                                                        
Expansion: NONE                                                                          
No ALPN negotiated                                                                       
Early data was not sent                                                                                             
Verify return code: 20 (unable to get local issuer certificate)                                                     
---                                                                                                                 
---                                                                                                                 
Post-Handshake New Session Ticket arrived:                                                                          
SSL-Session:                                                                                                        
    Protocol  : TLSv1.3                                                                                             
    Cipher    : TLS_AES_256_GCM_SHA384                                                                              
    Session-ID: 4E305D654AB81573A28468068C5F9D9D427D06369FFACE92D9F20AABCF095231                                    
    Session-ID-ctx:                                                                                                 
    Resumption PSK: 0D94D8DB4C00CBFD35A8702A6CF8DE9ECCB0CECF79B2D1991DDD342C786EF6D2CCF55B2D5CEEADC5E66E4B2333C7DF7D
    PSK identity: None                                                                                              
    PSK identity hint: None                                                                                         
    SRP username: None                                                                                              
    TLS session ticket lifetime hint: 83100 (seconds)                                                               
    TLS session ticket:                                                                                             
                                                                             
    Start Time: 1769490245                                                   
    Timeout   : 7200 (sec)                                                   
    Verify return code: 20 (unable to get local issuer certificate)          
    Extended master secret: no 
Scott Klement
Site Admin
Posts: 968
Joined: Sun Jul 04, 2021 5:12 am

Re: SSL Error Question

Post by Scott Klement »

What version of IBM i are you running? Are you up to date on PTFs?

The error you cite doesn't normally have to do with CA certificates being installed... more likely, the site is using a newer version of TLS (aka SSL) than your IBM i version supports.

But that's only one of many possible problems. All we really know is that it doesn't understand the format of the TLS; it may be a problem with the network, or connecting to the wrong server, or all sorts of other possibilities. Wrong SSL/TLS version is just the most common.
NerfHerder
Posts: 5
Joined: Wed Jan 28, 2026 3:42 pm

Re: SSL Error Question

Post by NerfHerder »

Apologies - got sidetracked and never posted a follow-up on this.
It ended up being the version of HTTPAPI we were running. It was older and didn't support SNI.
Upgrading resolved the issue.
Big thanks to you all!
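
Added example, not part of the thread and not HTTPAPI code: a shell helper that reads an `openssl s_client` transcript like the one posted above and separates the three hypotheses raised in the thread (CA missing from the local store, TLS version, SNI). The function names `probe`, `triage` and `sni_diff` are hypothetical, and the sample transcript is constructed by trimming the output shown in the post.

```shell
#!/usr/bin/env bash
# Added example. SAMPLE is constructed from the chain and status lines in the post.

# probe HOST [s_client flags...]: capture one handshake transcript (needs network).
probe() {
  local host=$1; shift
  openssl s_client -connect "$host:443" "$@" </dev/null 2>&1
}

# triage: read a transcript on stdin and print protocol=, verify= and, when the
# chain sent by the server does not end in a self-signed certificate, the
# issuer that the verifying side must already hold in its own trust store.
triage() {
  awk '
    { sub(/[ \t\r]+$/, "") }                      # drop terminal padding
    /^ *[0-9]+ s:/        { s = $0; sub(/.*CN = /, "", s) }
    /^ +i:/               { i = $0; sub(/.*CN = /, "", i) }
    /^New, /              { p = $2; sub(/,$/, "", p) }
    /Verify return code:/ { v = $4 }
    END {
      print "protocol=" (p == "" ? "(NONE)" : p)
      print "verify=" (v == "" ? "unknown" : v)
      if (i != "" && i != s) print "needs_local_issuer=" i
    }'
}

# sni_diff HOST: leaf subject with and without SNI. A different certificate, or
# a failure only in the second case, points at a client that sends no server name.
sni_diff() {
  printf 'with SNI:    %s\n' "$(probe "$1" -servername "$1" | grep -m1 '^subject=')"
  printf 'without SNI: %s\n' "$(probe "$1" -noservername | grep -m1 '^subject=')"
}

SAMPLE='CONNECTED(00000004)
---
Certificate chain
 0 s:C = US, ST = New Jersey, O = "United Parcel Service, Inc.", CN = www.pld.ups.com
   i:C = GB, O = Sectigo Limited, CN = Sectigo Public Server Authentication CA OV R36
 1 s:C = GB, O = Sectigo Limited, CN = Sectigo Public Server Authentication CA OV R36
   i:C = GB, O = Sectigo Limited, CN = Sectigo Public Server Authentication Root R46
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Verify return code: 20 (unable to get local issuer certificate)'

# Offline run on the constructed sample.
printf '%s\n' "$SAMPLE" | triage
```

On a live host, `probe HOST -servername HOST | triage` followed by `sni_diff HOST` covers the trust-store and SNI cases; adding `-tls1_2` to `probe` shows whether the server still accepts the older protocol.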