Tony raises a couple of good points. Debugging *is* an issue because while PKI, certificates and TLS are all awesome stuff, they are quite complex and are in that category of thing where it either works perfectly or not at all, and when it does not work you tend to get incredibly informative (not!) messages like "broken pipe."

AT-TLS has the further advantage that I think it will be harder to screw it up and leave a gaping security hole that you are unaware of. Really! Incredibly easy to do with OpenSSL; not as easy with GSK but still possible. If you want to read a scary paper, check out http://www.cs.usfca.edu/~ejung/courses/f12683/presentations/FinalSecPres2.pptx and https://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf

Charles

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:[email protected]] On Behalf Of Tony Harminc
Sent: Friday, March 11, 2016 10:00 AM
To: [email protected]
Subject: Re: Linking C module with SSL

On 11 March 2016 at 06:29, Robin Atwood <[email protected]> wrote:
> Yes, I mean GSK. Is it supported for assembler code? We have a server
> written almost entirely in assembler which uses the BPX1xxx Unix
> functions for TCP/IP. I didn't see any SSL support, though, and I am
> guessing you cannot directly call the C gsk routines. The server *is*
> LE enabled, if that helps.

If you have existing assembler code using the BPX1 Assembler Callable Services for TCP sockets, then you may do better to use AT-TLS to implement TLS in your app. You can just leave the application alone and manage everything externally, or you can use extensions to the familiar BPX1IOC w_ioctl() function that allow you to control AT-TLS more explicitly. It's not perfect, but it's not bad. However, debugging is a pain because messages and trace output don't come out anywhere near where your program is running.

It's not documented in the Assembler Callable Services book, nor even in the IP Sockets Programming book, but rather in the IP Programmer's Guide and Reference.
