Something of a plug; hit delete if you wish. X-Posted RACF-L and IBM-MAIN.
I have been reading and sometimes responding to various people’s “help me with
my certificate problem” posts here for years. I have been kicking around
various approaches to certificate problem resolution with my friend
Colin Paice replied, basically confirming what I'd found. In retrospect it
all feels silly but ain't that usually the case? Thanks again!
Going back to the first message...
I'm getting this trying to use a self-signed certificate. I put it into
gskkyman and when I try to connect (outbound from z/OS) I get
Certificate validation error
from GSK_SECURE_SOCKET_INIT. Running a gsktrace shows:
09/07/2022-17:30:14 Thd-1 ERROR
Charles Mills wrote:
>Where did this self-signed certificate come from? What tool generated it?
It was internally generated. That's all I know. It's a test system.
>Case should not be a problem in a self-signed certificate. Technically I
>guess it is possible but you would almost have to do
Where did this self-signed certificate come from? What tool generated it?
Case should not be a problem in a self-signed certificate. Technically I guess
it is possible but you would almost have to do it on purpose.
I think the trace is pretty clear. I don't fully understand the big picture,
Phil,
Yes, it's TLSv1.3:
sorry I missed this.
You mean the label in the gskkyman entry?
I was thinking the entry, Cert that was added to RACF, that's where I had
similar issues.
sorry I could not be more help
Carmen
On 9/8/2022 10:31 AM, Phil Smith III wrote:
Yes, it's TLSv1.3:
Carmen Vitullo asked:
>Phil, was this output from an SSL trace?
Yes.
>IIRC there's usually more data related to a cert error, it's been 7, or
>8 years since I ran the trace but usually the trace data
>shows the TLS version also, it's a stretch but are you running TLS 1.1
>or higher?
Phil, was this output from an SSL trace?
IIRC there's usually more data related to a cert error, it's been 7, or
8 years since I ran the trace but usually the trace data
shows the TLS version also, it's a stretch but are you running TLS 1.1
or higher?
I'd agree with Attila also, I've had
Attila Fogarasi kindly replied suggesting a case problem, which I'm
perfectly willing to believe but don't have any idea how to verify. Nothing
LOOKS off.
Meanwhile, some more digging suggests that it may be that the error message
is actually correct and clear, FSVO clear!
If I run
openssl
Gskkyman is case sensitive for issuer name etc. while most other
implementations are case INsensitive. For the good reason that the world
is filled with wrong-case names. The RFC standard allows both, and lots of
certificates that work otherwise will fail for Gskkyman until the case is
fixed to
I'm getting this trying to use a self-signed certificate. I put it into
gskkyman and when I try to connect (outbound from z/OS) I get
Certificate validation error
from GSK_SECURE_SOCKET_INIT. Running a gsktrace shows:
09/07/2022-17:30:14 Thd-1 ERROR check_cert_extensions_3280_and_later():
Basic