
Hi everyone.

I am working with a 3rd party system that provides a web interface for their services.  Have to use get/put/post for various things.  Their examples use curl.  I tested the connection on my system using curl.  There is an error with the SSL certificate(s) apparently, as curl complains until I add the -k (--insecure) option.   That's fine, there is no private data, and everything will be inside a vpn.  BUT. When I try to connect using RMNET, I get an error 7.  When I check the NetGetError, the text is: "SSL peer certificate or SSH remote key was not OK".  Fine.  That's basically what curl said.  So I tried the NetSSLVerifyPeer command to turn off the verify.  Same error.  (Note: The response-LEN is zero when doing the HttpGet)

Flow:

CALL "NetInit" GIVING AIMS-STATUS-CODE.
CALL "NetSSLVerifyPeer" USING 0 GIVING AIMS-STATUS-CODE.
CALL "HttpGet" USING
   AIMS-URL
   AIMS-RESPONSE-PTR
   AIMS-RESPONSE-LEN
   AIMS-EXTRA-HDRS
   GIVING AIMS-STATUS-CODE.
CALL "NetGetError" USING
   AIMS-RESPONSE-PTR
   AIMS-RESPONSE-LEN
   GIVING AIMS-RESPONSE-CODE-2.

Here's the curl command:

curl -k -X 'GET' \
  '192.168.198.11:9002/.../standardDataMap' \
  -H 'accept: application/json;charset=UTF-8' \
  -H 'api-key: DVIOsWOU.zLhLByGfmXfvsTaxkACbodSKEOMlMPqCKaj'

The output is basically a json string showing the data map that was requested.

Using 10.4.1, with -y librmnet64.so on the command line.  ( I used "strings librmnet64.so | fgrep -i acu" to confirm the library is 10.4.1)

Note: I searched the community and found that entry where they had a certificate problem but using NetSSLVerifyPeer fixed things.  I was already trying that, but the entry is why I now use a literal 0 instead of a numeric variable with a value of zero.  No difference either way.

No idea what to check next.  (Looking into getting the certificate issue fixed.  I think it's a self-cert kind of thing.  But it would be nice to get this working properly)

An update from that 3rd party shows one option is to "Have the tool trust the self-signed certificate", then explained where to find the self-signed certificate of this application, and gave us the key.   Once I have the certificate file, can I use it with those other RMNET function(s) to get around the failed trust?  That is, can I use:

   NetSetSSLCA or

   NetSetSSLCert or

   NetSetSSLKey or

   NetSetKeyPassword

with that certificate, and get past the trust failure?

And, just a reminder, the NetSSLVerifyPeer won't turn off the check.  That's the first thing they suggested (Update the internal tool to be able to run insecurely... like curl -k...), but as previously mentioned, I already tried that and it's not working.

A thought: anyone have a suggestion for an internet URL I can connect to that IS trusted, so I can test that the program code is fine, and it's just the site setup that's the issue? 

I tested RMNET in 10.4.1 against https://getacert.com using NETSSLVERIFYPEER set to 0, and it worked OK and allowed the insecure connection. You would need to raise a support case and provide more information for us to look into this further and see if there is a bug.

To trust a self-signed cert, you would need to get the vendor's CA certificate and import that on to your machine or use the NetSetSSLCA option in RMNET.

Thank you

Thank you for the info.  I was able to use that website as a test url in my program.  I connected to getacert and that worked.  So the verifypeer is successfully turned off.  (In the same session, I also tried the 3rd party server too, but it still fails with status 7)   I actually turned on verifypeer and tried getacert again.  Got that status 7 error as I would expect to.   Which is just like the 3rd party server does, whether verifypeer is on or off.    Do I have a problem with verifyhost? (got that from a google search).  I extracted some log info below, so you can see the URL used.

Note: The "Empty response" and "No error" literals are put in by me, so the log doesn't simply have missing text in those spots.

Note: I included a header with the getacert connection, just to be consistent with what I am doing for the 3rd party connection.

From my log, here's the results of connecting to the 3rd party server:

AIMS-ITEM-MAP-GET:
Url - 192.168.198.11:9002/.../standardDataMap
Hdr - api-key: DVIOsWOU.zLhLByGfmXfvsTaxkACbodSKEOMlMPqCKaj~~
Rsp - Empty response
Sts - 00000007: SSL peer certificate or SSH remote key was not OK
 

And this is what I get connecting to the getacert.com website.  The html continues on for a while, so it's truncated.


<LogTime 15:36:20.86>
GETACERT TEST:
Url - https://getacert.com
Hdr - api-key: DVIOsWOU.zLhLByGfmXfvsTaxkACbodSKEOMlMPqCKaj~~
Rsp - <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/ht
ml4/strict.dtd">
<html>
    <head>

...

</body>
</html>
 
Sts - 00000000: No error
 

And here's the log when I turned verifypeer back on, just to confirm getacert would fail.  And you can see it looks just like the 3rd party access failure.

<LogTime 15:43:35.85>
GETACERT TEST:
Url - https://getacert.com
Hdr - api-key: DVIOsWOU.zLhLByGfmXfvsTaxkACbodSKEOMlMPqCKaj~~
Rsp - Empty response
Sts - 00000007: SSL peer certificate or SSH remote key was not OK

That is strange if the same thing works OK when using curl with the --insecure parameter. It's hard to say what’s happening without debugging it myself.

Instead of a self-signed certificate, are you able to use 'minica' to generate a certificate? That will provide you with a CA certificate to install on your machine or use with RMNet directly. That should work around the issue until you get permanent certificates - https://github.com/jsha/minica

Another idea; should the address be https://192.168.198.11:9002 or just simply 192.168.198.11:9002 as you have been using?

The lack of "https://" in the log text is just a copy/paste error on my part.  (I got excited for a moment, thinking it was just something that simple.)

I tried a couple of things, and I am working with the software provider to see about working with http instead of https.  Also, I hope to set up a test system later just to see what is wrong with the connection, by working with you.  More as I know more. Bottom line, the verifypeer option is working as designed.

I grabbed a copy of the curl git repository, and did a quick check.  The --insecure option (aka -k) turns off verifypeer AND verifyhost.  Does the RMNET verifypeer function also turn off verifyhost?  Or do we have a missing function in the RMNET library?

It looks like we only provide the parameter to turn off the VERIFYPEER check. To look into this further and raise an enhancement request to have the VERIFYHOST check added, you would need to create a support case.

Have you tried Minica? It would get around this error without waiting for VERIFYHOST to be added.
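The two questions left open in this thread, whether feeding the vendor's certificate in (the NetSetSSLCA route suggested above) gets past the trust failure, and whether turning off VERIFYPEER alone is enough, both come down to a TLS client doing two independent checks: is the certificate chain trusted (VERIFYPEER), and does the certificate actually name the host or IP that was dialled (VERIFYHOST). curl -k switches off both at once, which is why it hides the difference. The script below is an added example, not code from the thread, from curl or from RMNET. It uses only openssl to build two self-signed certificates for the thread's IP 192.168.198.11, one carrying just a CN and one carrying an iPAddress SAN, plus an unrelated CA to stand in for a trust store that does not know the vendor, and then runs the two checks separately so all three outcomes a client can hit are reproducible offline. The file names, helper names, work directory and the certificates themselves are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the thread, curl or RMNET): run the two TLS client
# checks that "curl -k" switches off together as separate steps, with openssl.
#   peer check = is the certificate chain trusted?        (VERIFYPEER / NetSSLVerifyPeer)
#   host check = does the cert name the dialled host/IP?  (VERIFYHOST; per the thread, not exposed by RMNET)
# The IP is the one from the thread. Certs, keys and the work dir are generated
# here for illustration and are assumptions, not the vendor's material.
set -eu

SERVER_IP=192.168.198.11
WORK="${TMPDIR:-/tmp}/tls-checks.$$"
mkdir -p "$WORK"
trap 'rm -rf "$WORK"' EXIT

# make_cert OUTFILE SUBJECT [SAN]
# Self-signed certificate plus key. SAN is optional on purpose: a lot of vendor
# self-signed certs carry only a CN, and that alone is enough to fail the host check.
make_cert() {
    _mc_out=$1; _mc_subj=$2; _mc_san=${3:-}
    if [ -n "$_mc_san" ]; then
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "$_mc_subj" \
            -addext "subjectAltName=$_mc_san" \
            -keyout "$_mc_out.key" -out "$_mc_out" >/dev/null 2>&1
    else
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "$_mc_subj" \
            -keyout "$_mc_out.key" -out "$_mc_out" >/dev/null 2>&1
    fi
}

# _verify CAFILE CERT [extra "openssl verify" options]
# CAFILE is the whole trust store for the check; nothing from the system store is used.
_verify() {
    _v_ca=$1; _v_cert=$2; shift 2
    openssl verify -CAfile "$_v_ca" "$@" "$_v_cert" >/dev/null 2>&1
}

# peer_check CERT CAFILE    -> exit 0 iff CERT chains to something in CAFILE
peer_check() { _verify "$2" "$1"; }

# host_check CERT CAFILE IP -> exit 0 iff an iPAddress SAN in CERT matches IP.
# -verify_ip never falls back to the CN; a CN of "192.168.198.11" does not count.
host_check() { _verify "$2" "$1" -verify_ip "$3"; }

# classify CERT CAFILE IP -> prints the first check a strict client would fail on
#   untrusted     : peer check fails  (fix: trust the cert/CA, e.g. curl --cacert, NetSetSSLCA)
#   name-mismatch : trusted, but no SAN for the IP (fix: reissue with an IP SAN, or switch off the host check)
#   ok            : both checks pass
classify() {
    if ! peer_check "$1" "$2"; then
        echo untrusted
    elif ! host_check "$1" "$2" "$3"; then
        echo name-mismatch
    else
        echo ok
    fi
}

CN_ONLY="$WORK/cn-only.pem"      # what a "self-cert kind of thing" usually looks like
WITH_SAN="$WORK/with-san.pem"    # what the vendor would need to issue for an IP-addressed service
OTHER_CA="$WORK/other-ca.pem"    # an unrelated trust anchor: the client's store before the vendor cert is added
make_cert "$CN_ONLY"  "/CN=$SERVER_IP"
make_cert "$WITH_SAN" "/CN=$SERVER_IP" "IP:$SERVER_IP"
make_cert "$OTHER_CA" "/CN=Unrelated Test CA"

echo "cn-only, store does not know it : $(classify "$CN_ONLY"  "$OTHER_CA" "$SERVER_IP")"   # untrusted
echo "cn-only, trusted via its own file: $(classify "$CN_ONLY"  "$CN_ONLY"  "$SERVER_IP")"   # name-mismatch
echo "IP SAN,  trusted via its own file: $(classify "$WITH_SAN" "$WITH_SAN" "$SERVER_IP")"   # ok
```

The middle case is the one this thread is circling: once the vendor's certificate is trusted (curl --cacert, or the NetSetSSLCA route the reply above describes), VERIFYPEER is satisfied, but a certificate that only carries the IP in its CN still fails the host check, and a client that can only switch off VERIFYPEER has no way past that. The clean fix is a certificate that names the IP in a subjectAltName, which is what the minica suggestion gets you; the other is the VERIFYHOST switch that curl -k already has.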