Hi all
We're doing some development on an internal test server which, unfortunately, has some expired certificates:
The code:
* Protocol log (level 10) and default HTTP version
RESPUESTA=protocolLogging(NOM.FIC.LOG,'ON',10)
RESPUESTA=setHTTPDefault('VERSION',VERSION)
* Client-side security context and the server authentication rules
RESPUESTA=createSecurityContext(SECCONTEXT.HANDLE, PROTOCOLO.SEGURO)
RESPUESTA=addAuthenticationRule(SECCONTEXT.HANDLE, SSL_CLIENT, SSL_RULE_SERVER_NAME, SERVER_NAME)
RESPUESTA=addAuthenticationRule(SECCONTEXT.HANDLE,SSL_CLIENT,SSL_RULE_STRENGTH,'generous')
* Secure request bound to that context
RESPUESTA=createSecureRequest(URL.SERVICIO,TIPO.LLAMADA,HTTP.HANDLE,SECCONTEXT.HANDLE)
* One request header per value mark in DATO.CABECERA / VALOR.CABECERA
MAX.CAB=DCOUNT(DATO.CABECERA,@VM)
FOR C=1 TO MAX.CAB
   RESPUESTA=setRequestHeader(HTTP.HANDLE,DATO.CABECERA<1,C>,VALOR.CABECERA<1,C>)
   CRT ' Pasa dato en header [':DATO.CABECERA<1,C>:'] [':VALOR.CABECERA<1,C>:'] [':RESPUESTA:'] '
   IF RESPUESTA#0 THEN GOTO 90
NEXT C
* Buffer size, then submit and collect status, headers and body
RESPUESTA=setHTTPDefault('BUFSIZE',DIM.BUFFER)
RESPUESTA=submitRequest(HTTP.HANDLE,TIME.OUT,'',CABECERA.RESPUESTA,DATOS.RESPUESTA,HTTP.STATUS)
From the logs:
09/08/2025 11:43:45 [ 154369 154365 ] setHTTPDefault ... name=VERSION,value=1.1
09/08/2025 11:43:45 [ 154369 154365 ] set default HTTP version: 1.1
09/08/2025 11:43:45 [ 154369 154365 ] createSecurityContext ... version=TLSv1.2
09/08/2025 11:43:45 [ 154369 154365 ] security context 0x250e770 allocated
09/08/2025 11:43:45 [ 154369 154365 ] empty version qualifier: use default
09/08/2025 11:43:45 [ 154369 154365 ] version 1 SCR created, SSL min_ver=5,map=48
09/08/2025 11:43:45 [ 154369 154365 ] addAuthenticationRule ... rule=ServerName,ruleString=localhost:6443,serverorclient=2
09/08/2025 11:43:45 [ 154369 154365 ] addAuthenticationRule ... rule=VerificationStrength,ruleString=generous,serverorclient=2
09/08/2025 11:43:45 [ 154369 154365 ] createSecureRequest ... 257bb90: URL=https://localhost:6443/QuiterGatewayWeb/qawServer?metodo=consulta&pass=-zB@8dt!7@Yd4W1V,method=GET
09/08/2025 11:43:45 [ 154369 154365 ] current Request date: Mon, 08 Sep 2025 09:43:45 GMT
09/08/2025 11:43:45 [ 154369 154365 ] setHTTPDefault ... name=BUFSIZE,value=4096
09/08/2025 11:43:45 [ 154369 154365 ] submitRequest ... Var 257bb90: host=localhost:6443,timeout=5000
09/08/2025 11:43:45 [ 154369 154365 ] new header User-Agent added with value Rocket UniVerse 12.x
09/08/2025 11:43:45 [ 154369 154365 ] Assembled Request (body omitted,length=0):
GET /QuiterGatewayWeb/qawServer?metodo=consulta&pass=-zB@8dt!7@Yd4W1V HTTP/1.1
Date: Mon, 08 Sep 2025 09:43:45 GMT
Host: localhost:6443
User-Agent: Rocket UniVerse 12.x
09/08/2025 11:43:45 [ 154369 154365 ] HTTP_START: timeout=5000
09/08/2025 11:43:45 [ 154369 154365 ] HTTP_CONNECT
09/08/2025 11:43:45 [ 154369 154365 ] new host 0x256a760:localhost:6443 allocated (proxy:no)
09/08/2025 11:43:45 [ 154369 154365 ] getting address info...
09/08/2025 11:43:45 [ 154369 154365 ] finding address family (socket ipv=0)...
09/08/2025 11:43:45 [ 154369 154365 ] found address family 10
09/08/2025 11:43:45 [ 154369 154365 ] socket 0x2590ba0 allocated
09/08/2025 11:43:45 [ 154369 154365 ] got default socket buf size=65536
09/08/2025 11:43:45 [ 154369 154365 ] got default socket buf size=87380
09/08/2025 11:43:45 [ 154369 154365 ] connecting ...
09/08/2025 11:43:45 [ 154369 154365 ] getsockopt returned: 0,SO_ERROR=0,errno=115
09/08/2025 11:43:45 [ 154369 154365 ] do reverse lookup...
09/08/2025 11:43:45 [ 154369 154365 ] start SSLbinding ...
09/08/2025 11:43:45 [ 154369 154365 ] SSL CTX cache enabled
09/08/2025 11:43:45 [ 154369 154365 ] SSL session cache enabled
09/08/2025 11:43:45 [ 154369 154365 ] calculating SCR hashkey...
09/08/2025 11:43:45 [ 154369 154365 ] SCR hashkey: EarcYoUYjRtCVbdtUeKXHYjLxGE=
09/08/2025 11:43:45 [ 154369 154365 ] calculating session hashkey for localhost6443U2tempctx
09/08/2025 11:43:45 [ 154369 154365 ] loading SSL method ...
09/08/2025 11:43:45 [ 154369 154365 ] system configured SSL_OPTIONS=0
09/08/2025 11:43:45 [ 154369 154365 ] Not set SSL option LEGACY_SERVER_CONNECT
09/08/2025 11:43:45 [ 154369 154365 ] get SSL_SECURITY_LEVEL from env, SSL_SECURITY_LEVEL = 1
09/08/2025 11:43:45 [ 154369 154365 ] ssl security level(1) in ctx is the same as the one specieid in uvconfig.
09/08/2025 11:43:45 [ 154369 154365 ] v1 SCR protocols=48
09/08/2025 11:43:45 [ 154369 154365 ] system allowed SSL_PROTOCOLS=28
09/08/2025 11:43:45 [ 154369 154365 ] disabled SSLv2
09/08/2025 11:43:45 [ 154369 154365 ] disabled SSLv3
09/08/2025 11:43:45 [ 154369 154365 ] disabled TLSv1
09/08/2025 11:43:45 [ 154369 154365 ] disabled TLSv1.1
09/08/2025 11:43:45 [ 154369 154365 ] disabled TLSv1.3
09/08/2025 11:43:45 [ 154369 154365 ] Info: No self-cert file set in context (OK for client)!
09/08/2025 11:43:45 [ 154369 154365 ] Info: No private key available, OK for client.
09/08/2025 11:43:45 [ 154369 154365 ] Loading root certificate store...
09/08/2025 11:43:45 [ 154369 154365 ] read_file: try reading data from /usr/uv/.u2rcs...
09/08/2025 11:43:45 [ 154369 154365 ] Installing cert from root certificate store...
09/08/2025 11:43:45 [ 154369 154365 ] Total root certs loaded from U2 RCS: 146
09/08/2025 11:43:45 [ 154369 154365 ] client auth depth 0 is not valid, set default 5
09/08/2025 11:43:45 [ 154369 154365 ] set client auth depth=5
09/08/2025 11:43:45 [ 154369 154365 ] loading random seed data from /u2/quiter/POSVENTA5/.rnd
09/08/2025 11:43:45 [ 154369 154365 ] random seed data loaded
09/08/2025 11:43:45 [ 154369 154365 ] current ssl security level:1
09/08/2025 11:43:45 [ 154369 154365 ] SSL structure 0x26c2590 initialized
09/08/2025 11:43:45 [ 154369 154365 ] check if SNI is required...
09/08/2025 11:43:45 [ 154369 154365 ] set server name extension to localhost:6443
09/08/2025 11:43:45 [ 154369 154365 ] system configured SSL_OPTIONS=0
09/08/2025 11:43:45 [ 154369 154365 ] No setting SSL option TLS_FALLBACK_SCSV
09/08/2025 11:43:45 [ 154369 154365 ] socket bio initialized
09/08/2025 11:43:45 [ 154369 154365 ] socket bio set
09/08/2025 11:43:45 [ 154369 154365 ] ssl 0x26c2590: app data (sock=0x2590ba0) set
09/08/2025 11:43:45 [ 154369 154365 ] ssl session_id is set using Rl6LJ91rAljNa4EWdZHslcPPLtI=,28
09/08/2025 11:43:45 [ 154369 154365 ] no session reuse is requested or possible.
09/08/2025 11:43:45 [ 154369 154365 ] system configured SSL_OPTIONS=0
09/08/2025 11:43:45 [ 154369 154365 ] socket HANDSHAKE_TIMEOUT for client option is not enabled.
09/08/2025 11:43:45 [ 154369 154365 ] begin SSL connect ...
09/08/2025 11:43:45 [ 154369 154365 ] SSL trace: Handshake: start
09/08/2025 11:43:45 [ 154369 154365 ] Verification strength: generous
09/08/2025 11:43:45 [ 154369 154365 ] UniSSL: obtaining cert chain...
09/08/2025 11:43:45 [ 154369 154365 ] got 3 certs in cert chain
09/08/2025 11:43:45 [ 154369 154365 ] SSL Certificate Verification: ok=1,errnum=0
depth: 2
subject: /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root G2
issuer: /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root G2
09/08/2025 11:43:45 [ 154369 154365 ] Peer certificate verified by SSL handshake(generous)
09/08/2025 11:43:45 [ 154369 154365 ] Verification strength: generous
09/08/2025 11:43:45 [ 154369 154365 ] SSL Certificate Verification: ok=1,errnum=0
depth: 1
subject: /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=Thawte TLS RSA CA G1
issuer: /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root G2
09/08/2025 11:43:45 [ 154369 154365 ] Peer certificate verified by SSL handshake(generous)
09/08/2025 11:43:45 [ 154369 154365 ] Verification strength: generous
09/08/2025 11:43:45 [ 154369 154365 ] SSL Certificate Verification: ok=0,errnum=10
depth: 0
subject: /C=ES/ST=CANTABRIA/L=Santander/O=Quiter Servicios Informaticos S.L./CN=*.quiterdms.com
issuer: /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=Thawte TLS RSA CA G1
09/08/2025 11:43:45 [ 154369 154365 ] Peer certificate not verified.
Reason: 10, certificate has expired
09/08/2025 11:43:45 [ 154369 154365 ] SSL connect error: -1!
8077282F397F0000:error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:1890:
09/08/2025 11:43:45 [ 154369 154365 ] SSLbinding failed!
09/08/2025 11:43:45 [ 154369 154365 ] Authentication error, peer certChain:
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
09/08/2025 11:43:45 [ 154369 154365 ] destroySocket(): socket 0x2590ba0 status=1, refs=1
09/08/2025 11:43:45 [ 154369 154365 ] closeSocket 0: 0x2590ba0,status=1,ssl=0,(nil), refs=1
09/08/2025 11:43:45 [ 154369 154365 ] Socket 0x2590ba0 closed and freed: 0(Server authentication failure: certificate verify failed) 0(Server authentication failure: certificate verify failed)
09/08/2025 11:43:45 [ 154369 154365 ] Secure Socket (localhost:6443) not opened
09/08/2025 11:43:45 [ 154369 154365 ] HTTP_ERROR, status=3
09/08/2025 11:43:45 [ 154369 154365 ] Host 0x256a760 freed
09/08/2025 11:43:45 [ 154369 154365 ] freeReq: req=0x257bb90, ref=1 (when ref=1 req is freed)
09/08/2025 11:43:45 [ 154369 154365 ] destroySctx: 0x250e770, refs=1
09/08/2025 11:43:45 [ 154369 154365 ] security context 0x250e770 freed
Is there a way to tell the securityContext to ignore certificate checks? Something like the "--insecure" flag in curl?
------------------------------
Héctor Cortiguera
Quiter Servicios Informaticos SL
------------------------------
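Two things in the protocol log above are worth pulling out before deciding what to change. First, the chain verification happened per depth: the root (depth 2) and the intermediate (depth 1) passed, and only the leaf at depth 0 failed with errnum=10, which is OpenSSL's X509_V_ERR_CERT_HAS_EXPIRED. That points at renewing the leaf (or, on a throwaway test box, trusting that one certificate explicitly) rather than switching verification off for the whole context. Second, protocolLogging writes the assembled request line, including the query-string credential, into the log file, so anything that scrapes or shares these logs needs to scrub it. The Python below is an editor-added example, not code from the original post or from Rocket's UniVerse; it parses a constructed log excerpt modelled on the format shown (placeholder hosts, subjects and a dummy password) to report which certificate in the chain failed and why, and redacts secret query parameters from logged URLs.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Constructed sample modelled on the UniVerse protocol log in the post.
# Host, certificate subjects and the query-string password are placeholders.
SAMPLE_LOG = """\
09/08/2025 11:43:45 [ 1 1 ] createSecureRequest ... 257bb90: URL=https://testhost.example:6443/app/server?metodo=consulta&pass=example-secret,method=GET
09/08/2025 11:43:45 [ 1 1 ] SSL Certificate Verification: ok=1,errnum=0
depth: 2
subject: /C=US/O=Example Root/CN=Example Root CA
issuer: /C=US/O=Example Root/CN=Example Root CA
09/08/2025 11:43:45 [ 1 1 ] Peer certificate verified by SSL handshake(generous)
09/08/2025 11:43:45 [ 1 1 ] SSL Certificate Verification: ok=1,errnum=0
depth: 1
subject: /C=US/O=Example Root/CN=Example Issuing CA
issuer: /C=US/O=Example Root/CN=Example Root CA
09/08/2025 11:43:45 [ 1 1 ] SSL Certificate Verification: ok=0,errnum=10
depth: 0
subject: /C=ES/O=Example Org/CN=*.test.example
issuer: /C=US/O=Example Root/CN=Example Issuing CA
09/08/2025 11:43:45 [ 1 1 ] Peer certificate not verified.
Reason: 10, certificate has expired
"""

# OpenSSL X509_V_ERR_* codes that appear in the errnum field (subset, used when
# the log carries no "Reason:" line).
X509_ERRORS = {
    9: "certificate is not yet valid",
    10: "certificate has expired",
    18: "self-signed certificate (depth 0)",
    19: "self-signed certificate in certificate chain",
    20: "unable to get local issuer certificate",
    21: "unable to verify the first certificate",
    62: "hostname mismatch",
}

VERIFY_RE = re.compile(r"SSL Certificate Verification: ok=(\d),errnum=(\d+)")
DEPTH_RE = re.compile(r"^depth: (\d+)$")
SUBJECT_RE = re.compile(r"^subject: (.+)$")
ISSUER_RE = re.compile(r"^issuer: (.+)$")
REASON_RE = re.compile(r"^Reason: (\d+), (.+)$")
URL_RE = re.compile(r"URL=(\S+?),method=")

# Query parameter names treated as secrets when scrubbing logged URLs (assumed list).
SECRET_KEYS = {"pass", "password", "passwd", "pwd", "token", "apikey", "api_key", "secret"}


def parse_chain(log_text):
    """Return ([{depth, subject, issuer, ok, errnum}, ...] in log order, reason)."""
    chain, current, reason = [], None, None
    for line in log_text.splitlines():
        m = VERIFY_RE.search(line)
        if m:
            current = {"ok": m.group(1) == "1", "errnum": int(m.group(2)),
                       "depth": None, "subject": None, "issuer": None}
            chain.append(current)
            continue
        if current is not None:
            for key, rx in (("depth", DEPTH_RE), ("subject", SUBJECT_RE), ("issuer", ISSUER_RE)):
                m = rx.match(line)
                if m:
                    current[key] = int(m.group(1)) if key == "depth" else m.group(1)
                    break
        m = REASON_RE.match(line)
        if m:
            reason = (int(m.group(1)), m.group(2))
    return chain, reason


def diagnose(log_text):
    """First failing certificate as (depth, subject, errnum, reason), or None if all verified."""
    chain, reason = parse_chain(log_text)
    for cert in chain:
        if not cert["ok"]:
            if reason and reason[0] == cert["errnum"]:
                text = reason[1]
            else:
                text = X509_ERRORS.get(cert["errnum"], "unknown verification error")
            return cert["depth"], cert["subject"], cert["errnum"], text
    return None


def redact_url_secrets(url):
    """Replace the value of any secret-named query parameter with REDACTED."""
    parts = urlsplit(url)
    query = [(k, "REDACTED" if k.lower() in SECRET_KEYS else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(query)))


def redact_log(log_text):
    """Scrub every 'URL=...,method=' occurrence in a protocol log."""
    return URL_RE.sub(lambda m: "URL=" + redact_url_secrets(m.group(1)) + ",method=", log_text)


if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG))
    print(redact_log(SAMPLE_LOG))
```

Run against the real log, diagnose() reports depth 0 with errnum 10, i.e. only the leaf certificate is at fault and the DigiCert chain above it is trusted; redact_log() is what to apply before attaching protocol logs to a ticket or a forum post.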