Phil, was this output from an SSL trace?

IIRC there's usually more data related to a cert error. It's been 7 or 8 years since I ran the trace, but usually the trace data shows the TLS version also. It's a stretch, but are you running TLS 1.1 or higher?

I'd agree with Attila also. I've had my security team load a cert for me that required mixed case, and they defined the LABEL with all caps.

Carmen


On 9/7/2022 5:51 PM, Phil Smith III wrote:
I'm getting this trying to use a self-signed certificate. I put it into
gskkyman and when I try to connect (outbound from z/OS) I get

Certificate validation error

from GSK_SECURE_SOCKET_INIT. Running a gsktrace shows:
09/07/2022-17:30:14 Thd-1 ERROR check_cert_extensions_3280_and_later():
Basic Constraints extension must be critical for CA Certificate

09/07/2022-17:30:14 Thd-1 EXIT check_cert_extensions_3280_and_later(): <---
Exit status 0x03353071 (53817457)

09/07/2022-17:30:14 Thd-1 ERROR validate_certificate_basics(): Unable to
verify certificate extensions: Error 0x03353071

09/07/2022-17:30:14 Thd-1 ERROR get_issuer_certificate(): Unable to validate
CA certificate: Error 0x03353071

I find nothing for that error in the doc (either the text or the error
number). https://colinpaice.blog/2021/11/03/using-z-os-ldap-with-tls-1-3/
discusses the error, but I don't know how to check it! Other clients work
but that doesn't prove much - we know z/OS is more stringent about following
the rules than many.

Ideas?


----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
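
An added example, not part of the original thread: one way to check the condition the gsktrace reports ("Basic Constraints extension must be critical for CA Certificate") on an exported PEM or DER copy of the certificate, using only the Python standard library. The function names and the sample byte strings are constructed for illustration; the samples are bare Extensions fragments, not full certificates.

```python
import base64

BC_OID = bytes.fromhex("0603551d13")  # DER encoding of OID 2.5.29.19 (basicConstraints)

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def children(buf, start, end):
    while start < end:
        tag, vs, ve = read_tlv(buf, start)
        yield tag, vs, ve
        start = ve

def find_basic_constraints(buf, start=0, end=None):
    """Search constructed elements for the Basic Constraints Extension."""
    end = len(buf) if end is None else end
    for tag, vs, ve in children(buf, start, end):
        if not tag & 0x20:  # primitive element: nothing to descend into
            continue
        if tag == 0x30 and buf[vs:vs + 5] == BC_OID:
            parts = list(children(buf, vs, ve))
            # critical is BOOLEAN DEFAULT FALSE, so DER omits it when false
            critical = parts[1][0] == 0x01 and buf[parts[1][1]] != 0
            _, bvs, bve = read_tlv(buf, parts[-1][1])  # SEQUENCE inside extnValue
            inner = list(children(buf, bvs, bve))
            ca = bool(inner) and inner[0][0] == 0x01 and buf[inner[0][1]] != 0
            return {"critical": critical, "ca": ca}
        found = find_basic_constraints(buf, vs, ve)
        if found is not None:
            return found
    return None

def ca_without_critical_bc(cert):
    """True when the cert is a CA cert whose Basic Constraints is not critical."""
    if b"-----BEGIN" in cert:  # PEM: strip armor lines, decode the base64 body
        cert = base64.b64decode(b"".join(
            l for l in cert.splitlines() if not l.startswith(b"-----")))
    bc = find_basic_constraints(cert)
    return bc is not None and bc["ca"] and not bc["critical"]

# Constructed Extensions fragments (not full certificates) for demonstration
NONCRIT_CA = bytes.fromhex("300e300c0603551d13040530030101ff")
CRIT_CA = bytes.fromhex("3011300f0603551d130101ff040530030101ff")
END_ENTITY = bytes.fromhex("300b30090603551d1304023000")
```

A certificate for which `ca_without_critical_bc` returns True has cA set but the extension's critical flag absent, which is the combination the trace message describes.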
