Hi,

I've been consuming web services with ASA 9.0.2.3267+ for several years
now. One of the sites that I do business with had their certificate expire
this month, and got a new certificate from Go Daddy Secure Certification
Authority. Now when I try to consume the web service, I get the error from
ASA:

SQLSTATE = S1000
[Sybase][ODBC Driver][Adaptive Server Anywhere]The secure connection to the
remote host failed: The TLS handshake failed, error code -6983

Their old certificate, that worked just fine, was issued by Starfield
Secure Certification Authority.

What would be causing this error? Doesn't ASA recognize Go Daddy as a
valid certificate authority? Is there any way around this? Can ASA be made
to allow the connection?
Thanks!

JR

JR wrote:
ASA doesn't recognize anything by itself -- you need to supply a
certificate to trust. In this case, the server's certificate should be
signed by GoDaddy, so supplying the GoDaddy certificate (should be
publicly available) should work.

Look at how the web procedure was created; it should specify a
certificate. You'll need to alter the procedure to use a different
certificate.

--

Graeme Perrow
Senior Software Developer
gperrow _at_ ianywhere _dot_ com
iAnywhere Solutions Inc.
A Sybase company

Whitepapers, TechDocs, bug fixes are all available through the iAnywhere
Developer Community at http://www.ianywhere.com/developer/

"Graeme Perrow" <ReplyToNewsgroupOnly-gperrowNO (AT) SPAMianywhere (DOT) PLEASEcom>
wrote in message news:47161280 (AT) forums-1-dub (DOT) ..
The web procedure was created to use a dynamic certificate. I supplied the
new certificate, and it did not work.

JR wrote:
Did you give it the same certificate as the web server is using, or the
signing certificate? You should be giving it the signing certificate.

--

Graeme Perrow
Senior Software Developer
gperrow _at_ ianywhere _dot_ com
iAnywhere Solutions Inc.
A Sybase company

Whitepapers, TechDocs, bug fixes are all available through the iAnywhere
Developer Community at http://www.ianywhere.com/developer/

"Graeme Perrow" <ReplyToNewsgroupOnly-gperrowNO (AT) SPAMianywhere (DOT) PLEASEcom>
wrote in message news:47166670$1 (AT) forums-1-dub (DOT) ..
I gave it the signing certificate. I've been doing this for years, since ASA
9 offered the ability to do it. I understand how the call works, and how the
certificate works, and I assure you that I am passing the proper information
to the webservice.

JR wrote:
You reported that you are getting error code -6983, which is an
indication of an incomplete certificate chain. Possibly the certificate
used by the server does not contain the entire signing certificate chain.

Have you tried the readcert.exe utility? Run that on the server's
certificate. If it says "Failed to validate certificate chain", the
server certificate doesn't contain the entire chain.

--

Graeme Perrow
Senior Software Developer
gperrow _at_ ianywhere _dot_ com
iAnywhere Solutions Inc.
A Sybase company

Whitepapers, TechDocs, bug fixes are all available through the iAnywhere
Developer Community at http://www.ianywhere.com/developer/

"Graeme Perrow" <ReplyToNewsgroupOnly-gperrowNO (AT) SPAMianywhere (DOT) PLEASEcom>
wrote in message news:471f7723$3 (AT) forums-1-dub (DOT) ..
Apparently it was something in the chain. The entity told me they had to
install an intermediate bundle chain file, and it resolved the trust
problem.

I was not aware of the readcert utility. I ran it against the certificate
that didn't work, as well as the new certificate that does work. Both times
it says: Failed to validate certificate chain