On 16 June 2017 at 01:57, Andrew Rowley <and...@blackhillsoftware.com> wrote:
> That still doesn't really help me. I'm trying to understand how AT-TLS
> guards against MITM for client connections.
>
> E.g. let's say I had a Cobol job that sent email. I now want to connect to
> Gmail which uses TLS. Can I plug in AT-TLS without changing the job? How is
> the server certificate validated?
>

It's validated the same way(s) any TLS client app (such as your desktop browser) validates a server certificate. I'm not sure why you seem to think this can't be done without client application program involvement. You can configure AT-TLS to perform whatever kind of cert validation you think necessary, from none to mere internal consistency to the whole CA chain, CRLs, etc. All this session setup work is farmed out to AT-TLS, and the application program sees only plain text at the socket interface. (Actually the app can get involved if it wants to - an app can be "aware" or "controlling" wrt AT-TLS, but most apps are oblivious and require no change.)

The list of AT-TLS options is huge and hard to get a quick picture of, but you can look through the IP Configuration Reference in the Policy Agent and policy applications AT-TLS section to get an idea. For example the CertValidationMode keyword controls how certs are validated, and in another config section the OcspUrl keyword can point to an OCSP server.

Tony H.

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
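A Policy Agent fragment showing where those keywords sit for the outbound mail-job case, added here as an illustration and not part of Tony's message or of any IBM sample. It assumes a batch job named SMTPJOB, a keyring named SMTPRING and a placeholder OCSP responder URL; statement and keyword names other than CertValidationMode and OcspUrl are as I recall them from the IP Configuration Reference, so verify them against your release.

```text
# AT-TLS policy fragment (constructed example): the COBOL job connects in
# clear text, AT-TLS wraps the socket in TLS and validates the server cert.

TTLSRule        SmtpClientOut
{
  Jobname                   SMTPJOB       # assumption: name of the mail batch job
  RemoteAddr                ALL
  RemotePortRange           465           # implicit-TLS SMTP port; STARTTLS on 587
                                          # would need an "aware" or "controlling" app
  Direction                 Outbound
  TTLSGroupActionRef        grpSmtpOn
  TTLSEnvironmentActionRef  envSmtpClient
}

TTLSGroupAction grpSmtpOn
{
  TTLSEnabled               On
}

TTLSEnvironmentAction envSmtpClient
{
  HandshakeRole             Client        # AT-TLS plays the TLS client on the job's behalf
  TTLSKeyringParms
  {
    Keyring                 SMTPRING      # assumption: keyring holding the trusted CA certificates
  }
  TTLSEnvironmentAdvancedParms
  {
    CertValidationMode      RFC5280       # full chain validation; "Any" is the weak setting to avoid
    SSLv3                   Off           # protocol-version keywords as recalled from the reference
    TLSv1                   Off
    TLSv1.1                 Off
    TLSv1.2                 On
  }
  TTLSGskOcspParms
  {
    OcspAiaEnable           On            # follow the AIA extension in the server certificate
    OcspUrl                 http://ocsp.example.invalid/   # assumption: placeholder responder
  }
}
```

Check the handshake result in the TTLS trace or the stack's syslog messages before trusting the path; a rule that never maps leaves the job sending in clear text with no error from the application.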