MIDRANGE dot COM Mailing List Archive



Home » MIDRANGE-L » April 2014

Turning on TLS 1.2




With all the recent discussions on SSL due to the OpenSSL bug and the process to verify our iSeries was not affected by this, we had one scanning site make a strong recommendation to enable TLS 1.2 support. I know that as of V7.1 IBM did add TLS 1.2 support and found reference to how to enable it. In looking at our system I noticed that system value QSSLCSLCTL is set to *USRDFN and I do not know how long it has been that way. It may have been from before we upgraded from V5R4 to V7.1, which, if I read IBM docs correctly, means the cipher list in QSSLCSL would not get automatically updated on an upgrade and just adding TLS 1.1 and TLS 1.2 support on QSSLPCL would not add to the cipher list automatically.

So that brings me to two questions before I fully enable TLS 1.2.

1) Has anyone else done this and if so, were there any gotchas to be aware of?

2) Is this the complete list of all current ciphers that should be defined?

a. *RSA_RC4_128_SHA

b. *RSA_AES_128_CBC_SHA

c. *RSA_RC4_128_MD5

d. *RSA_AES_256_CBC_SHA

e. *RSA_3DES_EDE_CBC_SHA

f. *RSA_DES_CBC_SHA

g. *RSA_EXPORT_RC4_40_MD5

h. *RSA_EXPORT_RC2_CBC_40_MD5

i. *RSA_NULL_SHA

j. *RSA_NULL_MD5

Some of my reference links
http://www.itjungle.com/bns/bns020613-story01.html
http://ibmsystemsmag.blogs.com/i_can/2013/02/new-system-ssl-support.html
https://www.ibm.com/developerworks/ibmi/library/i-system-ssl-ibmi/index.html

Thanks

Mike Cunningham
Pennsylvania College of Technology
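
An added example, not part of the original post and not IBM tooling: a Python check that runs over the ten cipher specifications listed above, flags the entries whose names mark them as NULL, export-grade, single-DES, RC4, RC2 or MD5 suites, and reports whether any entry is a suite that exists only in TLS 1.2. The rule table, the function names and the SHA256/SHA384/GCM name test are assumptions of this example.

```python
import re

# The ten entries quoted in the post above.
POSTED_LIST = [
    "*RSA_RC4_128_SHA", "*RSA_AES_128_CBC_SHA", "*RSA_RC4_128_MD5",
    "*RSA_AES_256_CBC_SHA", "*RSA_3DES_EDE_CBC_SHA", "*RSA_DES_CBC_SHA",
    "*RSA_EXPORT_RC4_40_MD5", "*RSA_EXPORT_RC2_CBC_40_MD5",
    "*RSA_NULL_SHA", "*RSA_NULL_MD5",
]

# (name token, finding) pairs. This table is the example's own, not an IBM list.
RULES = [
    (r"_NULL_", "no encryption"),
    (r"_EXPORT_", "export-grade 40-bit key"),
    (r"_DES_CBC_", "single DES, 56-bit key"),
    (r"_RC4_", "RC4 stream cipher"),
    (r"_RC2_", "RC2 cipher"),
    (r"_MD5$", "MD5 MAC"),
]

# Assumption: a suite defined only for TLS 1.2 carries a SHA-2 or GCM token
# in its name, as the SHA-256/SHA-384 and AES-GCM suites do in the TLS RFCs.
TLS12_ONLY = re.compile(r"SHA256|SHA384|GCM")


def findings(spec):
    """Return the list of findings for one cipher specification name."""
    return [msg for pattern, msg in RULES if re.search(pattern, spec)]


def audit(specs):
    """Split a cipher list into flagged, unflagged and TLS 1.2-only entries."""
    flagged = {s: findings(s) for s in specs if findings(s)}
    unflagged = [s for s in specs if s not in flagged]
    tls12_only = [s for s in specs if TLS12_ONLY.search(s)]
    return flagged, unflagged, tls12_only


if __name__ == "__main__":
    flagged, unflagged, tls12_only = audit(POSTED_LIST)
    for spec, why in flagged.items():
        print(f"FLAG  {spec:30} {', '.join(why)}")
    for spec in unflagged:
        print(f"keep  {spec}")
    print("TLS 1.2-only suites in list:", tls12_only or "none")
```

On the posted list this flags seven of the ten entries and finds no TLS 1.2-only suite, which matches the concern in the post that enabling the protocol on QSSLPCL alone does not change a user-defined cipher list.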






