Don't look server side. Problem is more likely in the browser. Early versions of IE did not enable TLS 1.1 and 1.2 by default. You have to turn them on. In some versions of IE, turning on 1.1 and 1.2 and turning off 1.0 does not make a connection, but turning off 1.2 and turning 1.0 back on makes 1.1 work. I am using Chrome 47 and can connect TLS 1.2 to my iSeries.
Check here to find the browser you need:
https://en.wikipedia.org/wiki/Template:TLS/SSL_support_history_of_web_browsers
Notice that IE is also dependent on the OS.
Do you happen to use a Verisign certificate on your iSeries? We discovered recently, with a lot of help from IBM, that a root certificate from Verisign was causing a problem with Client Access connecting SSL (telnet SSL worked but the rest of Client Access would not work SSL). When we put a newer root certificate on, it broke older versions of Client Access telnet SSL. Working now to get those systems current.
-----Original Message-----
From: MIDRANGE-L [mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of David Dunnion
Sent: Friday, January 22, 2016 11:53 AM
To: midrange-l@xxxxxxxxxxxx
Subject: TLS 1.2 on 7.1 - cipher suite mismatch issues
Hi,
I have TLS 1.2 enabled for my HTTP server but it's only working for certain browsers, IE 11 & Edge and some older browser versions. In Chrome I get the error "ERR_SSL_VERSION_OR_CIPHER_MISMATCH" and Firefox gives the error "ssl_error_protocol_version_alert" and the site doesn't load.
In my test HTTP config file I have set my cipher suite list like below which matches the only cipher suites I have on my system (7.1, TR7) that Chrome supports:
SSLCipherSpec TLS_RSA_WITH_AES_256_CBC_SHA
SSLCipherSpec TLS_RSA_WITH_AES_128_CBC_SHA
SSLCipherSpec TLS_RSA_WITH_3DES_EDE_CBC_SHA
But I still can't get a connection. Using www.ssllabs.com/ssltest/ I have checked some other sites which work fine for TLS 1.2 using the AES_128_CBC cipher. The only difference being those sites also have the more modern ECDHE cipher suites listed too even though they are not used for the connection. I can't go to 7.2 with this box for a long time.
Has anyone come across this problem before on 7.1?
Thanks,
David
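
An added example, not part of either message above: a client-side probe that offers exactly one protocol version and one of the three SSLCipherSpec suites per handshake, so a version refusal can be told apart from a cipher refusal. The OpenSSL suite names are the standard equivalents of the IANA names in the post; the host name `iseries.example.com` is a placeholder.

```python
import socket
import ssl

# IANA names from the SSLCipherSpec lines in the post, mapped to the OpenSSL
# names that Python's ssl module expects.
SUITES = {
    "TLS_RSA_WITH_AES_256_CBC_SHA": "AES256-SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA": "AES128-SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA": "DES-CBC3-SHA",
}
VERSIONS = {
    "TLSv1.0": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
}

def probe(host, port, version, openssl_cipher, timeout=5.0):
    """Offer exactly one protocol version and one suite; describe the outcome."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # negotiation test only, trust is not checked
    try:
        ctx.minimum_version = version  # set the floor first, then the ceiling
        ctx.maximum_version = version
        # SECLEVEL=0 lets a modern OpenSSL offer legacy versions and suites
        ctx.set_ciphers(openssl_cipher + ":@SECLEVEL=0")
    except (ssl.SSLError, ValueError) as exc:
        return f"local OpenSSL cannot offer this: {exc}"
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return f"ok: {tls.version()} {tls.cipher()[0]}"
    except ssl.SSLError as exc:  # TLS-level failure, e.g. a version or cipher alert
        return f"handshake failed: {exc.reason or exc}"
    except OSError as exc:  # refused, reset or timed out
        return f"connection error: {exc}"

def matrix(host, port=443):
    """Probe every version/suite pair; keys are (version, IANA suite name)."""
    return {(vname, sname): probe(host, port, ver, ossl)
            for vname, ver in VERSIONS.items()
            for sname, ossl in SUITES.items()}

if __name__ == "__main__":
    # "iseries.example.com" is a placeholder host name, not from the post
    for (vname, sname), outcome in matrix("iseries.example.com").items():
        print(f"{vname:8} {sname:32} {outcome}")
```

A row reading "local OpenSSL cannot offer this" says the probing machine's own TLS library lacks that version or suite, not that the server refused it.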