


On 26-Jul-2016 06:55 -0500, Bradley Stone wrote:

We had a customer with a similar issue on V7R1 with our GETURI
software. Here's a link to an article I wrote about it:

[http://www.fieldexit.com/forum/display?threadid=170]

In a nutshell, V7R1 didn't play nice with settings for the SSL APIs.
We had to update our software to specifically tell it which TLS
version to use.

The default setting for calling the SSL APIs was zero (0) which meant
"use the system value". That didn't work when the system was told to
use TLS v1/2. When we updated our application so the user could set
the version and use TLSv1 or v2, it worked fine.

You may want to post this on the HTTPAPI mailing list. It's possible
Scott has something similar in his software you can use. (Maybe
that's what those extra parms are for).

You may also want to look for a PTF that solves this issue. This was
a while ago and I'd hope they have fixed it (it is fixed in V7R2 and
up). Maybe a call to IBM would help.


Fourth attempt to send; this time replying to a reply that did finally take, instead of replying directly to the above quoted message. Plus munging lines that previously started with "From:"; that was probably the issue, as typically I would replace that with "Author:" if I remembered... and likely this reply will finally go through. Makes me wonder how many other times my replies have been lost similarly with no indication except if, for my having looked.

The following web search yielded some links that might be related:
[https://www.google.com/search?q=INCORROUT+TLSv1+OR+TLSv2]

For example, the later\following ibm.com link to a V7R1 PTF may be of interest in that regard. Noting: the effect of the PTF SI57332 shown, is apparently predicated on the actions described having been performed prior; i.e. actions beyond simply applying the PTF are required.

And FWiW: A search on that PTF within midrange archives finds these two articles with the first perhaps a /presumed confirmation/ to that effect:

[http://archive.midrange.com/midrange-l/201507/msg00239.html]
≥Subject: Re: SSL client connection error - SSL_Handshake(): Peer not recognized or badly formatted message received.
≥From: Bradley Stone

[http://archive.midrange.com/midrange-l/201512/msg00623.html]
≥Subject: RE: Client Access, Access Client and certificates
≥From: "Steinmetz, Paul"

[www.ibm.com/support/docview.wss?uid=nas39d8f3c581309ec3886257e7e007eb678]
"SI57332 - OSP-COMM-SSL Allow TLSv1.2 in System SSL default
Abstract: OSP-COMM-SSL Allow TLSv1.2 in System SSL default
[…]
APAR Error Description / Circumvention
-----------------------------------------------
Customer is unable to get 3rd party application updated to support the TLSv1.2 protocol. The need exists to make applications coded to use the default protocol use TLSv1.2 at a system level to get around the 3rd party.

CORRECTION FOR APAR SE62307 :
-----------------------------
TLSv1.2 and TLSv1.1 can be added to the System SSL eligible default protocol list using System Service Tools (SST) Advanced Analysis Command SSLCONFIG.

The intersection of the System SSL eligible default protocol list and the QSSLPCL system value list of enabled protocols determines the System SSL default protocol list used by applications.

For applications using the deprecated SSL_ interface, this value indicates the application is using the system default protocol list:
SSL_VERSION_CURRENT set on either the SSL_Init_Application() or SSL_Handshake() API.

For GSKit, when TLSv1.2 is added to the System SSL eligible default protocol list, TLSv1.2 will be supported for the application as long as gsk_attribute_set_enum() has not been called with GSK_PROTOCOL_TLSV1_OFF as the value.

To change the System SSL System SSL eligible default protocol list with the Start System Service Tools (STRSST) command, follow these steps:

1. Open a character-based interface.
2. On the command line, type STRSST.
3. Type your service tools user name and password.
4. Select option 1 (Start a service tool).
5. Select option 4 (Display/Alter/Dump).
6. Select option 1 (Display/Alter storage).
7. Select option 2 (Licensed Internal Code (LIC) data).
8. Select option 14 (Advanced analysis).
9. Select option 1 (SSLCONFIG).
10. Enter -h

This will show the help screen that describes the input strings to change the System SSL setting for -eligibleDefaultProtocols

CIRCUMVENTION FOR APAR SE62307 :
--------------------------------
Change the application code to request TLSv1.2 explicitly.
[…]
Cumulative Level C5317710"
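
As an added illustration (not part of the original post or of IBM's cover letter), the Python sketch below models the rule quoted above: the System SSL default list is the intersection of the eligible default protocol list and QSSLPCL, and an application that relies on the default fails against a TLSv1.2-only peer until either list or the application changes. The protocol labels, the sample list contents and the assumption that QSSLPCL also caps explicitly requested protocols are choices made for this model.

```python
# Model of the rule in the SI57332 cover letter. Protocol names are labels
# for this sketch (strongest first), not system value or API constants.
PROTOCOLS = ("TLSv1.2", "TLSv1.1", "TLSv1.0", "SSLv3")


def default_protocols(eligible_default, qsslpcl):
    """System SSL default list: eligible default list intersected with QSSLPCL."""
    return [p for p in PROTOCOLS if p in eligible_default and p in qsslpcl]


def offered_protocols(eligible_default, qsslpcl, explicit=None):
    """Protocols the client offers in its handshake.

    explicit=None models an application that takes the system default
    (e.g. SSL_VERSION_CURRENT). Otherwise the application names protocols
    itself; the model assumes QSSLPCL still caps what can be used.
    """
    if explicit is None:
        return default_protocols(eligible_default, qsslpcl)
    return [p for p in PROTOCOLS if p in explicit and p in qsslpcl]


def diagnose(eligible_default, qsslpcl, server_accepts, explicit=None):
    """Return (negotiated protocol or None, remediation hint)."""
    offered = offered_protocols(eligible_default, qsslpcl, explicit)
    for proto in offered:
        if proto in server_accepts:
            return proto, "ok"
    enabled_match = [p for p in PROTOCOLS if p in qsslpcl and p in server_accepts]
    if not enabled_match:
        return None, "no protocol the server accepts is enabled in QSSLPCL"
    if explicit is None:
        return None, ("add %s to the eligible default list (SSLCONFIG) or "
                      "request it explicitly in the application" % enabled_match[0])
    return None, "application must request %s explicitly" % enabled_match[0]


# Constructed sample values, not taken from a real system.
QSSLPCL = {"TLSv1.2", "TLSv1.1", "TLSv1.0"}
ELIGIBLE_BEFORE = {"TLSv1.0"}             # assumed state before SSLCONFIG change
ELIGIBLE_AFTER = {"TLSv1.2", "TLSv1.1", "TLSv1.0"}
SERVER = {"TLSv1.2"}                      # peer that accepts only TLSv1.2

if __name__ == "__main__":
    print(diagnose(ELIGIBLE_BEFORE, QSSLPCL, SERVER))
    print(diagnose(ELIGIBLE_AFTER, QSSLPCL, SERVER))
    print(diagnose(ELIGIBLE_BEFORE, QSSLPCL, SERVER, explicit={"TLSv1.2"}))
```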

