RE: Die 7.1 Die! Was: FW: gsk rc =415, GSK_ERROR_BAD_PEER woes

Yes, I've been thru all the stuff in that IBM support doc.
Our dev machine has QSSL* system values to enable all TLS versions and the SSLCONFIG has been set to allow all the ciphers that IBM support at V7R1.
So I guess nobody knows of any such thing as a "GSK trace".

Brad,
The urls are valocity.co.nz (this connects OK) and velocity-uat.co.nz (does not)
I believe they use a white list to reject unlicensed client connections but that should be after the handshake and that's where it's failing.


Regards, Peter

-----Original Message-----
From: MIDRANGE-L [mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of Rob Berendt
Sent: Thursday, 20 October 2016 2:07 AM
To: Midrange Systems Technical Discussion
Subject: Die 7.1 Die! Was: FW: gsk rc =415, GSK_ERROR_BAD_PEER woes

<snip>
see if it's not V7R1 that has the issues. From what I understand they're not updating SSL any more on V7R1 even though it's still supported and behind as far as the required updates that were made at the end of July for most SSL processes.
</snip>

Configuring Your IBM i System Secure Sockets Layer (SSL)/Transport Layer Security (TLS) Protocols and Cipher Suites
http://www-01.ibm.com/support/docview.wss?uid=nas8N1020876
Goes into detail on what PTF's you need (even at 7.1) and what Cipher Suites are considered "weak". We recently had internal, and external, scanning completed and had to go whole hog to purge these out.
Details on how to config this are in there.
Modified date: 2016-07-11

Now that I've added useful information I reserve the right to rant.
"IF" IBM is not enhancing 7.1 to new cipher suites and stuff they need to announce end of support. The sooner the better. Especially for those budgeting for next year.

Being purchased by a public company and having to go through SOX and being behind on cipher suites does not go well.



Rob Berendt