Turing on TLS 1.2

With all the recent discussions on SSL due to the OpenSSL bug and the process to verify our iSeries was not affected by this, we had one scanning site make a strong recommendation to enable TLS 1.2 support. I know that as of V7.1 IBM did add TLS 1.2 support and found reference to how to enable it. In looking at our system I noticed that system value QSSLCLSCTL is set to *USRFDN and I do not know how long it has been that way. It may have been from before we upgraded from V5R4 to V7.1, which if I read IBM docs correctly, means the Cipher list in QSSLCSL would not get automatically updated on an upgrade and just adding TLS 1.1 and TLS 1.2 support on QSSLPCL would not add to the Cipher list automatically.

So beings be to two questions before I fully enable TLS 1.2.

1) Has anyone else done this and if so, were there any gotchas to be aware of?

2) Is this the complete list of all current Cipher's that should be defined?

a. *RSA_RC4_128_SHA

b. *RSA_AES_128_CBC_SHA

c. *RSA_RC4_128_MD5

d. *RSA_AES_256_CBC_SHA

e. *RSA_3DES_EDE_CBC_SHA

f. *RSA_DES_CBC_SHA

g. *RSA_EXPORT_RC4_40_MD5

h. *RSA_EXPORT_RC2_CBC_40_MD5

i. *RSA_NULL_SHA

j. *RSA_NULL_MD5

Some of my reference links
http://www.itjungle.com/bns/bns020613-story01.html
http://ibmsystemsmag.blogs.com/i_can/2013/02/new-system-ssl-support.html
https://www.ibm.com/developerworks/ibmi/library/i-system-ssl-ibmi/index.html

Thanks

Mike Cunningham
Pennsylvania College of Technology