Any,
Isn't the QSSLCSL system value maintained by PTFs?
Below are my current system values.
System value . . . . . : QSSLCSL
Description . . . . . : Secure sockets layer cipher specification list
Sequence Cipher
number Suite
0
10 *RSA_AES_128_CBC_SHA
20 *RSA_RC4_128_SHA
30 *RSA_RC4_128_MD5
40 *RSA_AES_256_CBC_SHA
50 *RSA_3DES_EDE_CBC_SHA
60 *RSA_DES_CBC_SHA
70 *RSA_EXPORT_RC4_40_MD5
80 *RSA_EXPORT_RC2_CBC_40_MD5
90 *RSA_NULL_SHA
100 *RSA_NULL_MD5
System value . . . . . : QSSLCSLCTL
Description . . . . . : Secure sockets layer cipher control
Cipher control . . . . : *OPSYS *OPSYS, *USRDFN
System value . . . . . : QSSLPCL
Description . . . . . : Secure sockets layer protocols
Protocols
*OPSYS
Paul
From: AHoerle@xxxxxxxxxxxxx [mailto:AHoerle@xxxxxxxxxxxxx]
Sent: Tuesday, March 24, 2015 10:35 AM
To: Midrange Systems Technical Discussion
Cc: Steinmetz, Paul
Subject: RE: Confirming SSLv2 and SSLv3 usage, disabling
Paul,
Yes, you will want to change the QSSLCLS system value. Here's what I am using now on my 7.1 systems to eliminate SSLv3 and the reduce the number of allowed Ciphers for my servers:
System value . . . . . : QSSLCSL
Description . . . . . : Secure sockets layer cipher specification list
Sequence Cipher
number Suite
0
10 *RSA_AES_256_CBC_SHA256
20 *RSA_AES_128_CBC_SHA256
30 *RSA_AES_128_CBC_SHA
40 *RSA_AES_256_CBC_SHA
50 *RSA_3DES_EDE_CBC_SHA
60 *RSA_DES_CBC_SHA
System value . . . . . : QSSLCSLCTL
Description . . . . . : Secure sockets layer cipher contro
Cipher control . . . . : *USRDFN *OPSYS, *USRDFN
System value . . . . . : QSSLPCL
Description . . . . . : Secure sockets layer protocols
Protocols
*TLSV1
*TLSV1.1
*TLSV1.2
Amy Hoerle
System Administrator
Think Mutual Bank
5200 Members Pkwy NW, Box 5949
Rochester, MN 55901
507-536-5815 or
800-288-3425 Ext 5815
ahoerle@xxxxxxxxxxxxx<mailto:ahoerle@xxxxxxxxxxxxx>
From: "Steinmetz, Paul" <PSteinmetz@xxxxxxxxxx<mailto:PSteinmetz@xxxxxxxxxx>>
To: "'Midrange Systems Technical Discussion'" <midrange-l@xxxxxxxxxxxx<mailto:midrange-l@xxxxxxxxxxxx>>
Date: 03/23/2015 10:51 AM
Subject: RE: Confirming SSLv2 and SSLv3 usage, disabling
Sent by: "MIDRANGE-L" <midrange-l-bounces@xxxxxxxxxxxx<mailto:midrange-l-bounces@xxxxxxxxxxxx>>
________________________________
Jim,
System values.
Do I need to change QSSLCSL?
Normally, this is managed by IBM PTFs, correct?
QSSLCSL *SEC Secure sockets layer cipher specification list
QSSLCSLCTL *SEC Secure sockets layer cipher control
QSSLPCL *SEC Secure sockets layer protocols
Paul
-----Original Message-----
From: MIDRANGE-L [mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of Jim Oberholtzer
Sent: Monday, March 23, 2015 11:36 AM
To: 'Midrange Systems Technical Discussion'
Subject: RE: Confirming SSLv2 and SSLv3 usage, disabling
http://yourserveraddress:2001<
http://yourserveraddress:2001/>
Make sure the *ADMIN http server is running .
--
Jim Oberholtzer
Chief Technical Architect
Agile Technology Architects
-----Original Message-----
From: MIDRANGE-L [mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of Steinmetz, Paul
Sent: Monday, March 23, 2015 10:34 AM
To: 'Midrange Systems Technical Discussion'
Subject: RE: Confirming SSLv2 and SSLv3 usage, disabling
Jim,
Where in admin?
Not finding anything browsing.
Paul
-----Original Message-----
From: MIDRANGE-L [mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of Jim Oberholtzer
Sent: Monday, March 23, 2015 11:17 AM
To: 'Midrange Systems Technical Discussion'
Subject: RE: Confirming SSLv2 and SSLv3 usage, disabling
Easiest is *ADMIN server.
--
Jim Oberholtzer
Chief Technical Architect
Agile Technology Architects
-----Original Message-----
From: MIDRANGE-L [mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of Steinmetz, Paul
Sent: Monday, March 23, 2015 10:16 AM
To: 'Midrange Systems Technical Discussion'
Subject: RE: Confirming SSLv2 and SSLv3 usage, disabling
Rob,
I think so, but not sure.
Where do we look to see if configured?
Paul
-----Original Message-----
From: MIDRANGE-L [mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of rob@xxxxxxxxx<mailto:rob@xxxxxxxxx>
Sent: Monday, March 23, 2015 11:09 AM
To: Midrange Systems Technical Discussion
Subject: Re: Confirming SSLv2 and SSLv3 usage, disabling
Ok, maybe you found no usage, but that may not mean that you don't still have it configured? Is that the issue?
Rob Berendt
--
IBM Certified System Administrator - IBM i 6.1 Group Dekko Dept 1600 Mail
to: 2505 Dekko Drive
Garrett, IN 46738
Ship to: Dock 108
6928N 400E
Kendallville, IN 46755
http://www.dekko.com<
http://www.dekko.com/>
From: "Steinmetz, Paul" <PSteinmetz@xxxxxxxxxx<mailto:PSteinmetz@xxxxxxxxxx>>
To: "'Midrange Systems Technical Discussion'"
<midrange-l@xxxxxxxxxxxx<mailto:midrange-l@xxxxxxxxxxxx>>
Date: 03/23/2015 10:53 AM
Subject: Confirming SSLv2 and SSLv3 usage, disabling
Sent by: "MIDRANGE-L" <midrange-l-bounces@xxxxxxxxxxxx<mailto:midrange-l-bounces@xxxxxxxxxxxx>>
I was notified by our corporate security admin (via Nessus scan) that
SSLv2 and SSLv3 were still being used on the I and needed to be disabled.
20007
SSL Version 2
and 3 Protocol
Detection
Medium 10.5.2.5 TCP
21 No iSeries
I turned on the TRCINT per doc N1020594, left it run for 7 days, found no usage of SSLv2 or SSLv3, only *TLSV1.0
http://www-01.ibm.com/support/docview.wss?uid=nas8N1020594
What am I missing here?
How and where do I confirm if SSLv2 or SSLv3 is still configured?
How do I disable?
Thank You
_____
Paul Steinmetz
IBM i Systems Administrator
Pencor Services, Inc.
462 Delaware Ave
Palmerton Pa 18071
610-826-9117 work
610-826-9188 fax
610-349-0913 cell
610-377-6012 home
psteinmetz@xxxxxxxxxx<mailto:psteinmetz@xxxxxxxxxx>
http://www.pencor.com/
--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list To post a message email: MIDRANGE-L@xxxxxxxxxxxx<mailto:MIDRANGE-L@xxxxxxxxxxxx> To subscribe, unsubscribe, or change list options,
visit:
http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx<mailto:MIDRANGE-L-request@xxxxxxxxxxxx> Before posting, please take a moment to review the archives at
http://archive.midrange.com/midrange-l.
--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list To post a message email: MIDRANGE-L@xxxxxxxxxxxx<mailto:MIDRANGE-L@xxxxxxxxxxxx> To subscribe, unsubscribe, or change list options,
visit:
http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx<mailto:MIDRANGE-L-request@xxxxxxxxxxxx> Before posting, please take a moment to review the archives at
http://archive.midrange.com/midrange-l.
--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list To post a message email: MIDRANGE-L@xxxxxxxxxxxx<mailto:MIDRANGE-L@xxxxxxxxxxxx> To subscribe, unsubscribe, or change list options,
visit:
http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx<mailto:MIDRANGE-L-request@xxxxxxxxxxxx> Before posting, please take a moment to review the archives at
http://archive.midrange.com/midrange-l.
--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list To post a message email: MIDRANGE-L@xxxxxxxxxxxx<mailto:MIDRANGE-L@xxxxxxxxxxxx> To subscribe, unsubscribe, or change list options,
visit:
http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx<mailto:MIDRANGE-L-request@xxxxxxxxxxxx> Before posting, please take a moment to review the archives at
http://archive.midrange.com/midrange-l.
--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list To post a message email: MIDRANGE-L@xxxxxxxxxxxx<mailto:MIDRANGE-L@xxxxxxxxxxxx> To subscribe, unsubscribe, or change list options,
visit:
http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx<mailto:MIDRANGE-L-request@xxxxxxxxxxxx> Before posting, please take a moment to review the archives at
http://archive.midrange.com/midrange-l.
--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list To post a message email: MIDRANGE-L@xxxxxxxxxxxx<mailto:MIDRANGE-L@xxxxxxxxxxxx> To subscribe, unsubscribe, or change list options,
visit:
http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx<mailto:MIDRANGE-L-request@xxxxxxxxxxxx> Before posting, please take a moment to review the archives at
http://archive.midrange.com/midrange-l.
--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list
To post a message email: MIDRANGE-L@xxxxxxxxxxxx<mailto:MIDRANGE-L@xxxxxxxxxxxx>
To subscribe, unsubscribe, or change list options,
visit:
http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx<mailto:MIDRANGE-L-request@xxxxxxxxxxxx>
Before posting, please take a moment to review the archives
at
http://archive.midrange.com/midrange-l.
As an Amazon Associate we earn from qualifying purchases.