


On 24-Mar-2015 09:44 -0500, Steinmetz, Paul wrote:
On Tuesday, March 24, 2015 10:35 AM AHoerle wrote:

Yes, you will want to change the QSSLCSL system value. Here's what
I am using now on my 7.1 systems to eliminate SSLv3 and reduce
the number of allowed Ciphers for my servers:

System value: QSSLCSL
Description: Secure sockets layer cipher specification list
Sequence Cipher
number Suite
0
10 *RSA_AES_256_CBC_SHA256
20 *RSA_AES_128_CBC_SHA256
30 *RSA_AES_128_CBC_SHA
40 *RSA_AES_256_CBC_SHA
50 *RSA_3DES_EDE_CBC_SHA
60 *RSA_DES_CBC_SHA

System value . . . . . : QSSLCSLCTL
Description . . . . . : Secure sockets layer cipher control
Cipher control . . . . : *USRDFN *OPSYS, *USRDFN

System value . . . . . : QSSLPCL
Description . . . . . : Secure sockets layer protocols
Protocols
*TLSV1
*TLSV1.1
*TLSV1.2


Isn't the QSSLCSL system value maintained by PTFs?

Below are my current system values.

System value: QSSLCSL
Description: Secure sockets layer cipher specification list
Sequence Cipher
number Suite
0
10 *RSA_AES_128_CBC_SHA
20 *RSA_RC4_128_SHA
30 *RSA_RC4_128_MD5
40 *RSA_AES_256_CBC_SHA
50 *RSA_3DES_EDE_CBC_SHA
60 *RSA_DES_CBC_SHA
70 *RSA_EXPORT_RC4_40_MD5
80 *RSA_EXPORT_RC2_CBC_40_MD5
90 *RSA_NULL_SHA
100 *RSA_NULL_MD5

System value . . . . . : QSSLCSLCTL
Description . . . . . : Secure sockets layer cipher control
Cipher control . . . . : *OPSYS *OPSYS, *USRDFN

System value . . . . . : QSSLPCL
Description . . . . . : Secure sockets layer protocols
Protocols
*OPSYS


The /control/ of the value(s) for the System Value QSSLCSL is *either* the OS or the User; while the control is in the domain of the OS, the System Value QSSLCSL is _read-only_. The Secure Sockets Layer Cipher Specification List Control (QSSLCSLCTL) System Value allows overriding the OS-controlled list of "Cipher Suite" values [defined by the Secure Sockets Layer Cipher Specification List (QSSLCSL) System Value] with a User-controlled list [thus making the System Value QSSLCSL change-capable rather than read-only], per the specification of *USRDFN that denotes the /control/ is User-Defined (*USRDFN) instead of System-Defined (*OPSYS).

<http://www.ibm.com/support/knowledgecenter/api/content/ssw_ibm_i_71/rzakz/rzakzqsslcslctl.htm>
_Security system values: Secure Sockets Layer cipher control_
"The Secure Sockets Layer cipher control system value is also known as QSSLCSLCTL. You can use this system value to specify whether the system or a user controls the Secure Sockets Layer cipher specification list (QSSLCSL) system value.
...

_Use system-defined_ (*OPSYS)

• The Secure Sockets Layer cipher specification list (QSSLCSL) system value is read-only. Its values are automatically modified to contain the list of cipher suites supported by the System SSL. If you use this option, the QSSLCSL system value is automatically updated with new cipher suite capabilities when you install or upgrade to a future release of the operating system.

_Use user-defined_ (*USRDFN)

• The QSSLCSL system value is editable. If you use this option, additional cipher suite capabilities are not added automatically when you move to a future release of the operating system. You have to determine if any new cipher suites are available and manually add the new cipher suites to the QSSLCSL system value if you want the System SSL to support them."
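
Added example, not part of the thread or of IBM's documentation: a small Python audit that reads pasted DSPSYSVAL text like the listings quoted above, flags cipher suites whose names indicate weak or absent encryption, and reports when QSSLCSL cannot be edited because QSSLCSLCTL is not *USRDFN. The function names and the set of name fragments treated as weak are assumptions of this example.

```python
import re

# Name fragments treated as weak (this example's assumption, not an IBM list).
WEAK = {
    "NULL": "no encryption",
    "EXPORT": "export-grade 40-bit key",
    "RC4": "RC4 stream cipher",
    "_DES_": "single DES, 56-bit key",
    "MD5": "MD5-based MAC",
}

# Constructed sample: the *OPSYS-controlled listing quoted in the thread.
SAMPLE = """\
System value: QSSLCSL
10 *RSA_AES_128_CBC_SHA
20 *RSA_RC4_128_SHA
30 *RSA_RC4_128_MD5
40 *RSA_AES_256_CBC_SHA
50 *RSA_3DES_EDE_CBC_SHA
60 *RSA_DES_CBC_SHA
70 *RSA_EXPORT_RC4_40_MD5
80 *RSA_EXPORT_RC2_CBC_40_MD5
90 *RSA_NULL_SHA
100 *RSA_NULL_MD5
System value . . . . . : QSSLCSLCTL
Cipher control . . . . : *OPSYS *OPSYS, *USRDFN
"""

def audit(listing):
    """Return (cipher control value, {suite: [reasons]}) for pasted DSPSYSVAL text."""
    suites = re.findall(r"^\s*\d+\s+(\*\w+)\s*$", listing, re.M)
    ctl = re.search(r"^\s*Cipher control[ .]*:\s*(\*\w+)", listing, re.M)
    findings = {}
    for suite in suites:
        reasons = [why for frag, why in WEAK.items() if frag in suite]
        if reasons:
            findings[suite] = reasons
    return (ctl.group(1) if ctl else None), findings

def report(listing):
    """List flagged suites; note when QSSLCSL is read-only (control not *USRDFN)."""
    control, findings = audit(listing)
    lines = [f"{suite}: {', '.join(why)}" for suite, why in findings.items()]
    if findings and control != "*USRDFN":
        lines.append("QSSLCSL is read-only: set QSSLCSLCTL to *USRDFN before editing")
    return lines

if __name__ == "__main__":
    print("\n".join(report(SAMPLE)))
```
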



This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].