Is there any way of confirming if the below ciphers that need to be deleted are still being used?

20 *RSA_RC4_128_SHA
30 *RSA_RC4_128_MD5
70 *RSA_EXPORT_RC4_40_MD5
80 *RSA_EXPORT_RC2_CBC_40_MD5
90 *RSA_NULL_SHA
100 *RSA_NULL_MD5

Paul

-----Original Message-----
From: MIDRANGE-L [mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of Roberto José Etcheverry Romero
Sent: Tuesday, March 24, 2015 10:54 AM
To: Midrange Systems Technical Discussion
Subject: Re: Confirming SSLv2 and SSLv3 usage, disabling

Paul,

According to that list you have some deprecated ciphers allowed. The 40 bit
RC2 and RC4 have been deprecated IIRC. At least Firefox disabled support for those in recent updates...

On Tue, Mar 24, 2015 at 11:44 AM, Steinmetz, Paul <PSteinmetz@xxxxxxxxxx>
wrote:

Amy,

Isn't the QSSLCSL system value maintained by PTFs?


Below are my current system values.
System value . . . . . : QSSLCSL
Description . . . . . : Secure sockets layer cipher specification list


Sequence Cipher
number Suite
0
10 *RSA_AES_128_CBC_SHA
20 *RSA_RC4_128_SHA
30 *RSA_RC4_128_MD5
40 *RSA_AES_256_CBC_SHA
50 *RSA_3DES_EDE_CBC_SHA
60 *RSA_DES_CBC_SHA
70 *RSA_EXPORT_RC4_40_MD5
80 *RSA_EXPORT_RC2_CBC_40_MD5
90 *RSA_NULL_SHA
100 *RSA_NULL_MD5

System value . . . . . : QSSLCSLCTL
Description . . . . . : Secure sockets layer cipher control


Cipher control . . . . : *OPSYS *OPSYS, *USRDFN

System value . . . . . : QSSLPCL
Description . . . . . : Secure sockets layer protocols


Protocols
*OPSYS

Paul


From: AHoerle@xxxxxxxxxxxxx [mailto:AHoerle@xxxxxxxxxxxxx]
Sent: Tuesday, March 24, 2015 10:35 AM
To: Midrange Systems Technical Discussion
Cc: Steinmetz, Paul
Subject: RE: Confirming SSLv2 and SSLv3 usage, disabling

Paul,

Yes, you will want to change the QSSLCSL system value. Here's what I
am using now on my 7.1 systems to eliminate SSLv3 and reduce the
number of allowed Ciphers for my servers:


System value . . . . . : QSSLCSL
Description . . . . . : Secure sockets layer cipher specification list

Sequence Cipher
number Suite
0
10 *RSA_AES_256_CBC_SHA256
20 *RSA_AES_128_CBC_SHA256
30 *RSA_AES_128_CBC_SHA
40 *RSA_AES_256_CBC_SHA
50 *RSA_3DES_EDE_CBC_SHA
60 *RSA_DES_CBC_SHA

System value . . . . . : QSSLCSLCTL
Description . . . . . : Secure sockets layer cipher contro
Cipher control . . . . : *USRDFN *OPSYS, *USRDFN

System value . . . . . : QSSLPCL
Description . . . . . : Secure sockets layer protocols

Protocols
*TLSV1
*TLSV1.1
*TLSV1.2



Amy Hoerle
System Administrator
Think Mutual Bank
5200 Members Pkwy NW, Box 5949
Rochester, MN 55901

507-536-5815 or
800-288-3425 Ext 5815
ahoerle@xxxxxxxxxxxxx



From: "Steinmetz, Paul" <PSteinmetz@xxxxxxxxxx>
To: "'Midrange Systems Technical Discussion'" <midrange-l@xxxxxxxxxxxx>
Date: 03/23/2015 10:51 AM
Subject: RE: Confirming SSLv2 and SSLv3 usage, disabling
Sent by: "MIDRANGE-L" <midrange-l-bounces@xxxxxxxxxxxx>
________________________________



Jim,

System values.
Do I need to change QSSLCSL?
Normally, this is managed by IBM PTFs, correct?

QSSLCSL *SEC Secure sockets layer cipher specification list
QSSLCSLCTL *SEC Secure sockets layer cipher control
QSSLPCL *SEC Secure sockets layer protocols

Paul

-----Original Message-----
From: MIDRANGE-L [mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of
Jim Oberholtzer
Sent: Monday, March 23, 2015 11:36 AM
To: 'Midrange Systems Technical Discussion'
Subject: RE: Confirming SSLv2 and SSLv3 usage, disabling

http://yourserveraddress:2001

Make sure the *ADMIN http server is running.

--
Jim Oberholtzer
Chief Technical Architect
Agile Technology Architects


-----Original Message-----
From: MIDRANGE-L [mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of
Steinmetz, Paul
Sent: Monday, March 23, 2015 10:34 AM
To: 'Midrange Systems Technical Discussion'
Subject: RE: Confirming SSLv2 and SSLv3 usage, disabling

Jim,

Where in admin?
Not finding anything browsing.

Paul


-----Original Message-----
From: MIDRANGE-L [mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of
Jim Oberholtzer
Sent: Monday, March 23, 2015 11:17 AM
To: 'Midrange Systems Technical Discussion'
Subject: RE: Confirming SSLv2 and SSLv3 usage, disabling

Easiest is *ADMIN server.

--
Jim Oberholtzer
Chief Technical Architect
Agile Technology Architects


-----Original Message-----
From: MIDRANGE-L [mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of
Steinmetz, Paul
Sent: Monday, March 23, 2015 10:16 AM
To: 'Midrange Systems Technical Discussion'
Subject: RE: Confirming SSLv2 and SSLv3 usage, disabling

Rob,

I think so, but not sure.

Where do we look to see if configured?

Paul

-----Original Message-----
From: MIDRANGE-L [mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of
rob@xxxxxxxxx
Sent: Monday, March 23, 2015 11:09 AM
To: Midrange Systems Technical Discussion
Subject: Re: Confirming SSLv2 and SSLv3 usage, disabling

Ok, maybe you found no usage, but that may not mean that you don't
still have it configured? Is that the issue?


Rob Berendt
--
IBM Certified System Administrator - IBM i 6.1
Group Dekko
Dept 1600
Mail to: 2505 Dekko Drive
Garrett, IN 46738
Ship to: Dock 108
6928N 400E
Kendallville, IN 46755
http://www.dekko.com





From: "Steinmetz, Paul" <PSteinmetz@xxxxxxxxxx>
To: "'Midrange Systems Technical Discussion'" <midrange-l@xxxxxxxxxxxx>
Date: 03/23/2015 10:53 AM
Subject: Confirming SSLv2 and SSLv3 usage, disabling
Sent by: "MIDRANGE-L" <midrange-l-bounces@xxxxxxxxxxxx>



I was notified by our corporate security admin (via Nessus scan) that
SSLv2 and SSLv3 were still being used on the I and needed to be disabled.

20007   SSL Version 2 and 3 Protocol Detection   Medium   10.5.2.5   TCP   21   No   iSeries

I turned on the TRCINT per doc N1020594, left it run for 7 days, found
no usage of SSLv2 or SSLv3, only *TLSV1.0
http://www-01.ibm.com/support/docview.wss?uid=nas8N1020594
What am I missing here?
How and where do I confirm if SSLv2 or SSLv3 is still configured?
How do I disable?
Thank You
_____
Paul Steinmetz
IBM i Systems Administrator

Pencor Services, Inc.
462 Delaware Ave
Palmerton Pa 18071

610-826-9117 work
610-826-9188 fax
610-349-0913 cell
610-377-6012 home

psteinmetz@xxxxxxxxxx
http://www.pencor.com/







--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list
To post a message email: MIDRANGE-L@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives
at http://archive.midrange.com/midrange-l.
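
An added example, not part of any message in this thread and not IBM tooling: it parses the QSSLCSL listing quoted in the thread and sorts the suites into keep and drop by name, which audits what is configured rather than what is in use. The weak-token table and all function names are this example's own assumptions.

```python
import re

# Name tokens treated as weak; this classification is the example's own assumption.
WEAK_TOKENS = {
    "NULL": "no encryption",
    "EXPORT": "40-bit export-grade key",
    "RC4": "RC4 stream cipher",
    "RC2": "RC2 block cipher",
    "MD5": "MD5-based MAC",
    "DES": "56-bit single DES",  # 3DES tokenizes as "3DES", so it is not matched
}
ENTRY = re.compile(r"^\s*(\d+)\s+(\*[A-Z0-9_]+)\s*$")

def parse_qsslcsl(listing):
    """Return sorted [(sequence, suite)] from a QSSLCSL display listing."""
    found = (ENTRY.match(line) for line in listing.splitlines())
    return sorted((int(m.group(1)), m.group(2)) for m in found if m)

def weaknesses(suite):
    """Return the reasons a suite name is weak; empty list if none apply."""
    tokens = suite.lstrip("*").split("_")
    return [why for token, why in WEAK_TOKENS.items() if token in tokens]

def audit(listing):
    """Split a listing into (keep, drop); drop maps suite -> reasons."""
    suites = [suite for _, suite in parse_qsslcsl(listing)]
    drop = {s: weaknesses(s) for s in suites if weaknesses(s)}
    keep = [s for s in suites if s not in drop]
    return keep, drop

# The *OPSYS listing quoted in the thread, header lines included.
OPSYS_LISTING = """\
Sequence Cipher
number Suite
0
10 *RSA_AES_128_CBC_SHA
20 *RSA_RC4_128_SHA
30 *RSA_RC4_128_MD5
40 *RSA_AES_256_CBC_SHA
50 *RSA_3DES_EDE_CBC_SHA
60 *RSA_DES_CBC_SHA
70 *RSA_EXPORT_RC4_40_MD5
80 *RSA_EXPORT_RC2_CBC_40_MD5
90 *RSA_NULL_SHA
100 *RSA_NULL_MD5
"""

if __name__ == "__main__":
    keep, drop = audit(OPSYS_LISTING)
    print("keep: %s" % keep, "drop: %s" % drop, sep="\n")
```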


