|
Any,
Isn't the QSSLCSL system value maintained by PTFs?
Below are my current system values.
System value . . . . . : QSSLCSL
Description . . . . . : Secure sockets layer cipher specification list
Sequence Cipher
number Suite
0
10 *RSA_AES_128_CBC_SHA
20 *RSA_RC4_128_SHA
30 *RSA_RC4_128_MD5
40 *RSA_AES_256_CBC_SHA
50 *RSA_3DES_EDE_CBC_SHA
60 *RSA_DES_CBC_SHA
70 *RSA_EXPORT_RC4_40_MD5
80 *RSA_EXPORT_RC2_CBC_40_MD5
90 *RSA_NULL_SHA
100 *RSA_NULL_MD5
System value . . . . . : QSSLCSLCTL
Description . . . . . : Secure sockets layer cipher control
Cipher control . . . . : *OPSYS *OPSYS, *USRDFN
System value . . . . . : QSSLPCL
Description . . . . . : Secure sockets layer protocols
Protocols
*OPSYS
Paul
From: AHoerle@xxxxxxxxxxxxx<mailto:AHoerle@xxxxxxxxxxxxx> [mailto:AHoerle@xxxxxxxxxxxxx]
Sent: Tuesday, March 24, 2015 10:35 AM
To: Midrange Systems Technical Discussion
Cc: Steinmetz, Paul
Subject: RE: Confirming SSLv2 and SSLv3 usage, disabling
Paul,
Yes, you will want to change the QSSLCLS system value. Here's what I
am using now on my 7.1 systems to eliminate SSLv3 and the reduce the
number of allowed Ciphers for my servers:
System value . . . . . : QSSLCSL
Description . . . . . : Secure sockets layer cipher specification list
Sequence Cipher
number Suite
0
10 *RSA_AES_256_CBC_SHA256
20 *RSA_AES_128_CBC_SHA256
30 *RSA_AES_128_CBC_SHA
40 *RSA_AES_256_CBC_SHA
50 *RSA_3DES_EDE_CBC_SHA
60 *RSA_DES_CBC_SHA
System value . . . . . : QSSLCSLCTL
Description . . . . . : Secure sockets layer cipher contro
Cipher control . . . . : *USRDFN *OPSYS, *USRDFN
System value . . . . . : QSSLPCL
Description . . . . . : Secure sockets layer protocols
Protocols
*TLSV1
*TLSV1.1
*TLSV1.2
Amy Hoerle
System Administrator
Think Mutual Bank
5200 Members Pkwy NW, Box 5949
Rochester, MN 55901
507-536-5815 or
800-288-3425 Ext 5815
ahoerle@xxxxxxxxxxxxx<mailto:ahoerle@xxxxxxxxxxxxx<mailto:ahoerle@xxxxxxxxxxxxx%3cmailto:ahoerle@xxxxxxxxxxxxx>>
From: "Steinmetz, Paul" <PSteinmetz@xxxxxxxxxx<mailto:
PSteinmetz@xxxxxxxxxx<mailto:PSteinmetz@xxxxxxxxxx>>>
To: "'Midrange Systems Technical Discussion'" <
midrange-l@xxxxxxxxxxxx<mailto:midrange-l@xxxxxxxxxxxx<mailto:midrange-l@xxxxxxxxxxxx%3cmailto:midrange-l@xxxxxxxxxxxx>>>
Date: 03/23/2015 10:51 AM
Subject: RE: Confirming SSLv2 and SSLv3 usage, disabling
Sent by: "MIDRANGE-L" <midrange-l-bounces@xxxxxxxxxxxx<mailto:
midrange-l-bounces@xxxxxxxxxxxx<mailto:midrange-l-bounces@xxxxxxxxxxxx>>>
________________________________
Jim,
System values.
Do I need to change QSSLCSL?
Normally, this is managed by IBM PTFs, correct?
QSSLCSL *SEC Secure sockets layer cipher specification list
QSSLCSLCTL *SEC Secure sockets layer cipher control
QSSLPCL *SEC Secure sockets layer protocols
Paul
-----Original Message-----
From: MIDRANGE-L [mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of
Jim Oberholtzer
Sent: Monday, March 23, 2015 11:36 AM
To: 'Midrange Systems Technical Discussion'
Subject: RE: Confirming SSLv2 and SSLv3 usage, disabling
http://yourserveraddress:2001<http://yourserveraddress:2001/<http://yourserveraddress:2001%3chttp:/yourserveraddress:2001/>>
Make sure the *ADMIN http server is running .
--
Jim Oberholtzer
Chief Technical Architect
Agile Technology Architects
-----Original Message-----
From: MIDRANGE-L [mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of
Steinmetz, Paul
Sent: Monday, March 23, 2015 10:34 AM
To: 'Midrange Systems Technical Discussion'
Subject: RE: Confirming SSLv2 and SSLv3 usage, disabling
Jim,
Where in admin?
Not finding anything browsing.
Paul
-----Original Message-----
From: MIDRANGE-L [mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of
Jim Oberholtzer
Sent: Monday, March 23, 2015 11:17 AM
To: 'Midrange Systems Technical Discussion'
Subject: RE: Confirming SSLv2 and SSLv3 usage, disabling
Easiest is *ADMIN server.
--
Jim Oberholtzer
Chief Technical Architect
Agile Technology Architects
-----Original Message-----
From: MIDRANGE-L [mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of
Steinmetz, Paul
Sent: Monday, March 23, 2015 10:16 AM
To: 'Midrange Systems Technical Discussion'
Subject: RE: Confirming SSLv2 and SSLv3 usage, disabling
Rob,
I think so, but not sure.
Where do we look to see if configured?
Paul
-----Original Message-----
From: MIDRANGE-L [mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of
rob@xxxxxxxxx<mailto:rob@xxxxxxxxx<mailto:rob@xxxxxxxxx%3cmailto:rob@xxxxxxxxx>>
Sent: Monday, March 23, 2015 11:09 AM
To: Midrange Systems Technical Discussion
Subject: Re: Confirming SSLv2 and SSLv3 usage, disabling
Ok, maybe you found no usage, but that may not mean that you don't
still have it configured? Is that the issue?
Rob Berendt
--
IBM Certified System Administrator - IBM i 6.1 Group Dekko Dept 1600
to: 2505 Dekko Drive
Garrett, IN 46738
Ship to: Dock 108
6928N 400E
Kendallville, IN 46755
http://www.dekko.com<http://www.dekko.com/<http://www.dekko.com%3chttp:/www.dekko.com/>>
From: "Steinmetz, Paul" <PSteinmetz@xxxxxxxxxx<mailto:
PSteinmetz@xxxxxxxxxx<mailto:PSteinmetz@xxxxxxxxxx>>>
To: "'Midrange Systems Technical Discussion'"
<midrange-l@xxxxxxxxxxxx<mailto:midrange-l@xxxxxxxxxxxx<mailto:midrange-l@xxxxxxxxxxxx%3cmailto:midrange-l@xxxxxxxxxxxx>>>
Date: 03/23/2015 10:53 AM
Subject: Confirming SSLv2 and SSLv3 usage, disabling
Sent by: "MIDRANGE-L" <midrange-l-bounces@xxxxxxxxxxxx<mailto:
midrange-l-bounces@xxxxxxxxxxxx<mailto:midrange-l-bounces@xxxxxxxxxxxx>>>
I was notified by our corporate security admin (via Nessus scan) that
SSLv2 and SSLv3 were still being used on the I and needed to be disabled.
20007
SSL Version 2
and 3 Protocol
Detection
Medium 10.5.2.5 TCP
21 No iSeries
I turned on the TRCINT per doc N1020594, left it run for 7 days, found
no usage of SSLv2 or SSLv3, only *TLSV1.0
http://www-01.ibm.com/support/docview.wss?uid=nas8N1020594
What am I missing here?
How and where do I confirm if SSLv2 or SSLv3 is still configured?
How do I disable?
Thank You
_____
Paul Steinmetz
IBM i Systems Administrator
Pencor Services, Inc.
462 Delaware Ave
Palmerton Pa 18071
610-826-9117 work
610-826-9188 fax
610-349-0913 cell
610-377-6012 home
psteinmetz@xxxxxxxxxx<mailto:psteinmetz@xxxxxxxxxx<mailto:psteinmetz@xxxxxxxxxx%3cmailto:psteinmetz@xxxxxxxxxx>>
http://www.pencor.com/
--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing
list To post a message email: MIDRANGE-L@xxxxxxxxxxxx<mailto<mailto:MIDRANGE-L@xxxxxxxxxxxx%3cmailto>:
MIDRANGE-L@xxxxxxxxxxxx<mailto:MIDRANGE-L@xxxxxxxxxxxx>> To subscribe, unsubscribe, or change list
options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx<mailto<mailto:MIDRANGE-L-request@xxxxxxxxxxxx%3cmailto>:
MIDRANGE-L-request@xxxxxxxxxxxx<mailto:MIDRANGE-L-request@xxxxxxxxxxxx>> Before posting, please take a moment
to review the archives at http://archive.midrange.com/midrange-l.
--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing
list To post a message email: MIDRANGE-L@xxxxxxxxxxxx<mailto<mailto:MIDRANGE-L@xxxxxxxxxxxx%3cmailto>:
MIDRANGE-L@xxxxxxxxxxxx<mailto:MIDRANGE-L@xxxxxxxxxxxx>> To subscribe, unsubscribe, or change list
options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx<mailto<mailto:MIDRANGE-L-request@xxxxxxxxxxxx%3cmailto>:
MIDRANGE-L-request@xxxxxxxxxxxx<mailto:MIDRANGE-L-request@xxxxxxxxxxxx>> Before posting, please take a moment
to review the archives at http://archive.midrange.com/midrange-l.
--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing
list To post a message email: MIDRANGE-L@xxxxxxxxxxxx<mailto<mailto:MIDRANGE-L@xxxxxxxxxxxx%3cmailto>:
MIDRANGE-L@xxxxxxxxxxxx<mailto:MIDRANGE-L@xxxxxxxxxxxx>> To subscribe, unsubscribe, or change list
options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx<mailto<mailto:MIDRANGE-L-request@xxxxxxxxxxxx%3cmailto>:
MIDRANGE-L-request@xxxxxxxxxxxx<mailto:MIDRANGE-L-request@xxxxxxxxxxxx>> Before posting, please take a moment
to review the archives at http://archive.midrange.com/midrange-l.
--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing
list To post a message email: MIDRANGE-L@xxxxxxxxxxxx<mailto<mailto:MIDRANGE-L@xxxxxxxxxxxx%3cmailto>:
MIDRANGE-L@xxxxxxxxxxxx<mailto:MIDRANGE-L@xxxxxxxxxxxx>> To subscribe, unsubscribe, or change list
options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx<mailto<mailto:MIDRANGE-L-request@xxxxxxxxxxxx%3cmailto>:
MIDRANGE-L-request@xxxxxxxxxxxx<mailto:MIDRANGE-L-request@xxxxxxxxxxxx>> Before posting, please take a moment
to review the archives at http://archive.midrange.com/midrange-l.
--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing
list To post a message email: MIDRANGE-L@xxxxxxxxxxxx<mailto<mailto:MIDRANGE-L@xxxxxxxxxxxx%3cmailto>:
MIDRANGE-L@xxxxxxxxxxxx<mailto:MIDRANGE-L@xxxxxxxxxxxx>> To subscribe, unsubscribe, or change list
options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx<mailto<mailto:MIDRANGE-L-request@xxxxxxxxxxxx%3cmailto>:
MIDRANGE-L-request@xxxxxxxxxxxx<mailto:MIDRANGE-L-request@xxxxxxxxxxxx>> Before posting, please take a moment
to review the archives at http://archive.midrange.com/midrange-l.
--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing
list To post a message email: MIDRANGE-L@xxxxxxxxxxxx<mailto<mailto:MIDRANGE-L@xxxxxxxxxxxx%3cmailto>:
MIDRANGE-L@xxxxxxxxxxxx<mailto:MIDRANGE-L@xxxxxxxxxxxx>> To subscribe, unsubscribe, or change list
options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx<mailto<mailto:MIDRANGE-L-request@xxxxxxxxxxxx%3cmailto>:
MIDRANGE-L-request@xxxxxxxxxxxx<mailto:MIDRANGE-L-request@xxxxxxxxxxxx>> Before posting, please take a moment
to review the archives at http://archive.midrange.com/midrange-l.
--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing
list To post a message email: MIDRANGE-L@xxxxxxxxxxxx<mailto<mailto:MIDRANGE-L@xxxxxxxxxxxx%3cmailto>:
MIDRANGE-L@xxxxxxxxxxxx<mailto:MIDRANGE-L@xxxxxxxxxxxx>>
To subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx<mailto<mailto:MIDRANGE-L-request@xxxxxxxxxxxx%3cmailto>:
MIDRANGE-L-request@xxxxxxxxxxxx<mailto:MIDRANGE-L-request@xxxxxxxxxxxx>>
Before posting, please take a moment to review the archives at
http://archive.midrange.com/midrange-l.
--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing
list To post a message email: MIDRANGE-L@xxxxxxxxxxxx<mailto:MIDRANGE-L@xxxxxxxxxxxx> To subscribe,
unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx<mailto:MIDRANGE-L-request@xxxxxxxxxxxx> Before posting, please take
a moment to review the archives at
http://archive.midrange.com/midrange-l.
As an Amazon Associate we earn from qualifying purchases.
This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].
Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.