× The internal search function is temporarily non-functional. The current search engine is no longer viable and we are researching alternatives.
As a stop gap measure, we are using Google's custom search engine service.
If you know of an easy to use, open source, search engine ... please contact support@midrange.com.


  1.  Home
  2. MIDRANGE-L
  3. March 2015

RE: Confirming SSLv2 and SSLv3 usage, disabling


IBM's tool will show not only SSL protocol used, but also the cipher used.

You can see the first highlight is the SSL version followed by the cipher suite that was negotiated with this connection.

How to determine the SSL protocol and cipher suite used for each System SSL connection to the IBM i

http://www-01.ibm.com/support/docview.wss?uid=nas8N1020594

#2 ( 7) +0000 E3D3E2E5F14BF0 *TLSV1.0
#3 ( 24) +0000 E3D3E26DD9E2C16D E6C9E3C86DD9C3F4 6DF1F2F86DE2C8C1 *TLS_RSA_WITH_RC4_128_SHA

Paul

-----Original Message-----
From: MIDRANGE-L [mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of Steinmetz, Paul
Sent: Tuesday, March 24, 2015 3:06 PM
To: 'Midrange Systems Technical Discussion'
Subject: RE: Confirming SSLv2 and SSLv3 usage, disabling

1) Backing up a bit in this thread.



I found that QSSLPCL *OPSYS definitions by release are:



IBM i 7.2 -- *TLSV1.2 *TLSV1.1 *TLSV1

IBM i 7.1 -- *TLSV1 *SSLV3



For V7R1 If I change QSSLPCL from *OPSYS to

Protocols

*TLSV1

*TLSV1.1

*TLSV1.2



This should meet my requirement for disabling both SSLv2 and SSLv3.

Does the order in which the're listed matter?

If I were at V7R2, no changes necessary, system defaults would work, correct?



2) Removing the old unsupported cyphers I believe will be a separate issue/change, is this correct?

How does one determine which cipher(s) should be removed from QSSLCSL?



The following table shows the cipher specifications that are supported for each protocol version. The supported cipher specifications for each protocol are indicated by the "X" in the appropriate column.



Here's both the V7R1 and V7R2 links in case the table formatting was lost.

V7R2 added 16 additional ciphers.

I wasn't able to copy/paste from the V7R2 info center.



http://www-01.ibm.com/support/knowledgecenter/ssw_ibm_i_71/rzain/rzainciphers.htm?cp=ssw_ibm_i_71

http://www-01.ibm.com/support/knowledgecenter/ssw_ibm_i_72/rzain/rzainciphers.htm



http://www.ibmsystemsmag.com/ibmi/administrator/networks/i72-ssl-enhancements/?page=2





V7R1




Table 1. Supported Cipher Specifications for TLS and SSL Protocols

QSSLCSL System Value Representation

TLSv1.2

TLSv1.1

TLSv1.0

SSLv3

SSLv2

*RSA_AES_256_CBC_SHA256

X









*RSA_AES_128_CBC_SHA256

X









*RSA_AES_256_CBC_SHA

X

X

X





*RSA_AES_128_CBC_SHA

X

X

X





*RSA_3DES_EDE_CBC_SHA

X

X

X

X



*RSA_RC4_128_SHA

X

X

X

X



*RSA_RC4_128_MD5

X

X

X

X

X

*RSA_DES_CBC_SHA



X

X

X



*RSA_EXPORT_RC4_40_MD5





X

X

X

*RSA_EXPORT_RC2_CBC_40_MD5





X

X

X

*RSA_NULL_SHA256

X









*RSA_NULL_SHA

X

X

X

X



*RSA_NULL_MD5

X

X

X

X



*RSA_RC2_CBC_128_MD5









X

*RSA_3DES_EDE_CBC_MD5









X

*RSA_DES_CBC_MD5









X






Paul





-----Original Message-----
From: MIDRANGE-L [mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of Steinmetz, Paul
Sent: Tuesday, March 24, 2015 12:05 PM
To: 'Midrange Systems Technical Discussion'
Subject: RE: Confirming SSLv2 and SSLv3 usage, disabling



Is there anyway of confirming if the below ciphers that need to be deleted are still being used?



20 *RSA_RC4_128_SHA

30 *RSA_RC4_128_MD5

70 *RSA_EXPORT_RC4_40_MD5

80 *RSA_EXPORT_RC2_CBC_40_MD5

90 *RSA_NULL_SHA

100 *RSA_NULL_MD5



Paul



-----Original Message-----

From: MIDRANGE-L [mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of Roberto José Etcheverry Romero

Sent: Tuesday, March 24, 2015 10:54 AM

To: Midrange Systems Technical Discussion

Subject: Re: Confirming SSLv2 and SSLv3 usage, disabling



Paul,



According to that list you have some deprecated ciphers allowed. the 40 bit

RC2 and RC4 have been deprecated IIRC. At least Firefox disabled support for those in recent updates...



On Tue, Mar 24, 2015 at 11:44 AM, Steinmetz, Paul <PSteinmetz@xxxxxxxxxx<mailto:PSteinmetz@xxxxxxxxxx>>

wrote:



Any,



Isn't the QSSLCSL system value maintained by PTFs?





Below are my current system values.

System value . . . . . : QSSLCSL

Description . . . . . : Secure sockets layer cipher specification list





Sequence Cipher

number Suite

0

10 *RSA_AES_128_CBC_SHA

20 *RSA_RC4_128_SHA

30 *RSA_RC4_128_MD5

40 *RSA_AES_256_CBC_SHA

50 *RSA_3DES_EDE_CBC_SHA

60 *RSA_DES_CBC_SHA

70 *RSA_EXPORT_RC4_40_MD5

80 *RSA_EXPORT_RC2_CBC_40_MD5

90 *RSA_NULL_SHA

100 *RSA_NULL_MD5



System value . . . . . : QSSLCSLCTL

Description . . . . . : Secure sockets layer cipher control





Cipher control . . . . : *OPSYS *OPSYS, *USRDFN



System value . . . . . : QSSLPCL

Description . . . . . : Secure sockets layer protocols





Protocols

*OPSYS



Paul





From: AHoerle@xxxxxxxxxxxxx<mailto:AHoerle@xxxxxxxxxxxxx>
[mailto:AHoerle@xxxxxxxxxxxxx]

Sent: Tuesday, March 24, 2015 10:35 AM

To: Midrange Systems Technical Discussion

Cc: Steinmetz, Paul

Subject: RE: Confirming SSLv2 and SSLv3 usage, disabling



Paul,



Yes, you will want to change the QSSLCLS system value. Here's what I

am using now on my 7.1 systems to eliminate SSLv3 and the reduce the

number of allowed Ciphers for my servers:





System value . . . . . : QSSLCSL

Description . . . . . : Secure sockets layer cipher specification list



Sequence Cipher

number Suite

0

10 *RSA_AES_256_CBC_SHA256

20 *RSA_AES_128_CBC_SHA256

30 *RSA_AES_128_CBC_SHA

40 *RSA_AES_256_CBC_SHA

50 *RSA_3DES_EDE_CBC_SHA

60 *RSA_DES_CBC_SHA



System value . . . . . : QSSLCSLCTL

Description . . . . . : Secure sockets layer cipher contro

Cipher control . . . . : *USRDFN *OPSYS, *USRDFN



System value . . . . . : QSSLPCL

Description . . . . . : Secure sockets layer protocols



Protocols

*TLSV1

*TLSV1.1

*TLSV1.2







Amy Hoerle

System Administrator

Think Mutual Bank

5200 Members Pkwy NW, Box 5949

Rochester, MN 55901



507-536-5815 or

800-288-3425 Ext 5815

ahoerle@xxxxxxxxxxxxx<mailto:ahoerle@xxxxxxxxxxxxx<mailto:ahoerle@thin
kbank.com%3cmailto:ahoerle@xxxxxxxxxxxxx>>







From: "Steinmetz, Paul" <PSteinmetz@xxxxxxxxxx<mailto:

PSteinmetz@xxxxxxxxxx<mailto:PSteinmetz@xxxxxxxxxx>>>

To: "'Midrange Systems Technical Discussion'" <

midrange-l@xxxxxxxxxxxx<mailto:midrange-l@xxxxxxxxxxxx<mailto:midrange
-l@xxxxxxxxxxxx%3cmailto:midrange-l@xxxxxxxxxxxx>>>

Date: 03/23/2015 10:51 AM

Subject: RE: Confirming SSLv2 and SSLv3 usage, disabling

Sent by: "MIDRANGE-L" <midrange-l-bounces@xxxxxxxxxxxx<mailto:

midrange-l-bounces@xxxxxxxxxxxx<mailto:midrange-l-bounces@xxxxxxxxxxxx


________________________________







Jim,



System values.

Do I need to change QSSLCSL?

Normally, this is managed by IBM PTFs, correct?



QSSLCSL *SEC Secure sockets layer cipher specification list

QSSLCSLCTL *SEC Secure sockets layer cipher control

QSSLPCL *SEC Secure sockets layer protocols



Paul



-----Original Message-----

From: MIDRANGE-L [mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of

Jim Oberholtzer

Sent: Monday, March 23, 2015 11:36 AM

To: 'Midrange Systems Technical Discussion'

Subject: RE: Confirming SSLv2 and SSLv3 usage, disabling



http://yourserveraddress:2001<http://yourserveraddress:2001/<http://yo
urserveraddress:2001%3chttp:/yourserveraddress:2001/>>



Make sure the *ADMIN http server is running .



--

Jim Oberholtzer

Chief Technical Architect

Agile Technology Architects





-----Original Message-----

From: MIDRANGE-L [mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of

Steinmetz, Paul

Sent: Monday, March 23, 2015 10:34 AM

To: 'Midrange Systems Technical Discussion'

Subject: RE: Confirming SSLv2 and SSLv3 usage, disabling



Jim,



Where in admin?

Not finding anything browsing.



Paul





-----Original Message-----

From: MIDRANGE-L [mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of

Jim Oberholtzer

Sent: Monday, March 23, 2015 11:17 AM

To: 'Midrange Systems Technical Discussion'

Subject: RE: Confirming SSLv2 and SSLv3 usage, disabling



Easiest is *ADMIN server.



--

Jim Oberholtzer

Chief Technical Architect

Agile Technology Architects





-----Original Message-----

From: MIDRANGE-L [mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of

Steinmetz, Paul

Sent: Monday, March 23, 2015 10:16 AM

To: 'Midrange Systems Technical Discussion'

Subject: RE: Confirming SSLv2 and SSLv3 usage, disabling



Rob,



I think so, but not sure.



Where do we look to see if configured?



Paul



-----Original Message-----

From: MIDRANGE-L [mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of

rob@xxxxxxxxx<mailto:rob@xxxxxxxxx<mailto:rob@xxxxxxxxx%3cmailto:rob@d
ekko.com>>

Sent: Monday, March 23, 2015 11:09 AM

To: Midrange Systems Technical Discussion

Subject: Re: Confirming SSLv2 and SSLv3 usage, disabling



Ok, maybe you found no usage, but that may not mean that you don't

still have it configured? Is that the issue?





Rob Berendt

--

IBM Certified System Administrator - IBM i 6.1 Group Dekko Dept 1600

Mail

to: 2505 Dekko Drive

Garrett, IN 46738

Ship to: Dock 108

6928N 400E

Kendallville, IN 46755

http://www.dekko.com<http://www.dekko.com/<http://www.dekko.com%3chttp
:/www.dekko.com/>>











From: "Steinmetz, Paul" <PSteinmetz@xxxxxxxxxx<mailto:

PSteinmetz@xxxxxxxxxx<mailto:PSteinmetz@xxxxxxxxxx>>>

To: "'Midrange Systems Technical Discussion'"

<midrange-l@xxxxxxxxxxxx<mailto:midrange-l@xxxxxxxxxxxx<mailto:midrang
e-l@xxxxxxxxxxxx%3cmailto:midrange-l@xxxxxxxxxxxx>>>

Date: 03/23/2015 10:53 AM

Subject: Confirming SSLv2 and SSLv3 usage, disabling

Sent by: "MIDRANGE-L" <midrange-l-bounces@xxxxxxxxxxxx<mailto:

midrange-l-bounces@xxxxxxxxxxxx<mailto:midrange-l-bounces@xxxxxxxxxxxx








I was notified by our corporate security admin (via Nessus scan) that

SSLv2 and SSLv3 were still being used on the I and needed to be disabled.



20007

SSL Version 2

and 3 Protocol

Detection

Medium 10.5.2.5 TCP

21 No iSeries



I turned on the TRCINT per doc N1020594, left it run for 7 days, found

no usage of SSLv2 or SSLv3, only *TLSV1.0

http://www-01.ibm.com/support/docview.wss?uid=nas8N1020594

What am I missing here?

How and where do I confirm if SSLv2 or SSLv3 is still configured?

How do I disable?

Thank You

_____

Paul Steinmetz

IBM i Systems Administrator



Pencor Services, Inc.

462 Delaware Ave

Palmerton Pa 18071



610-826-9117 work

610-826-9188 fax

610-349-0913 cell

610-377-6012 home



psteinmetz@xxxxxxxxxx<mailto:psteinmetz@xxxxxxxxxx<mailto:psteinmetz@p
encor.com%3cmailto:psteinmetz@xxxxxxxxxx>>

http://www.pencor.com/















--

This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing

list To post a message email: MIDRANGE-L@xxxxxxxxxxxx<mailto<mailto:MIDRANGE-L@xxxxxxxxxxxx%3cmailto>:

MIDRANGE-L@xxxxxxxxxxxx<mailto:MIDRANGE-L@xxxxxxxxxxxx>> To subscribe,
unsubscribe, or change list

options,

visit: http://lists.midrange.com/mailman/listinfo/midrange-l

or email: MIDRANGE-L-request@xxxxxxxxxxxx<mailto<mailto:MIDRANGE-L-request@xxxxxxxxxxxx%3cmailto>:

MIDRANGE-L-request@xxxxxxxxxxxx<mailto:MIDRANGE-L-request@xxxxxxxxxxxx
Before posting, please take a moment

to review the archives at http://archive.midrange.com/midrange-l.







--

This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing

list To post a message email: MIDRANGE-L@xxxxxxxxxxxx<mailto<mailto:MIDRANGE-L@xxxxxxxxxxxx%3cmailto>:

MIDRANGE-L@xxxxxxxxxxxx<mailto:MIDRANGE-L@xxxxxxxxxxxx>> To subscribe,
unsubscribe, or change list

options,

visit: http://lists.midrange.com/mailman/listinfo/midrange-l

or email: MIDRANGE-L-request@xxxxxxxxxxxx<mailto<mailto:MIDRANGE-L-request@xxxxxxxxxxxx%3cmailto>:

MIDRANGE-L-request@xxxxxxxxxxxx<mailto:MIDRANGE-L-request@xxxxxxxxxxxx
Before posting, please take a moment

to review the archives at http://archive.midrange.com/midrange-l.



--

This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing

list To post a message email: MIDRANGE-L@xxxxxxxxxxxx<mailto<mailto:MIDRANGE-L@xxxxxxxxxxxx%3cmailto>:

MIDRANGE-L@xxxxxxxxxxxx<mailto:MIDRANGE-L@xxxxxxxxxxxx>> To subscribe,
unsubscribe, or change list

options,

visit: http://lists.midrange.com/mailman/listinfo/midrange-l

or email: MIDRANGE-L-request@xxxxxxxxxxxx<mailto<mailto:MIDRANGE-L-request@xxxxxxxxxxxx%3cmailto>:

MIDRANGE-L-request@xxxxxxxxxxxx<mailto:MIDRANGE-L-request@xxxxxxxxxxxx
Before posting, please take a moment

to review the archives at http://archive.midrange.com/midrange-l.





--

This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing

list To post a message email: MIDRANGE-L@xxxxxxxxxxxx<mailto<mailto:MIDRANGE-L@xxxxxxxxxxxx%3cmailto>:

MIDRANGE-L@xxxxxxxxxxxx<mailto:MIDRANGE-L@xxxxxxxxxxxx>> To subscribe,
unsubscribe, or change list

options,

visit: http://lists.midrange.com/mailman/listinfo/midrange-l

or email: MIDRANGE-L-request@xxxxxxxxxxxx<mailto<mailto:MIDRANGE-L-request@xxxxxxxxxxxx%3cmailto>:

MIDRANGE-L-request@xxxxxxxxxxxx<mailto:MIDRANGE-L-request@xxxxxxxxxxxx
Before posting, please take a moment

to review the archives at http://archive.midrange.com/midrange-l.



--

This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing

list To post a message email: MIDRANGE-L@xxxxxxxxxxxx<mailto<mailto:MIDRANGE-L@xxxxxxxxxxxx%3cmailto>:

MIDRANGE-L@xxxxxxxxxxxx<mailto:MIDRANGE-L@xxxxxxxxxxxx>> To subscribe,
unsubscribe, or change list

options,

visit: http://lists.midrange.com/mailman/listinfo/midrange-l

or email: MIDRANGE-L-request@xxxxxxxxxxxx<mailto<mailto:MIDRANGE-L-request@xxxxxxxxxxxx%3cmailto>:

MIDRANGE-L-request@xxxxxxxxxxxx<mailto:MIDRANGE-L-request@xxxxxxxxxxxx
Before posting, please take a moment

to review the archives at http://archive.midrange.com/midrange-l.





--

This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing

list To post a message email: MIDRANGE-L@xxxxxxxxxxxx<mailto<mailto:MIDRANGE-L@xxxxxxxxxxxx%3cmailto>:

MIDRANGE-L@xxxxxxxxxxxx<mailto:MIDRANGE-L@xxxxxxxxxxxx>> To subscribe,
unsubscribe, or change list

options,

visit: http://lists.midrange.com/mailman/listinfo/midrange-l

or email: MIDRANGE-L-request@xxxxxxxxxxxx<mailto<mailto:MIDRANGE-L-request@xxxxxxxxxxxx%3cmailto>:

MIDRANGE-L-request@xxxxxxxxxxxx<mailto:MIDRANGE-L-request@xxxxxxxxxxxx
Before posting, please take a moment

to review the archives at http://archive.midrange.com/midrange-l.



--

This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing

list To post a message email: MIDRANGE-L@xxxxxxxxxxxx<mailto<mailto:MIDRANGE-L@xxxxxxxxxxxx%3cmailto>:

MIDRANGE-L@xxxxxxxxxxxx<mailto:MIDRANGE-L@xxxxxxxxxxxx>>

To subscribe, unsubscribe, or change list options,

visit: http://lists.midrange.com/mailman/listinfo/midrange-l

or email: MIDRANGE-L-request@xxxxxxxxxxxx<mailto<mailto:MIDRANGE-L-request@xxxxxxxxxxxx%3cmailto>:

MIDRANGE-L-request@xxxxxxxxxxxx<mailto:MIDRANGE-L-request@xxxxxxxxxxxx


Before posting, please take a moment to review the archives at

http://archive.midrange.com/midrange-l.



--

This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing

list To post a message email:
MIDRANGE-L@xxxxxxxxxxxx<mailto:MIDRANGE-L@xxxxxxxxxxxx> To subscribe,

unsubscribe, or change list options,

visit: http://lists.midrange.com/mailman/listinfo/midrange-l

or email:
MIDRANGE-L-request@xxxxxxxxxxxx<mailto:MIDRANGE-L-request@xxxxxxxxxxxx
Before posting, please take

a moment to review the archives at

http://archive.midrange.com/midrange-l.





--

This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list To post a message email: MIDRANGE-L@xxxxxxxxxxxx<mailto:MIDRANGE-L@xxxxxxxxxxxx> To subscribe, unsubscribe, or change list options,

visit: http://lists.midrange.com/mailman/listinfo/midrange-l

or email: MIDRANGE-L-request@xxxxxxxxxxxx<mailto:MIDRANGE-L-request@xxxxxxxxxxxx> Before posting, please take a moment to review the archives at http://archive.midrange.com/midrange-l.



--

This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list To post a message email: MIDRANGE-L@xxxxxxxxxxxx<mailto:MIDRANGE-L@xxxxxxxxxxxx> To subscribe, unsubscribe, or change list options,

visit: http://lists.midrange.com/mailman/listinfo/midrange-l

or email: MIDRANGE-L-request@xxxxxxxxxxxx<mailto:MIDRANGE-L-request@xxxxxxxxxxxx> Before posting, please take a moment to review the archives at http://archive.midrange.com/midrange-l.


--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list To post a message email: MIDRANGE-L@xxxxxxxxxxxx To subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx Before posting, please take a moment to review the archives at http://archive.midrange.com/midrange-l.


As an Amazon Associate we earn from qualifying purchases.

This thread ...
Replies:
Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.