|
Tim,Not necessarily. If they already support one of your preferred algorithms then all will be ok.
I want to understand this better.
I changed the iSeries SSL settings, raised the standards.
The remote server would also need the similar changes completed to stay compatible.
And this could all be outside of the application, at the OS level, whether it be Win or Linux.Again not necessarily. It depends on whether the programmer hard wired the cipher suite list or used some other method.
So if the remote/client SSL cipher list had only one available, and it was *RSA_RC4_128_SHA, that would result in a failure.Yes.
So at this point, I need someone to confirm the remote/client SSL settings, (both SSL version and/or cipher list)Are you the server or the client? If you're connecting to a server then there are lots of tools you can use to connect and show the supported ciphers. Here's one that works for http:
Is this correct?
Paul
-----Original Message-----
From: MIDRANGE-L [mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of Tim Bronski
Sent: Wednesday, April 22, 2015 11:01 AM
To: Midrange Systems Technical Discussion
Subject: Re: SSL ciphers
TLS/SSL works by negotiating a preferred common cipher. The server offers up its list in order of preference and the client has its. The highest matching cipher is picked. If you've removed one and it no longer works then the client and server have no common supported ciphers. You'll need to compare.
On 4/22/2015 4:35 PM, Steinmetz, Paul wrote:
[21 11:46:59.550] ERROR MSMASYNC: msm_listener: 21: -->--
+ failed to gsk_secure_soc_init on 8504, rc=402 error=No compatible
+ cipher suite available between SSL end points., rejecting this
+ non-SSL connection
Paul
-----Original Message-----
From: MIDRANGE-L [mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of
Steve Hinrichs
Sent: Wednesday, April 22, 2015 10:34 AM
To: midrange-l@xxxxxxxxxxxx
Subject: RE: SSL ciphers
Paul,
I control it when creating the server socket. I remove the usage of lower level ciphers, including the one you mention. Is it possible that whatever the application is connecting to needs/uses certain ciphers? What is the exact error?
Steve
I removed cipher *RSA_RC4_128_SHA, which caused one of our apps to break, R&D only.Confidentiality Notice: This email, including attachments, may include confidential and/or proprietary information, and may be used only by the person or entity to which it is addressed. If the reader of this email is not the intended recipient or his or her authorized agent, the reader is hereby notified that any dissemination, distribution or copying of this email is prohibited. If you have received this email in error, please notify the sender by replying to this message and delete this email immediately.
I was told that most likely a different cipher would be used, but not the case.
What controls which SSL cipher is used.
Thank You
_____
Paul Steinmetz
IBM i Systems Administrator
--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing
list To post a message email: MIDRANGE-L@xxxxxxxxxxxx To subscribe,
unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx Before posting, please take a moment to review the archives at http://archive.midrange.com/midrange-l.
Need secure FTP? Download your native sFTP solution here:
www.arpeggiosoftware.com
--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list To post a message email: MIDRANGE-L@xxxxxxxxxxxx To subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx Before posting, please take a moment to review the archives at http://archive.midrange.com/midrange-l.
As an Amazon Associate we earn from qualifying purchases.
This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].
Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.