To all,
I was just informed that *TLSV1 no longer passes PCI compliance and must also be disabled.
Every one of my SSL connections is TLSV1.
Has anyone disabled TLSV1, only left TLSV1.1 and TLSV1.2 enabled?
Paul
From: Steinmetz, Paul
Sent: Tuesday, April 21, 2015 12:14 PM
To: 'AHoerle@xxxxxxxxxxxxx'
Subject: RE: Confirming SSLv2 and SSLv3 usage, disabling
Amy,
My SSL traces that I ran ahead of time confirmed which ciphers were being used, etc., and which might break.
Our one app did fail after removing this cipher.
70 *RSA_RC4_128_SHA
Temporarily added it back in, app working.
Paul
From: AHoerle@xxxxxxxxxxxxx [mailto:AHoerle@xxxxxxxxxxxxx]
Sent: Tuesday, April 21, 2015 9:16 AM
To: Steinmetz, Paul
Subject: RE: Confirming SSLv2 and SSLv3 usage, disabling
Hmm, my memory is not sure at the moment. I'm thinking I didn't have to bounce my Apache server, but I think I also had Apache config changes to make and ended up bouncing them for that.
If your server is public you can do what I did when making changes.... I made the change and then ran the Qualys SSL test against the server to see what it looked like after the change, and then kept going until I had exactly the results I wanted. I had to do a little DNS trickery to get it to scan (pointed root thinkbank.com to the DR IP and then set the load balancer to point at production and then changed DR until I was happy). That was the only way Qualys would scan both sites so I could compare my changes against the live config.
Hope that helps.
:)
Amy Hoerle
System Administrator
Think Mutual Bank
5200 Members Pkwy NW, Box 5949
Rochester, MN 55901
507-536-5815 or
800-288-3425 Ext 5815
ahoerle@xxxxxxxxxxxxx
From: "Steinmetz, Paul" <PSteinmetz@xxxxxxxxxx>
To: "'AHoerle@xxxxxxxxxxxxx'" <AHoerle@xxxxxxxxxxxxx>, "'Midrange Systems Technical Discussion'" <midrange-l@xxxxxxxxxxxx>
Date: 04/21/2015 08:07 AM
Subject: RE: Confirming SSLv2 and SSLv3 usage, disabling
________________________________
Changing the SSL values below takes effect immediately.
Question: if a process that uses SSL is constantly running, does it need to be recycled for the changes to take effect?
Paul
From: AHoerle@xxxxxxxxxxxxx [mailto:AHoerle@xxxxxxxxxxxxx]
Sent: Tuesday, March 24, 2015 10:35 AM
To: Midrange Systems Technical Discussion
Cc: Steinmetz, Paul
Subject: RE: Confirming SSLv2 and SSLv3 usage, disabling
Paul,
Yes, you will want to change the QSSLCSL system value. Here's what I am using now on my 7.1 systems to eliminate SSLv3 and reduce the number of allowed ciphers for my servers:
System value . . . . . :   QSSLCSL
Description  . . . . . :   Secure sockets layer cipher specification list
Sequence   Cipher
number     Suite
  10       *RSA_AES_256_CBC_SHA256
  20       *RSA_AES_128_CBC_SHA256
  30       *RSA_AES_128_CBC_SHA
  40       *RSA_AES_256_CBC_SHA
  50       *RSA_3DES_EDE_CBC_SHA
  60       *RSA_DES_CBC_SHA
System value . . . . . :   QSSLCSLCTL
Description  . . . . . :   Secure sockets layer cipher control
Cipher control . . . . :   *USRDFN      (*OPSYS, *USRDFN)
System value . . . . . :   QSSLPCL
Description  . . . . . :   Secure sockets layer protocols
Protocols
  *TLSV1
  *TLSV1.1
  *TLSV1.2
Amy Hoerle
System Administrator
Think Mutual Bank
5200 Members Pkwy NW, Box 5949
Rochester, MN 55901
507-536-5815 or
800-288-3425 Ext 5815
ahoerle@xxxxxxxxxxxxx
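The listing in this message, together with Paul's question at the top of the thread about dropping *TLSV1 as well, is the kind of thing worth checking by script rather than by eye. The Python below is an added example, not code from the thread or from IBM: it parses a DSPSYSVAL-style listing of QSSLPCL, QSSLCSL and QSSLCSLCTL (a constructed sample built from the values quoted above, plus the RC4 suite Paul had to add back), reports what a PCI-style policy no longer accepts, and prints the CHGSYSVAL commands that would remove it. The policy it applies (SSLv2, SSLv3 and TLSv1 banned; RC4, single DES, 3DES, NULL, EXPORT and MD5 suites treated as weak) and the CHGSYSVAL list syntax are the example's own assumptions; check the command syntax against the CHGSYSVAL help on your release before running anything it prints.

```python
"""Policy check for the IBM i TLS system values QSSLPCL, QSSLCSL and QSSLCSLCTL.

Added example, not from the thread or from IBM. It reads a DSPSYSVAL-style
listing, reports the protocols and cipher suites a PCI-style policy no longer
accepts, and emits the CHGSYSVAL commands that would remove them. The policy
and the CHGSYSVAL list syntax are assumptions of this example.
"""
import re

# Constructed sample listing: the values quoted in the thread, with the RC4
# suite (sequence 70) that one application still needed added back in.
SAMPLE_LISTING = """\
System value . . . . . :   QSSLCSL
Description  . . . . . :   Secure sockets layer cipher specification list
Sequence   Cipher
number     Suite
  10       *RSA_AES_256_CBC_SHA256
  20       *RSA_AES_128_CBC_SHA256
  30       *RSA_AES_128_CBC_SHA
  40       *RSA_AES_256_CBC_SHA
  50       *RSA_3DES_EDE_CBC_SHA
  60       *RSA_DES_CBC_SHA
  70       *RSA_RC4_128_SHA
System value . . . . . :   QSSLCSLCTL
Description  . . . . . :   Secure sockets layer cipher control
Cipher control . . . . :   *USRDFN
System value . . . . . :   QSSLPCL
Description  . . . . . :   Secure sockets layer protocols
Protocols
  *TLSV1
  *TLSV1.1
  *TLSV1.2
"""

# Policy assumed by this example: SSL and "early TLS" are out, and suites built
# on RC4, single DES, 3DES, NULL encryption, export grades or an MD5 MAC are weak.
BANNED_PROTOCOLS = {"*SSLV2", "*SSLV3", "*TLSV1"}
WEAK_CIPHER_MARKERS = ("RC4", "3DES", "_DES_", "NULL", "EXPORT", "MD5")


def is_weak_cipher(name):
    return any(marker in name for marker in WEAK_CIPHER_MARKERS)


def parse_listing(text):
    """Pull the three system values out of a DSPSYSVAL-style listing."""
    values = {"QSSLPCL": [], "QSSLCSL": [], "QSSLCSLCTL": None}
    current = None
    for line in text.splitlines():
        m = re.match(r"System value[ .]*:\s+(\S+)", line)
        if m:
            current = m.group(1)
            continue
        if current == "QSSLCSL":
            m = re.match(r"\s*(\d+)\s+(\*\S+)", line)   # "  10   *RSA_..."
            if m:
                values["QSSLCSL"].append((int(m.group(1)), m.group(2)))
        elif current == "QSSLPCL":
            m = re.match(r"\s*(\*\S+)\s*$", line)      # "  *TLSV1.2"
            if m:
                values["QSSLPCL"].append(m.group(1))
        elif current == "QSSLCSLCTL":
            m = re.match(r"Cipher control[ .]*:\s+(\*\S+)", line)
            if m:
                values["QSSLCSLCTL"] = m.group(1)
    # QSSLCSL is a preference list: keep it in sequence-number order.
    values["QSSLCSL"].sort()
    return values


def evaluate(values):
    """Return (banned protocols, weak cipher suites, notes) for the parsed values."""
    banned = [p for p in values["QSSLPCL"] if p in BANNED_PROTOCOLS]
    weak = [(seq, name) for seq, name in values["QSSLCSL"] if is_weak_cipher(name)]
    notes = []
    if values["QSSLCSLCTL"] != "*USRDFN":
        notes.append("QSSLCSLCTL is not *USRDFN: the OS owns QSSLCSL until you change that")
    if not [p for p in values["QSSLPCL"] if p not in BANNED_PROTOCOLS]:
        notes.append("removing the banned protocols would leave QSSLPCL empty")
    return banned, weak, notes


def remediation_commands(values):
    """CL commands that drop the banned protocols and weak suites (syntax assumed)."""
    keep_protocols = [p for p in values["QSSLPCL"] if p not in BANNED_PROTOCOLS]
    keep_ciphers = [name for _, name in values["QSSLCSL"] if not is_weak_cipher(name)]
    cmds = []
    if values["QSSLCSLCTL"] != "*USRDFN":
        cmds.append("CHGSYSVAL SYSVAL(QSSLCSLCTL) VALUE(*USRDFN)")
    cmds.append("CHGSYSVAL SYSVAL(QSSLPCL) VALUE('%s')" % " ".join(keep_protocols))
    cmds.append("CHGSYSVAL SYSVAL(QSSLCSL) VALUE('%s')" % " ".join(keep_ciphers))
    return cmds


if __name__ == "__main__":
    parsed = parse_listing(SAMPLE_LISTING)
    banned, weak, notes = evaluate(parsed)
    print("banned protocols still enabled:", ", ".join(banned) or "none")
    print("weak cipher suites still listed:", ", ".join(n for _, n in weak) or "none")
    for note in notes:
        print("note:", note)
    print("\n".join(remediation_commands(parsed)))
```

The QSSLCSLCTL check is there because with that value at *OPSYS the operating system owns QSSLCSL and the cipher list cannot be edited, which is why the listing above shows *USRDFN. As the thread itself shows, removing a suite can break a client that has nothing else in common with the server (the RC4 application), so the TRCINT trace comes first and an external scan comes after; the listing alone proves neither.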
From: "Steinmetz, Paul" <PSteinmetz@xxxxxxxxxx>
To: "'Midrange Systems Technical Discussion'" <midrange-l@xxxxxxxxxxxx>
Date: 03/23/2015 10:51 AM
Subject: RE: Confirming SSLv2 and SSLv3 usage, disabling
Sent by: "MIDRANGE-L" <midrange-l-bounces@xxxxxxxxxxxx>
________________________________
Jim,
System values.
Do I need to change QSSLCSL?
Normally, this is managed by IBM PTFs, correct?
QSSLCSL *SEC Secure sockets layer cipher specification list
QSSLCSLCTL *SEC Secure sockets layer cipher control
QSSLPCL *SEC Secure sockets layer protocols
Paul
-----Original Message-----
From: MIDRANGE-L [mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of Jim Oberholtzer
Sent: Monday, March 23, 2015 11:36 AM
To: 'Midrange Systems Technical Discussion'
Subject: RE: Confirming SSLv2 and SSLv3 usage, disabling
http://yourserveraddress:2001
Make sure the *ADMIN http server is running.
--
Jim Oberholtzer
Chief Technical Architect
Agile Technology Architects
-----Original Message-----
From: MIDRANGE-L [mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of Steinmetz, Paul
Sent: Monday, March 23, 2015 10:34 AM
To: 'Midrange Systems Technical Discussion'
Subject: RE: Confirming SSLv2 and SSLv3 usage, disabling
Jim,
Where in admin?
Not finding anything browsing.
Paul
-----Original Message-----
From: MIDRANGE-L [mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of Jim Oberholtzer
Sent: Monday, March 23, 2015 11:17 AM
To: 'Midrange Systems Technical Discussion'
Subject: RE: Confirming SSLv2 and SSLv3 usage, disabling
Easiest is *ADMIN server.
--
Jim Oberholtzer
Chief Technical Architect
Agile Technology Architects
-----Original Message-----
From: MIDRANGE-L [mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of Steinmetz, Paul
Sent: Monday, March 23, 2015 10:16 AM
To: 'Midrange Systems Technical Discussion'
Subject: RE: Confirming SSLv2 and SSLv3 usage, disabling
Rob,
I think so, but not sure.
Where do we look to see if configured?
Paul
-----Original Message-----
From: MIDRANGE-L [mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of rob@xxxxxxxxx
Sent: Monday, March 23, 2015 11:09 AM
To: Midrange Systems Technical Discussion
Subject: Re: Confirming SSLv2 and SSLv3 usage, disabling
Ok, maybe you found no usage, but that may not mean that you don't still have it configured? Is that the issue?
Rob Berendt
--
IBM Certified System Administrator - IBM i 6.1
Group Dekko
Dept 1600
Mail to: 2505 Dekko Drive
Garrett, IN 46738
Ship to: Dock 108
6928N 400E
Kendallville, IN 46755
http://www.dekko.com
From: "Steinmetz, Paul" <PSteinmetz@xxxxxxxxxx>
To: "'Midrange Systems Technical Discussion'" <midrange-l@xxxxxxxxxxxx>
Date: 03/23/2015 10:53 AM
Subject: Confirming SSLv2 and SSLv3 usage, disabling
Sent by: "MIDRANGE-L" <midrange-l-bounces@xxxxxxxxxxxx>
I was notified by our corporate security admin (via Nessus scan) that
SSLv2 and SSLv3 were still being used on the I and needed to be disabled.
Plugin 20007   SSL Version 2 and 3 Protocol Detection   Medium   10.5.2.5   TCP 21   No   iSeries
I turned on the TRCINT per doc N1020594, let it run for 7 days, found no usage of SSLv2 or SSLv3, only *TLSV1.0
http://www-01.ibm.com/support/docview.wss?uid=nas8N1020594
What am I missing here?
How and where do I confirm if SSLv2 or SSLv3 is still configured?
How do I disable?
Thank You
_____
Paul Steinmetz
IBM i Systems Administrator
Pencor Services, Inc.
462 Delaware Ave
Palmerton Pa 18071
610-826-9117 work
610-826-9188 fax
610-349-0913 cell
610-377-6012 home
psteinmetz@xxxxxxxxxx
http://www.pencor.com/
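Paul's TRCINT check in the message above is a passive tally: over the seven days it can only show the protocol versions that clients actually negotiated, not what the server is still willing to accept, which is the gap Rob points at further up the thread and the reason an active scanner check such as Nessus plugin 20007 (which tries to complete an SSLv2 or SSLv3 handshake with the service itself) still fired. The Python below is an added example, not the thread's or IBM's code, showing how such a passive tally works on raw records: it reads the version each ServerHello selected, including the SSLv2 SERVER-HELLO layout and the TLS 1.3 supported_versions extension, and counts them. All records are constructed inline so it runs offline; feeding it records from a real capture is left to the reader.

```python
"""Tally which SSL/TLS versions servers actually selected in captured handshakes.

Added example, not from the thread or from IBM. Like the TRCINT step in the
thread it is passive: it only counts versions that real clients negotiated.
The records below are constructed in-line so the script runs offline.
"""
from collections import Counter

VERSION_NAMES = {
    (0, 2): "SSLv2",      # SSLv2 carries its version as 0x0002
    (3, 0): "SSLv3",
    (3, 1): "TLSv1.0",
    (3, 2): "TLSv1.1",
    (3, 3): "TLSv1.2",
    (3, 4): "TLSv1.3",
}


def negotiated_version(record):
    """Return the version the server chose in one ServerHello record, or None."""
    if not record:
        return None
    # SSLv2 record with a 2-byte header: high bit set, length in the low 15 bits,
    # then message type 0x04 (SERVER-HELLO), session-id-hit, cert type, version.
    if record[0] & 0x80 and len(record) >= 7 and record[2] == 0x04:
        return VERSION_NAMES.get((record[5], record[6]), "unknown")
    # SSLv3/TLS: content type 0x16 (handshake), 2-byte version, 2-byte length,
    # then handshake type 0x02 (ServerHello) and a 3-byte handshake length.
    if record[0] != 0x16 or len(record) < 9 or record[5] != 0x02:
        return None
    body = record[9:]
    if len(body) < 38:            # version + random + sid len + suite + compression
        return None
    version = (body[0], body[1])
    # A TLS 1.3 server puts 0x0303 in legacy_version and states its real choice in
    # the supported_versions (0x002b) extension, so read that when it is present.
    pos = 35 + body[34] + 2 + 1   # skip session id, cipher suite, compression
    if len(body) >= pos + 2:
        ext_end = pos + 2 + int.from_bytes(body[pos:pos + 2], "big")
        pos += 2
        while pos + 4 <= ext_end and ext_end <= len(body):
            ext_type = int.from_bytes(body[pos:pos + 2], "big")
            ext_len = int.from_bytes(body[pos + 2:pos + 4], "big")
            if ext_type == 0x002B and ext_len == 2:
                version = (body[pos + 4], body[pos + 5])
                break
            pos += 4 + ext_len
    return VERSION_NAMES.get(version, "unknown")


def tally_versions(records):
    """Count negotiated versions over raw records; anything that is not a hello is skipped."""
    counts = Counter()
    for rec in records:
        version = negotiated_version(rec)
        if version is not None:
            counts[version] += 1
    return counts


def build_server_hello(legacy_version, cipher_suite=b"\x00\x2f", extensions=b""):
    """Construct a minimal ServerHello record (sample input only, zeroed random)."""
    body = bytes(legacy_version) + b"\x00" * 32 + b"\x00" + cipher_suite + b"\x00"
    if extensions:
        body += len(extensions).to_bytes(2, "big") + extensions
    handshake = b"\x02" + len(body).to_bytes(3, "big") + body
    return b"\x16" + bytes(legacy_version) + len(handshake).to_bytes(2, "big") + handshake


# Constructed sample "capture": two TLSv1.0 sessions (what the thread's trace saw),
# one TLSv1.2, one TLSv1.3 signalled through supported_versions, one SSLv2
# SERVER-HELLO, and an application-data record that must be ignored.
SAMPLE_RECORDS = [
    build_server_hello((3, 1)),
    build_server_hello((3, 1)),
    build_server_hello((3, 3)),
    build_server_hello((3, 3), b"\x13\x01", b"\x00\x2b\x00\x02\x03\x04"),
    b"\x80\x0b\x04\x00\x01\x00\x02" + b"\x00" * 6,
    b"\x17\x03\x03\x00\x05hello",
]


if __name__ == "__main__":
    for name, n in sorted(tally_versions(SAMPLE_RECORDS).items()):
        print(f"{name:8} {n}")
```

The parser reads ServerHello records only, because the version the server selects is what a compliance scan grades, not what the client offered. A server that answered TLSv1.0 or better for seven days may still accept SSLv3 from a client that asks for it, so a tally like this tells you what can be removed without breaking clients; it does not tell you the server is clean. The configured system values and an active scan answer that question.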
--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list
To post a message email: MIDRANGE-L@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives
at http://archive.midrange.com/midrange-l.