


To all,

I was just informed that *TLSV1 no longer passes PCI compliancy and must also be disabled.
Every one of my SSL connections is TLSV1.
Has anyone disabled TLSV1, only left TLSV1.1 and TLSV1.2 enabled?

Paul

From: Steinmetz, Paul
Sent: Tuesday, April 21, 2015 12:14 PM
To: 'AHoerle@xxxxxxxxxxxxx'
Subject: RE: Confirming SSLv2 and SSLv3 usage, disabling

Amy,

My SSL traces that I ran ahead of time confirmed which ciphers were being used, etc, and which might break.

Our one app did fail after removing this cipher.
70 *RSA_RC4_128_SHA

Temporarily added it back in, app working.

Paul

From: AHoerle@xxxxxxxxxxxxx [mailto:AHoerle@xxxxxxxxxxxxx]
Sent: Tuesday, April 21, 2015 9:16 AM
To: Steinmetz, Paul
Subject: RE: Confirming SSLv2 and SSLv3 usage, disabling

Hmm, my memory is not sure at the moment. I'm thinking I didn't have to bounce my Apache server, but I think I also had Apache config changes to make and ended up bouncing them for that.

If your server is public you can do what I did when making changes.... I made the change and then ran the Qualys SSL test against the server to see what it would like was changed and then kept going until I had exactly the results I wanted. I had to do a little DNS trickery to get it to scan (pointed root thinkbank.com to DR IP and then set load balancer to point at production and then changed DR until I was happy). That was the only way Qualys would scan both sites so I could compare my changes against the live config.

Hope that helps.

:)



Amy Hoerle
System Administrator
Think Mutual Bank
5200 Members Pkwy NW, Box 5949
Rochester, MN 55901

507-536-5815 or
800-288-3425 Ext 5815
ahoerle@xxxxxxxxxxxxx



From: "Steinmetz, Paul" <PSteinmetz@xxxxxxxxxx>
To: "'AHoerle@xxxxxxxxxxxxx'" <AHoerle@xxxxxxxxxxxxx>, "'Midrange Systems Technical Discussion'" <midrange-l@xxxxxxxxxxxx>
Date: 04/21/2015 08:07 AM
Subject: RE: Confirming SSLv2 and SSLv3 usage, disabling
________________________________



Changing the SSL values below takes effect immediately.
Question, if a process that uses SSL is constantly running, does it need to be recycled for the changes to take effect?

Paul

From: AHoerle@xxxxxxxxxxxxx [mailto:AHoerle@xxxxxxxxxxxxx]
Sent: Tuesday, March 24, 2015 10:35 AM
To: Midrange Systems Technical Discussion
Cc: Steinmetz, Paul
Subject: RE: Confirming SSLv2 and SSLv3 usage, disabling

Paul,

Yes, you will want to change the QSSLCSL system value. Here's what I am using now on my 7.1 systems to eliminate SSLv3 and reduce the number of allowed ciphers for my servers:


System value . . . . . : QSSLCSL
Description  . . . . . : Secure sockets layer cipher specification list

Sequence
number    Cipher suite
     0
    10    *RSA_AES_256_CBC_SHA256
    20    *RSA_AES_128_CBC_SHA256
    30    *RSA_AES_128_CBC_SHA
    40    *RSA_AES_256_CBC_SHA
    50    *RSA_3DES_EDE_CBC_SHA
    60    *RSA_DES_CBC_SHA

System value . . . . . : QSSLCSLCTL
Description  . . . . . : Secure sockets layer cipher control
Cipher control . . . . : *USRDFN        *OPSYS, *USRDFN

System value . . . . . : QSSLPCL
Description  . . . . . : Secure sockets layer protocols

Protocols
*TLSV1
*TLSV1.1
*TLSV1.2



Amy Hoerle
System Administrator
Think Mutual Bank
5200 Members Pkwy NW, Box 5949
Rochester, MN 55901

507-536-5815 or
800-288-3425 Ext 5815
ahoerle@xxxxxxxxxxxxx



From: "Steinmetz, Paul" <PSteinmetz@xxxxxxxxxx>
To: "'Midrange Systems Technical Discussion'" <midrange-l@xxxxxxxxxxxx>
Date: 03/23/2015 10:51 AM
Subject: RE: Confirming SSLv2 and SSLv3 usage, disabling
Sent by: "MIDRANGE-L" <midrange-l-bounces@xxxxxxxxxxxx>
________________________________




Jim,

System values.
Do I need to change QSSLCSL?
Normally, this is managed by IBM PTFs, correct?

QSSLCSL *SEC Secure sockets layer cipher specification list
QSSLCSLCTL *SEC Secure sockets layer cipher control
QSSLPCL *SEC Secure sockets layer protocols

Paul

-----Original Message-----
From: MIDRANGE-L [mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of Jim Oberholtzer
Sent: Monday, March 23, 2015 11:36 AM
To: 'Midrange Systems Technical Discussion'
Subject: RE: Confirming SSLv2 and SSLv3 usage, disabling

http://yourserveraddress:2001

Make sure the *ADMIN http server is running.

--
Jim Oberholtzer
Chief Technical Architect
Agile Technology Architects


-----Original Message-----
From: MIDRANGE-L [mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of Steinmetz, Paul
Sent: Monday, March 23, 2015 10:34 AM
To: 'Midrange Systems Technical Discussion'
Subject: RE: Confirming SSLv2 and SSLv3 usage, disabling

Jim,

Where in admin?
Not finding anything browsing.

Paul


-----Original Message-----
From: MIDRANGE-L [mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of Jim Oberholtzer
Sent: Monday, March 23, 2015 11:17 AM
To: 'Midrange Systems Technical Discussion'
Subject: RE: Confirming SSLv2 and SSLv3 usage, disabling

Easiest is *ADMIN server.

--
Jim Oberholtzer
Chief Technical Architect
Agile Technology Architects


-----Original Message-----
From: MIDRANGE-L [mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of Steinmetz, Paul
Sent: Monday, March 23, 2015 10:16 AM
To: 'Midrange Systems Technical Discussion'
Subject: RE: Confirming SSLv2 and SSLv3 usage, disabling

Rob,

I think so, but not sure.

Where do we look to see if configured?

Paul

-----Original Message-----
From: MIDRANGE-L [mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of rob@xxxxxxxxx
Sent: Monday, March 23, 2015 11:09 AM
To: Midrange Systems Technical Discussion
Subject: Re: Confirming SSLv2 and SSLv3 usage, disabling

Ok, maybe you found no usage, but that may not mean that you don't still have it configured? Is that the issue?


Rob Berendt
--
IBM Certified System Administrator - IBM i 6.1
Group Dekko
Dept 1600
Mail to: 2505 Dekko Drive
Garrett, IN 46738
Ship to: Dock 108
6928N 400E
Kendallville, IN 46755
http://www.dekko.com





From: "Steinmetz, Paul" <PSteinmetz@xxxxxxxxxx>
To: "'Midrange Systems Technical Discussion'" <midrange-l@xxxxxxxxxxxx>
Date: 03/23/2015 10:53 AM
Subject: Confirming SSLv2 and SSLv3 usage, disabling
Sent by: "MIDRANGE-L" <midrange-l-bounces@xxxxxxxxxxxx>



I was notified by our corporate security admin (via Nessus scan) that
SSLv2 and SSLv3 were still being used on the I and needed to be disabled.

20007  SSL Version 2 and 3 Protocol Detection  Medium  10.5.2.5  TCP  21  No  iSeries

I turned on the TRCINT per doc N1020594, left it run for 7 days, found no usage of SSLv2 or SSLv3, only *TLSV1.0
http://www-01.ibm.com/support/docview.wss?uid=nas8N1020594
What am I missing here?
How and where do I confirm if SSLv2 or SSLv3 is still configured?
How do I disable?
Thank You
_____
Paul Steinmetz
IBM i Systems Administrator

Pencor Services, Inc.
462 Delaware Ave
Palmerton Pa 18071

610-826-9117 work
610-826-9188 fax
610-349-0913 cell
610-377-6012 home

psteinmetz@xxxxxxxxxx
http://www.pencor.com/







--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list
To post a message email: MIDRANGE-L@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives
at http://archive.midrange.com/midrange-l.

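An added example, not part of the thread and not any poster's code: a Python check over text in the layout of the system value listings quoted above, flagging QSSLPCL and QSSLCSL entries and returning the lists that would remain. The sample listing is constructed, and the policy (drop *SSLV2, *SSLV3 and *TLSV1 as the thread discusses, plus RC4 and single-DES suites) is this example's assumption.

```python
import re

# Constructed sample in the layout of the listings quoted in the thread, with
# *RSA_RC4_128_SHA (sequence 70) added back as the 21 April reply describes.
SAMPLE = """\
System value . . . . . : QSSLCSL
Sequence Cipher
number Suite
10 *RSA_AES_256_CBC_SHA256
50 *RSA_3DES_EDE_CBC_SHA
60 *RSA_DES_CBC_SHA
70 *RSA_RC4_128_SHA
System value . . . . . : QSSLPCL
Protocols
*TLSV1
*TLSV1.1
*TLSV1.2
"""

# Policy assumed by this example: the protocols the thread says must go,
# plus RC4 and single-DES suites. "_DES_" does not match "_3DES_".
DISALLOWED_PROTOCOLS = {"*SSLV2", "*SSLV3", "*TLSV1"}
WEAK_CIPHER = re.compile(r"_(RC4|DES)_")

def parse_sysvals(text):
    """Return {system value name: [entries]} from system-value listing text."""
    values, current = {}, None
    for line in text.splitlines():
        header = re.match(r"\s*System value[ .]*:\s*(\S+)", line)
        if header:
            current = values.setdefault(header.group(1), [])
            continue
        # An entry is a trailing token that starts with '*', e.g. "60 *RSA_DES_CBC_SHA".
        entry = re.search(r"(\*[A-Z0-9_.]+)\s*$", line)
        if current is not None and entry:
            current.append(entry.group(1))
    return values

def audit(text):
    """Return (findings, proposed); proposed drops every flagged entry."""
    values = parse_sysvals(text)
    findings = [("QSSLPCL", p) for p in values.get("QSSLPCL", [])
                if p in DISALLOWED_PROTOCOLS]
    findings += [("QSSLCSL", c) for c in values.get("QSSLCSL", [])
                 if WEAK_CIPHER.search(c)]
    flagged = {entry for _, entry in findings}
    proposed = {name: [e for e in entries if e not in flagged]
                for name, entries in values.items()}
    return findings, proposed

if __name__ == "__main__":
    print(audit(SAMPLE))
```

The proposed lists are a starting point only: as the thread shows, removing *RSA_RC4_128_SHA broke one application, so compare them against what the SSL traces show in use before changing the system values.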