RE: Disabling SSL version TLSV1 - only allowing TLSV1.1 and TLSV1.2 -- MIDRANGE-L

Brad,

Yes, I changed system value QSSLPCL, deleted *TLSV1
V7R1, all PTFs current.

Client Access returning this error.
CWB01024 - SSL error, function returned 25406, x.x.x.x

25406 - An IO error occurred on a data read or write.

Paul

-----Original Message-----
From: MIDRANGE-L [mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of Bradley Stone
Sent: Tuesday, June 02, 2015 10:28 AM
To: Midrange Systems Technical Discussion
Subject: Re: Disabling SSL version TLSV1 - only allowing TLSV1.1 and TLSV1.2

Are you referring to changing the system values on your IBM i to only use TLS v1.1 and 1.2?

I would think by now that Client Access would be updated to work with this. It sounds like you can set your IBM i to use the right versions of TLS but the clients that connect to it don't have the ability yet.

It may also mess up any client appcliations on the IBM i that connect via SSL if you're on V7R1 and not up on PTFs.

I have one customer using GETURI that when they make the change they get the -13 NOT_SUPPORTED error, but it works find on V7R2 so it must be a some hyper PTF that isn't included.

Brad
www.bvstools.com

On Tue, Jun 2, 2015 at 8:58 AM, Matt Olson <Matt.Olson@xxxxxxxx> wrote:

If you follow this guide you will be golden with TLS and a bunch more
important security items:

Linux flavors:

https://sethvargo.com/getting-an-a-plus-on-qualys-ssl-labs-tester/

Windows:

https://scotthelme.co.uk/getting-an-a-on-the-qualys-ssl-test-windows-e
dition/

More info on windows:

http://www.dotnetnoob.com/2013/10/hardening-windows-server-20082012-an
d.html

-----Original Message-----
From: Steinmetz, Paul [mailto:PSteinmetz@xxxxxxxxxx]
Sent: Tuesday, June 02, 2015 8:36 AM
To: 'Midrange Systems Technical Discussion'
Subject: Disabling SSL version TLSV1 - only allowing TLSV1.1 and
TLSV1.2

To all,

I was just informed that *TLSV1 no longer passes PCI compliancy and
must be also be disabled.
Every one of my SSL connections is TLSV1.
Has anyone disabled TLSV1, only left TLSV1.1 and TLSV1.2 enabled?

Our IT staff informed me that most of our remote servers and
applications may need a combination of OS upgrades, application
upgrades, and/or application default changes.

I disabled TLSV1 on my playground LPAR, my PC would no longer connect
SSL via client access.

This is looking very ugly.

I'm looking for some good SSL links for various OS (i5OS, Windows,
CentOS) and application links also.

Thank You
_____
Paul Steinmetz
IBM i Systems Administrator

Pencor Services, Inc.
462 Delaware Ave
Palmerton Pa 18071

610-826-9117 work
610-826-9188 fax
610-349-0913 cell
610-377-6012 home

psteinmetz@xxxxxxxxxx<mailto:psteinmetz@xxxxxxxxxx>
http://www.pencor.com/

--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing
list To post a message email: MIDRANGE-L@xxxxxxxxxxxx To subscribe,
unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx Before posting, please take
a moment to review the archives at http://archive.midrange.com/midrange-l.

--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing
list To post a message email: MIDRANGE-L@xxxxxxxxxxxx To subscribe,
unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx Before posting, please take
a moment to review the archives at
http://archive.midrange.com/midrange-l.

--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list To post a message email: MIDRANGE-L@xxxxxxxxxxxx To subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx Before posting, please take a moment to review the archives at http://archive.midrange.com/midrange-l.