RE: Disabling SSL version TLSV1 - only allowing TLSV1.1 and TLSV1.2 -- MIDRANGE-L

I opened a PMR with IBM.

Learned that each IBM application also needs to have its SSL default settings changed.

Enable Telnet and Host servers

http://www-01.ibm.com/support/docview.wss?uid=nas8N1019971

http://www-01.ibm.com/support/docview.wss?uid=nas8N1020017

At V7R1, all IBM apps use default, this can be seen via DCM, update Application Definition.

One example, Application ID: QIBM_QTV_TELNET_SERVER, has the below default settings, which are all set to *PGM (not sure what V7R1 *PGM is at this point, looking for this documentation, anyone have this).

Each app needs to be changed from *PGM and customized for the desired SSL needed.

Each app needs to be recycled for the SSL changes to take effect, which is different than changing the i5/OS system values QSSL*.

At V7R2, *PGM has different defaults, may not need as many changes, if any.

Update Application Definition
Application type: Server

Application ID: QIBM_QTV_TELNET_SERVER

Application description: IBM i TCP/IP Telnet Server

Certificate Assigned: PENCOR0115WCSHA256

Information that can be updated:
SSL protocols

*PGM

Define protocols supported:

TLS 1.2

TLS 1.1

TLS 1.0

SSL 3.0

SSL 2.0

SSL cipher specification options

*PGM

Define cipher specification list:

Order

RSA_AES_128_CBC_SHA256

RSA_AES_128_CBC_SHA

RSA_AES_256_CBC_SHA256

RSA_AES_256_CBC_SHA

RSA_3DES_EDE_CBC_SHA

RSA_RC4_128_SHA

RSA_RC4_128_MD5

RSA_DES_CBC_SHA

RSA_EXPORT_RC2_CBC_40_MD5

RSA_EXPORT_RC4_40_MD5

RSA_NULL_SHA256

RSA_NULL_SHA

RSA_NULL_MD5

RSA_RC2_CBC_128_MD5

RSA_3DES_EDE_CBC_MD5

RSA_DES_CBC_MD5

Extended renegotiation critical mode processing:

*PGM Enable Disable

Server Name Indication (SNI):

Special indicators:

(The following information applies when client authentication is enabled)
Client authentication required:

Yes No

Define the CA trust list:

Yes No

Certificate Revocation List (CRL) checking:

Yes No

Online Certificate Status Protocol (OCSP) attributes:

OCSP URL: *PGM Disable Define URL value

URL value:

OCSP Authority Information Access (AIA) processing: *PGM Enable Disable

SSL signature algorithms

*PGM

Define signature algorithms supported:

Order

RSA_SHA512

RSA_SHA384

RSA_SHA256

RSA_SHA224

RSA_SHA1

RSA_MD5

Paul

-----Original Message-----
From: MIDRANGE-L [mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of JWGrant@xxxxxxxxxxxxxxx
Sent: Tuesday, June 02, 2015 12:52 PM
To: Midrange Systems Technical Discussion
Subject: RE: Disabling SSL version TLSV1 - only allowing TLSV1.1 and TLSV1.2

We have been working on this issue with our LPAR's for several weeks now.

As you discovered you need to be careful just changing the system values to limit to TLS V1.1 and higer as you will break secure Telnet.

You can through a combination of system values set the ciphers supported to values that support the lower secure TLSv1 for telnet but then overide to only support higher secure protocls for web servers through the use of Apache directives (don't attempt to override the SSL PROTOCOL in DCM for apache web servers as it does not work, these must be done in the apache directives)

However, you also then need to evaluate the browsers. Modern browser like safari, chrome, firefox (at current levels have no issues) but Internet Exploxer can be problematic. IE8, IE9 can support TLS but not right out of the box (windows patches are required). IE10 out of the box supports TLS 1.2 but is not enabled by default, you need to turn on ssl 1.2 in the settings.

If you are on IBMi V7R1 TR6 or higher you should be okay.

Jim

Jim W Grant

Web: www.pdpgroupinc.com<http://www.pdpgroupinc.com>

From: Phil McCullough <Phil.McCullough@xxxxxxxx<mailto:Phil.McCullough@xxxxxxxx>>

To: "'Midrange Systems Technical Discussion'"

<midrange-l@xxxxxxxxxxxx<mailto:midrange-l@xxxxxxxxxxxx>>

Date: 06/02/2015 11:35 AM

Subject: RE: Disabling SSL version TLSV1 - only allowing TLSV1.1

and TLSV1.2

Sent by: "MIDRANGE-L" <midrange-l-bounces@xxxxxxxxxxxx<mailto:midrange-l-bounces@xxxxxxxxxxxx>>

Hey,

Can you help me with some Microsoft licensing questions?

Thanks

Phil

-----Original Message-----

From: Matt Olson [mailto:Matt.Olson@xxxxxxxx]

Sent: Tuesday, June 02, 2015 8:58 AM

To: Midrange Systems Technical Discussion

Subject: RE: Disabling SSL version TLSV1 - only allowing TLSV1.1 and

TLSV1.2

If you follow this guide you will be golden with TLS and a bunch more

important security items:

Linux flavors:

https://sethvargo.com/getting-an-a-plus-on-qualys-ssl-labs-tester/

Windows:

https://scotthelme.co.uk/getting-an-a-on-the-qualys-ssl-test-windows-edition/

More info on windows:

http://www.dotnetnoob.com/2013/10/hardening-windows-server-20082012-and.html

-----Original Message-----

From: Steinmetz, Paul [mailto:PSteinmetz@xxxxxxxxxx]

Sent: Tuesday, June 02, 2015 8:36 AM

To: 'Midrange Systems Technical Discussion'

Subject: Disabling SSL version TLSV1 - only allowing TLSV1.1 and TLSV1.2

To all,

I was just informed that *TLSV1 no longer passes PCI compliancy and must

be also be disabled.

Every one of my SSL connections is TLSV1.

Has anyone disabled TLSV1, only left TLSV1.1 and TLSV1.2 enabled?

Our IT staff informed me that most of our remote servers and applications

may need a combination of OS upgrades, application upgrades, and/or

application default changes.

I disabled TLSV1 on my playground LPAR, my PC would no longer connect SSL

via client access.

This is looking very ugly.

I'm looking for some good SSL links for various OS (i5OS, Windows, CentOS)

and application links also.

Thank You

_____

Paul Steinmetz

IBM i Systems Administrator

Pencor Services, Inc.

462 Delaware Ave

Palmerton Pa 18071

610-826-9117 work

610-826-9188 fax

610-349-0913 cell

610-377-6012 home

psteinmetz@xxxxxxxxxx<mailto:psteinmetz@xxxxxxxxxx<mailto:psteinmetz@xxxxxxxxxx%3cmailto:psteinmetz@xxxxxxxxxx>>

http://www.pencor.com/

--

This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing

list To post a message email: MIDRANGE-L@xxxxxxxxxxxx<mailto:MIDRANGE-L@xxxxxxxxxxxx> To subscribe,

unsubscribe, or change list options,

visit: http://lists.midrange.com/mailman/listinfo/midrange-l

or email: MIDRANGE-L-request@xxxxxxxxxxxx<mailto:MIDRANGE-L-request@xxxxxxxxxxxx> Before posting, please take a

moment to review the archives at http://archive.midrange.com/midrange-l.

--

This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing

list To post a message email: MIDRANGE-L@xxxxxxxxxxxx<mailto:MIDRANGE-L@xxxxxxxxxxxx> To subscribe,

unsubscribe, or change list options,

visit: http://lists.midrange.com/mailman/listinfo/midrange-l

or email: MIDRANGE-L-request@xxxxxxxxxxxx<mailto:MIDRANGE-L-request@xxxxxxxxxxxx> Before posting, please take a

moment to review the archives at http://archive.midrange.com/midrange-l.

--

This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing

list

To post a message email: MIDRANGE-L@xxxxxxxxxxxx<mailto:MIDRANGE-L@xxxxxxxxxxxx>

To subscribe, unsubscribe, or change list options,

visit: http://lists.midrange.com/mailman/listinfo/midrange-l

or email: MIDRANGE-L-request@xxxxxxxxxxxx<mailto:MIDRANGE-L-request@xxxxxxxxxxxx>

Before posting, please take a moment to review the archives

at http://archive.midrange.com/midrange-l.

--

This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list

To post a message email: MIDRANGE-L@xxxxxxxxxxxx<mailto:MIDRANGE-L@xxxxxxxxxxxx>

To subscribe, unsubscribe, or change list options,

visit: http://lists.midrange.com/mailman/listinfo/midrange-l

or email: MIDRANGE-L-request@xxxxxxxxxxxx<mailto:MIDRANGE-L-request@xxxxxxxxxxxx>

Before posting, please take a moment to review the archives

at http://archive.midrange.com/midrange-l.