× The internal search function is temporarily non-functional. The current search engine is no longer viable and we are researching alternatives.
As a stop gap measure, we are using Google's custom search engine service.
If you know of an easy to use, open source, search engine ... please contact support@midrange.com.


  1.  Home
  2. MIDRANGE-L
  3. June 2015

RE: Disabling SSL version TLSV1 - only allowing TLSV1.1 and TLSV1.2

Jim,

I've successfully disabled TLSV1 for TELNET.
TELNET now connecting via TLSV1.2.
You need to go into DCM, and change the SSL defaults per the links below.

http://www-01.ibm.com/support/docview.wss?uid=nas8N1019971

http://www-01.ibm.com/support/docview.wss?uid=nas8N1020017

Paul



-----Original Message-----
From: MIDRANGE-L [mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of JWGrant@xxxxxxxxxxxxxxx
Sent: Tuesday, June 02, 2015 12:52 PM
To: Midrange Systems Technical Discussion
Subject: RE: Disabling SSL version TLSV1 - only allowing TLSV1.1 and TLSV1.2

We have been working on this issue with our LPAR's for several weeks now.

As you discovered you need to be careful just changing the system values to limit to TLS V1.1 and higer as you will break secure Telnet.

You can through a combination of system values set the ciphers supported to values that support the lower secure TLSv1 for telnet but then overide to only support higher secure protocls for web servers through the use of Apache directives (don't attempt to override the SSL PROTOCOL in DCM for apache web servers as it does not work, these must be done in the apache directives)

However, you also then need to evaluate the browsers. Modern browser like safari, chrome, firefox (at current levels have no issues) but Internet Exploxer can be problematic. IE8, IE9 can support TLS but not right out of the box (windows patches are required). IE10 out of the box supports TLS 1.2 but is not enabled by default, you need to turn on ssl 1.2 in the settings.

If you are on IBMi V7R1 TR6 or higher you should be okay.

Jim

Jim W Grant
Web: www.pdpgroupinc.com




From: Phil McCullough <Phil.McCullough@xxxxxxxx>
To: "'Midrange Systems Technical Discussion'"
<midrange-l@xxxxxxxxxxxx>
Date: 06/02/2015 11:35 AM
Subject: RE: Disabling SSL version TLSV1 - only allowing TLSV1.1
and TLSV1.2
Sent by: "MIDRANGE-L" <midrange-l-bounces@xxxxxxxxxxxx>



Hey,
Can you help me with some Microsoft licensing questions?
Thanks
Phil

-----Original Message-----
From: Matt Olson [mailto:Matt.Olson@xxxxxxxx]
Sent: Tuesday, June 02, 2015 8:58 AM
To: Midrange Systems Technical Discussion
Subject: RE: Disabling SSL version TLSV1 - only allowing TLSV1.1 and
TLSV1.2

If you follow this guide you will be golden with TLS and a bunch more
important security items:

Linux flavors:

https://sethvargo.com/getting-an-a-plus-on-qualys-ssl-labs-tester/

Windows:

https://scotthelme.co.uk/getting-an-a-on-the-qualys-ssl-test-windows-edition/


More info on windows:

http://www.dotnetnoob.com/2013/10/hardening-windows-server-20082012-and.html




-----Original Message-----
From: Steinmetz, Paul [mailto:PSteinmetz@xxxxxxxxxx]
Sent: Tuesday, June 02, 2015 8:36 AM
To: 'Midrange Systems Technical Discussion'
Subject: Disabling SSL version TLSV1 - only allowing TLSV1.1 and TLSV1.2

To all,

I was just informed that *TLSV1 no longer passes PCI compliancy and must
be also be disabled.
Every one of my SSL connections is TLSV1.
Has anyone disabled TLSV1, only left TLSV1.1 and TLSV1.2 enabled?

Our IT staff informed me that most of our remote servers and applications
may need a combination of OS upgrades, application upgrades, and/or
application default changes.

I disabled TLSV1 on my playground LPAR, my PC would no longer connect SSL
via client access.

This is looking very ugly.

I'm looking for some good SSL links for various OS (i5OS, Windows, CentOS)
and application links also.

Thank You
_____
Paul Steinmetz
IBM i Systems Administrator

Pencor Services, Inc.
462 Delaware Ave
Palmerton Pa 18071

610-826-9117 work
610-826-9188 fax
610-349-0913 cell
610-377-6012 home

psteinmetz@xxxxxxxxxx<mailto:psteinmetz@xxxxxxxxxx>
http://www.pencor.com/


--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing
list To post a message email: MIDRANGE-L@xxxxxxxxxxxx To subscribe,
unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx Before posting, please take a
moment to review the archives at http://archive.midrange.com/midrange-l.


--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing
list To post a message email: MIDRANGE-L@xxxxxxxxxxxx To subscribe,
unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx Before posting, please take a
moment to review the archives at http://archive.midrange.com/midrange-l.



As an Amazon Associate we earn from qualifying purchases.

This thread ...
Replies:
Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.