


I think the problem is that this system hasn't been kept up to date with PTFs! I'm missing PTF SF99707 which added TLS 1.1 and 1.2 support to 7.1.


On 6/30/2015 7:36 PM, Steinmetz, Paul wrote:
Tim,

Just in case you didn't know this, you must also change the 3 SSL system values from default to custom; QSSLPCL will then allow TLSV1.2 or TLS1.1.

1) System value QSSLCSLCTL Secure sockets layer cipher control changed from *OPSYS to *USRDFN
2) System value QSSLPCL Secure sockets layer protocols changed from *OPSYS to *TLSV1 ; *TLSV1.1 ; *TLSV1.2
3) System value QSSLCSL Secure sockets layer cipher specification list
Changed from:
Sequence number   Cipher Suite
  0
 10               *RSA_AES_128_CBC_SHA
 20               *RSA_RC4_128_SHA
 30               *RSA_RC4_128_MD5
 40               *RSA_AES_256_CBC_SHA
 50               *RSA_3DES_EDE_CBC_SHA
 60               *RSA_DES_CBC_SHA
 70               *RSA_EXPORT_RC4_40_MD5
 80               *RSA_EXPORT_RC2_CBC_40_MD5
 90               *RSA_NULL_SHA
100               *RSA_NULL_MD5

To:
Sequence number   Cipher Suite
  0
 10               *RSA_AES_256_CBC_SHA256
 20               *RSA_AES_128_CBC_SHA256
 30               *RSA_AES_128_CBC_SHA
 40               *RSA_AES_256_CBC_SHA
 50               *RSA_3DES_EDE_CBC_SHA
 60               *RSA_DES_CBC_SHA

Paul

-----Original Message-----
From: MIDRANGE-L [mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of Tim Bronski
Sent: Tuesday, June 30, 2015 1:27 PM
To: Midrange Systems Technical Discussion
Subject: Re: Where to find certificate info

I was just using the IBM i FTP client to run my tests. We don't use the IBM SSL support in our products so it's not an issue for me but after Justin's questions I got curious to see what TLS levels IBM supported at the various OS. I noticed that on 7.1 the only TLS option for the QSSLPCL setting is *TLSV1 which is why I said I didn't think it was supported since QSSLPCL settings appear to be the ultimate control. I did see the options on the FTP client application in DCM but I can't get TLSV1.1 or 1.2 only to work for me. I also noticed (if you're testing out changes to the app via DCM) that if you've got a job up where you're running FTP client tests you have to sign off and on again before you see those effects in the client.

On 6/30/2015 5:50 PM, Steinmetz, Paul wrote:
Tim,

I'm having issues with other SSL clients TLS1.2 etc, haven't looked at FTP, see my other thread.
Exactly how are you invoking FTP with SSL?

Paul

-----Original Message-----
From: MIDRANGE-L [mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of Tim Bronski
Sent: Tuesday, June 30, 2015 11:37 AM
To: Midrange Systems Technical Discussion
Subject: Re: Where to find certificate info

Did that already. If I have ONLY TLS1.1 and TLS1.2 selected and the
server ONLY supports TLS1.1 and TLS1.2 then it doesn't work. If the
server also supports TLS1.0 then it works. In fact if the server ONLY
supports TLS1.0 then it works even though I have specified only 1.1 or
1.2 for the client. It looks like all the buttons are there but they're not connected to anything.

Here's what I changed for QIBM_QTMF_FTP_CLIENT:

Under SSL protocols I've got TLS1.2 and TLS 1.1 checked only.
Under cipher specs I've selected "Define" with these six in this order:
RSA_AES_128_CBC_SHA256
RSA_AES_128_CBC_SHA
RSA_AES_256_CBC_SHA256
RSA_AES_256_CBC_SHA
RSA_3DES_EDE_CBC_SHA
RSA_RC4_128_SHA

I've selected "Define" on the signature algorithm but included all 6.

The rest I left as defaults.

On 6/30/2015 5:09 PM, Steinmetz, Paul wrote:
Tim,

In DCM, check your Application type: Client Application ID:
QIBM_QTMF_FTP_CLIENT

By default, a V7R1 system is *pgm, which is TLS1.0 SSL3.0 SSL2.0. You
probably need to change from default to TLS1.2 etc.

Also check/change the ciphers.

Update Application Definition

Application type: Client
Application ID: QIBM_QTMF_FTP_CLIENT
Application description: IBM i TCP/IP FTP Client
Certificate Assigned: None assigned

Information that can be updated:

SSL protocols
*PGM
Define protocols supported:
TLS 1.2
TLS 1.1
TLS 1.0
SSL 3.0
SSL 2.0

SSL cipher specification options
*PGM
Define cipher specification list: Order
RSA_AES_128_CBC_SHA256 >
RSA_AES_128_CBC_SHA
RSA_AES_256_CBC_SHA256
RSA_AES_256_CBC_SHA
RSA_3DES_EDE_CBC_SHA
RSA_RC4_128_SHA
RSA_RC4_128_MD5
RSA_DES_CBC_SHA
RSA_EXPORT_RC2_CBC_40_MD5
RSA_EXPORT_RC4_40_MD5
RSA_NULL_SHA256
RSA_NULL_SHA
RSA_NULL_MD5
RSA_RC2_CBC_128_MD5
RSA_3DES_EDE_CBC_MD5
RSA_DES_CBC_MD5

Extended renegotiation critical mode processing: *PGM Enable Disable
Special indicators:

Define the CA trust list: Yes No
Certificate Revocation List (CRL) checking: Yes No

Online Certificate Status Protocol (OCSP) attributes:
OCSP URL: *PGM Disable Define URL value
URL value:
OCSP Authority Information Access (AIA) processing: *PGM Enable Disable

SSL signature algorithms
*PGM
Define signature algorithms supported: Order
RSA_SHA512
RSA_SHA384
RSA_SHA256
RSA_SHA224
RSA_SHA1
RSA_MD5

Paul


-----Original Message-----
From: MIDRANGE-L [mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of Tim Bronski
Sent: Tuesday, June 30, 2015 10:46 AM
To: Midrange Systems Technical Discussion
Subject: Re: Where to find certificate info

Did they say this was with a particular PTF? I cannot connect from my
7.1 machine to an FTP server IF the server is configured to only
accept TLS1.2 or even TLS1.1. Only TLS1.0 will work.

On 6/29/2015 9:36 PM, Justin Taylor wrote:
I talked to IBM and 7.1 does support TLS 1.2.



-----Original Message-----
From: Tim Bronski [mailto:tim.bronski@xxxxxxxxx]
Sent: Monday, June 29, 2015 8:51 AM
To: Midrange Systems Technical Discussion
Subject: Re: Where to find certificate info

I might need to correct the OS version level I gave for TLS1.2 support.
I just checked my V7.2 machine and it's there but it's not on my V7.1 box.

--
Need sFTP or PGP? Download your native sFTP or OpenPGP solutions here:
www.arpeggiosoftware.com
--
This is the Midrange Systems Technical Discussion (MIDRANGE-L)
mailing list To post a message email: MIDRANGE-L@xxxxxxxxxxxx To
subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx Before posting, please take a moment to review the archives at http://archive.midrange.com/midrange-l.
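
As an added example (not part of the original thread, and not IBM tooling): a Python audit of the two QSSLCSL listings quoted above, showing which entries remain weak after the change and which can only be negotiated once QSSLPCL allows *TLSV1.2. The `WEAK` policy table and the function names are assumptions of this example.

```python
import re

# Constructed input: the two QSSLCSL listings quoted in the thread.
BEFORE = """
10 *RSA_AES_128_CBC_SHA
20 *RSA_RC4_128_SHA
30 *RSA_RC4_128_MD5
40 *RSA_AES_256_CBC_SHA
50 *RSA_3DES_EDE_CBC_SHA
60 *RSA_DES_CBC_SHA
70 *RSA_EXPORT_RC4_40_MD5
80 *RSA_EXPORT_RC2_CBC_40_MD5
90 *RSA_NULL_SHA
100 *RSA_NULL_MD5
"""
AFTER = """
10 *RSA_AES_256_CBC_SHA256
20 *RSA_AES_128_CBC_SHA256
30 *RSA_AES_128_CBC_SHA
40 *RSA_AES_256_CBC_SHA
50 *RSA_3DES_EDE_CBC_SHA
60 *RSA_DES_CBC_SHA
"""
# Name token -> why this example's policy (an assumption) treats the suite as weak.
WEAK = {
    "NULL": "no encryption", "EXPORT": "export-grade 40-bit key",
    "RC4": "RC4 (prohibited by RFC 7465)", "RC2": "RC2 cipher",
    "DES": "single DES, 56-bit key", "3DES": "3DES, 64-bit block",
    "MD5": "MD5-based MAC",
}
ROW = re.compile(r"^[ \t]*(\d+)[ \t]+\*?(\w+)[ \t]*$", re.M)

def parse(listing):
    """Return suite names from 'NN *SUITE' rows, in sequence-number order."""
    return [name for _, name in sorted((int(s), n) for s, n in ROW.findall(listing))]

def audit(listing):
    """Map suite -> weak findings and whether it needs TLS 1.2 (SHA-2 MAC suites)."""
    report = {}
    for name in parse(listing):
        tokens = name.split("_")  # whole-token match, so 3DES is not counted as DES
        weak = [why for tok, why in WEAK.items() if tok in tokens]
        report[name] = {"weak": weak, "tls12_only": tokens[-1] in ("SHA256", "SHA384")}
    return report

def weak_suites(listing):
    """Suites in the listing that the WEAK policy flags, in preference order."""
    return [name for name, r in audit(listing).items() if r["weak"]]
```

Run against the "To" listing, `weak_suites(AFTER)` still reports `RSA_3DES_EDE_CBC_SHA` and `RSA_DES_CBC_SHA`, which are candidates for removal once every peer can negotiate an AES suite.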





This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].
