


To all,

This was from another thread I posted back in July related to SSL Current Version, RC4 ciphers.

IBM has released two PTFs to resolve SSL client issues, MF60335, SI57332

http://www-01.ibm.com/support/docview.wss?uid=nas35a3400efeeb413d086257e7e007eb665
http://www-01.ibm.com/support/docview.wss?uid=nas24e5145dca463e43586257e6f003c6da7

http://www-912.ibm.com/a_dir/as4ptf.nsf/b3cb9d42f672b70f86256739004afa0f/9d8f3c581309ec3886257e7e007eb678?OpenDocument
http://www-01.ibm.com/support/docview.wss?uid=nas22105ec3f6fa1476986257e74003c6ed6

Applied to both Production and R&D LPAR, issue resolved.

Make sure you run the special instructions SST Advanced Analysis SSLCONFIG MACRO. !!!!!!
1. Open a character-based interface.
2. On the command line, type STRSST.
3. Type your service tools user name and password.
4. Select option 1 (Start a service tool).
5. Select option 4 (Display/Alter/Dump).
6. Select option 1 (Display/Alter storage).
7. Select option 2 (Licensed Internal Code (LIC) data).
8. Select option 14 (Advanced analysis).
9. Select option 1 (SSLCONFIG).
10. Enter -h
-eligibleDefaultProtocols:10,08,04 or as needed.

If your iSeries is a client, get these two PTFs installed ASAP.

Note:!!!!!!
Not only was my SSL client connection issue resolved, but other apps previously connecting at TLSv1 are now connecting at TLSv1.2 or TLSv1.1.
Also, another app previously connecting at TLSv1.0 using RC4 weak cipher is now connecting at TLSv1.2 with TLS_RSA_WITH_AES_128_CBC_SHA2.

Good job IBM.
Quick turnaround.

Paul

-----Original Message-----
From: MIDRANGE-L [mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of Bradley Stone
Sent: Saturday, December 19, 2015 4:02 PM
To: Midrange Systems Technical Discussion
Subject: Re: Client Access, Access Client and certificates

Paul,

If the software vendors are using the system SSL APIs then software updates shouldn't be needed unless they have settings hard-coded. By default the APIs "should" use the system settings. I say "should" because they don't always.

I went through this with a customer using our GETURI software that uses SSL. We had ours set to use the system SSL settings and for some reason it wasn't in this case.

The situation is described here:
http://www.fieldexit.com/forum/display?threadid=170

So, I added a flag to our software to get around that while IBM fixed their stuff. :)

Anyhow, expect more SSL problems down the road. It's been pretty bumpy.
With forcing everyone to move to new versions it's going to also force many V5Rx and V6Rx users to V7Rx... (and consequently new hardware most likely).

Brad
www.bvstools.com

On Sat, Dec 19, 2015 at 1:29 PM, Steinmetz, Paul <PSteinmetz@xxxxxxxxxx>
wrote:

Mike,

There have been several SSL PTFs recently.
These have all been related to disabling SSLv2, SSLv3, and TLSv1.0,
only allowing TLSv1.1 or TLSv1.2.
Along with this is disabling SHA1 certs, using new SHA256 certs.
SHA1 certs will be expiring, and will not be able to be renewed.
If the remote device, whether it be a desktop or server, was using one of
the older versions and/or certs, and not updated for the new, this
would cause a failure.
We also had issues with 3rd party i5 products, still waiting for
those TLSv1.1 upgrades.
There are more changes scheduled for 2016.
We were just informed that if our credit card system is running
TLSv1.0 on 7/1/2016, credit cards will stop working because the banks
will no longer be accepting TLSv1.0.
We are currently waiting for the TLSv1.1 upgrade from Curbstone.

I now have a SSL socket trace running on a daily basis, monitoring all
the SSL versions and certs being used.

Paul
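
Added example, not part of the original thread and not IBM tooling: a sketch of the daily check described above, flagging peers that still negotiate a protocol below TLSv1.1, an RC4 cipher, or a SHA1-signed certificate. The record layout, the sample lines, and the function names are assumptions made for illustration; a real IBM i SSL trace would first have to be exported into this form.

```python
import csv
from collections import defaultdict

# Policy taken from the thread: only TLSv1.1/TLSv1.2 allowed, RC4 is weak,
# SHA1-signed certificates are being retired.
ALLOWED_PROTOCOLS = {"TLSv1.1", "TLSv1.2"}

# Constructed sample records (NOT real IBM i trace output). Assumed layout:
# timestamp,peer,protocol,cipher,certificate signature algorithm
SAMPLE_TRACE = """\
2015-12-19T08:01:11,10.0.0.21,TLSv1.2,TLS_RSA_WITH_AES_128_CBC_SHA256,sha256WithRSAEncryption
2015-12-19T08:02:40,10.0.0.35,TLSv1.0,TLS_RSA_WITH_RC4_128_SHA,sha1WithRSAEncryption
2015-12-19T08:03:05,10.0.0.35,TLSv1.0,TLS_RSA_WITH_RC4_128_SHA,sha1WithRSAEncryption
2015-12-19T08:04:52,10.0.0.48,TLSv1.1,TLS_RSA_WITH_AES_128_CBC_SHA,sha1WithRSAEncryption
2015-12-19T08:05:10,10.0.0.77,SSLv3,TLS_RSA_WITH_3DES_EDE_CBC_SHA,sha256WithRSAEncryption
"""

def findings_for(protocol, cipher, cert_sig):
    """Return the policy violations for one traced connection."""
    problems = []
    if protocol not in ALLOWED_PROTOCOLS:
        problems.append(f"protocol {protocol} not allowed")
    if "_RC4_" in cipher:
        problems.append("RC4 cipher")
    # Match the certificate signature algorithm, not the cipher's MAC:
    # "..._CBC_SHA" in a suite name is HMAC-SHA1 and is not a SHA1 cert.
    if cert_sig.lower().startswith("sha1"):
        problems.append("SHA1-signed certificate")
    return problems

def audit(trace_text):
    """Group violations by peer so each remote system appears once."""
    report = defaultdict(set)
    for row in csv.reader(trace_text.splitlines()):
        if len(row) != 5:
            continue  # skip blank or malformed lines
        _ts, peer, protocol, cipher, cert_sig = (f.strip() for f in row)
        for problem in findings_for(protocol, cipher, cert_sig):
            report[peer].add(problem)
    return {peer: sorted(p) for peer, p in report.items()}

if __name__ == "__main__":
    for peer, problems in sorted(audit(SAMPLE_TRACE).items()):
        print(f"{peer}: {'; '.join(problems)}")
```

Grouping by peer gives one line per remote system that still needs a vendor upgrade or a reissued certificate, rather than one line per connection.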
