This was from another thread I posted back in July related to SSL Current
Version, RC4 ciphers.
IBM has released two PTFs to resolve SSL client issues, MF60335, SI57332
Applied to both Production and R&D LPAR, issue resolved.
Make sure you run the special instructions SST Advanced Analysis SSLCONFIG
1. Open a character-based interface.
2. On the command line, type STRSST.
3. Type your service tools user name and password.
4. Select option 1 (Start a service tool).
5. Select option 4 (Display/Alter/Dump).
6. Select option 1 (Display/Alter storage).
7. Select option 2 (Licensed Internal Code (LIC) data).
8. Select option 14 (Advanced analysis).
9. Select option 1 (SSLCONFIG).
10. Enter -h
-eligibleDefaultProtocols:10,08,04 or as needed.
If your iSeries is a client, get these two PTFs installed ASAP.
Not only was my SSL client connection issue resolved, but other apps
previously connecting at TLSv1 are now connecting at TLSv1.2 or TLSv1.1.
Also, another app previously connecting TLSv1.0 using RC4 weak cipher now
connecting at TLSv1.2 with TLS_RSA_WITH_AES_128_CBC_SHA2
Good job IBM.
From: MIDRANGE-L [mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of
Sent: Saturday, December 19, 2015 4:02 PM
To: Midrange Systems Technical Discussion
Subject: Re: Client Access, Access Client and certificates
If the software vendors are using the system SSL APIs then software
updates shouldn't be needed unless they have settings hard-coded. By
default the APIs "should" use the system settings. I say "should" because
they don't always.
I went through this with a customer using our GETURI software that uses
SSL. We had ours set to use the system SSL settings and for some reason it
wasn't in this case.
The situation is described here:
So, I added a flag to our software to get around that while IBM fixed
their stuff. :)
Anyhow, expect more SSL problems down the road. It's been pretty bumpy.
With forcing everyone to move to new versions it's going to also force
many V5Rx and V6Rx users to V7Rx... (and consequently new hardware most
On Sat, Dec 19, 2015 at 1:29 PM, Steinmetz, Paul <PSteinmetz@xxxxxxxxxx>
There have been several SSL PTFs recently.
These have all been related to disabling SSLv2, SSLv3, and TLSv1.0,
only allowing TLSv1.1 or TLSv1.2.
Along with this is disabling SHA1 certs, using new SHA256 certs.
SHA1 certs will be expiring, and will not be able to be renewed.
If the remote device, whether be a desktop or sever, was using one of
the older versions and/or certs, and not updated for the new, this
would cause a failure.
We also had issues with 3rd party i5 products, still waiting for
There are more changes scheduled for 2016.
We were just informed that if our credit card system is running
TLSv1.0 on 7/1/2016, credit cards will stop working because the banks
will no longer be accepting TLSv1.0.
We are currently awaiting for the TLSv1.1 upgrade from Curbstone.
I now have a SSL socket trace running on a daily basis, monitoring all
the SSL versions and certs being used.
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing
list To post a message email: MIDRANGE-L@xxxxxxxxxxxx To subscribe,
unsubscribe, or change list options,
or email: MIDRANGE-L-request@xxxxxxxxxxxx Before posting, please take a
moment to review the archives at http://archive.midrange.com/midrange-l.
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list
To post a message email: MIDRANGE-L@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
or email: MIDRANGE-L-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives