Mike,
If possible could you send me your site name that uses 1.2 so I can compare
against my site using www.ssllabs.com?
Also if you have any 1.2 specific details in your http config file could you
send them on too?
Thanks,
David
-----Original Message-----
From: MIDRANGE-L [mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of David
Dunnion
Sent: 22 January 2016 21:02
To: 'Midrange Systems Technical Discussion'
Subject: RE: TLS 1.2 on 7.1 - cipher suite mismatch issues
Thanks for that we have the same and also these two which I think came with
TR6:
*RSA_AES_256_CBC_SHA256
*RSA_AES_128_CBC_SHA256
Totally stumped now.
Thanks,
David
-----Original Message-----
From: MIDRANGE-L [mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of Mike
Cunningham
Sent: 22 January 2016 18:33
To: Midrange Systems Technical Discussion
Subject: RE: TLS 1.2 on 7.1 - cipher suite mismatch issues
We have what IBM ships. Cipher suites are not my strong suit so I don't know
if any of these are ECDHE. Chrome does show the connection as
AES_128_CBC_SHA TLS 1.2
*RSA_AES_128_CBC_SHA
*RSA_RC4_128_SHA
*RSA_RC4_128_MD5
*RSA_AES_256_CBC_SHA
*RSA_3DES_EDE_CBC_SHA
*RSA_DES_CBC_SHA
*RSA_EXPORT_RC4_40_MD5
*RSA_EXPORT_RC2_CBC_40_MD5
*RSA_NULL_SHA
*RSA_NULL_MD5
-----Original Message-----
From: MIDRANGE-L [mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of David
Dunnion
Sent: Friday, January 22, 2016 12:51 PM
To: 'Midrange Systems Technical Discussion' <midrange-l@xxxxxxxxxxxx>
Subject: RE: TLS 1.2 on 7.1 - cipher suite mismatch issues
Mike,
I have Chrome 47 too and I can access other sites using 1.2 no problem. The
same goes for the IE versions and Firefox versions I am using to test (on
Win 7 & 10), I can open other sites using 1.2 but not my own.
I'm using a Comodo cert which I just changed to 4096 bit. In the ssllabs
report there is a warning about 'Chain issues: Contains anchor', so I plan
on removing a root cert tonight to get rid of this message and hopefully it
might help.
Does your iSeries have the newer ECDHE cipher suites?
Thanks,
David
-----Original Message-----
From: MIDRANGE-L [mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of Mike
Cunningham
Sent: 22 January 2016 17:30
To: Midrange Systems Technical Discussion
Subject: RE: TLS 1.2 on 7.1 - cipher suite mismatch issues
Don't look server side. Problem is more likely in the browser. Early
versions of IE did not enable TLS 1.1 and 1.2 by default. You have to turn
them on. In some versions of IE turning on 1.1 and 1.2 and turning off 1.0
does not make a connection but turning off 1.2 and turning 1.0 back on makes
1.1 work. I am using Chrome 47 and can connect TLS 1.2 to my iSeries.
Check here to find the browser you need:
https://en.wikipedia.org/wiki/Template:TLS/SSL_support_history_of_web_browsers
Notice that IE is also dependent on the OS.
Do you happen to use a Verisign certificate on your iSeries? We discovered
recently, with a lot of help from IBM, that a root certificate from Verisign
was causing a problem with Client Access connecting SSL (telnet SSL worked
but the rest of Client Access would not work SSL). When we put a newer root
certificate on it broke older versions of Client Access telnet SSL. Working
now to get those systems current.
-----Original Message-----
From: MIDRANGE-L [mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of David
Dunnion
Sent: Friday, January 22, 2016 11:53 AM
To: midrange-l@xxxxxxxxxxxx
Subject: TLS 1.2 on 7.1 - cipher suite mismatch issues
Hi,
I have TLS 1.2 enabled for my HTTP server but it's only working for certain
browsers, IE 11 & Edge and some older browser versions. In Chrome I get the
error "ERR_SSL_VERSION_OR_CIPHER_MISMATCH" and Firefox gives the error
"ssl_error_protocol_version_alert" and the site doesn't load.
In my test HTTP config file I have set my cipher suite list like below which
matches the only cipher suites I have on my system (7.1, TR7) that Chrome
supports:
SSLCipherSpec TLS_RSA_WITH_AES_256_CBC_SHA
SSLCipherSpec TLS_RSA_WITH_AES_128_CBC_SHA
SSLCipherSpec TLS_RSA_WITH_3DES_EDE_CBC_SHA
But I still can't get a connection. Using www.ssllabs.com/ssltest/ I have
checked some other sites which work fine for TLS 1.2 using the AES_128_CBC
cipher.
The only difference being those sites also have the more modern ECDHE cipher
suites listed too even though they are not used for the connection. I can't
go to 7.2 with this box for a long time.
Has anyone come across this problem before on 7.1?
Thanks,
David
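
The cipher names quoted in this thread (the ten Mike lists, the two SHA256 suites David mentions, and the three SSLCipherSpec lines) can be audited mechanically. This is an added example, not code from any poster or from IBM; it assumes the system names map to IANA names by the rule `*RSA_<X>` = `TLS_RSA_WITH_<X>` and `*RSA_EXPORT_<X>` = `TLS_RSA_EXPORT_WITH_<X>`.

```python
# Added example, not from the thread: audit the IBM i cipher names quoted above.
# Assumption: "*RSA_<X>" is IANA "TLS_RSA_WITH_<X>" and "*RSA_EXPORT_<X>"
# is "TLS_RSA_EXPORT_WITH_<X>".
SYSTEM_LIST = """*RSA_AES_128_CBC_SHA *RSA_RC4_128_SHA *RSA_RC4_128_MD5
*RSA_AES_256_CBC_SHA *RSA_3DES_EDE_CBC_SHA *RSA_DES_CBC_SHA
*RSA_EXPORT_RC4_40_MD5 *RSA_EXPORT_RC2_CBC_40_MD5 *RSA_NULL_SHA *RSA_NULL_MD5
*RSA_AES_256_CBC_SHA256 *RSA_AES_128_CBC_SHA256""".split()

HTTP_CONFIG = """SSLCipherSpec TLS_RSA_WITH_AES_256_CBC_SHA
SSLCipherSpec TLS_RSA_WITH_AES_128_CBC_SHA
SSLCipherSpec TLS_RSA_WITH_3DES_EDE_CBC_SHA"""

# Name tokens that mark a suite as unsafe to offer, with the reason.
WEAK = {"NULL": "no encryption", "EXPORT": "40-bit export-grade key",
        "RC4": "RC4 (prohibited by RFC 7465)", "RC2": "obsolete RC2 cipher",
        "DES": "56-bit DES", "3DES": "64-bit block cipher", "MD5": "MD5 MAC"}

def to_iana(name):
    """Convert a system-list name to its IANA form (assumed naming rule)."""
    kx, rest = name.lstrip("*").split("_", 1)
    if rest.startswith("EXPORT_"):
        return f"TLS_{kx}_EXPORT_WITH_{rest[len('EXPORT_'):]}"
    return f"TLS_{kx}_WITH_{rest}"

def audit(name):
    """Classify one suite: weaknesses, TLS 1.2-only, forward secrecy."""
    iana = to_iana(name)
    tokens = iana.split("_")
    return {"iana": iana,
            "weak": [why for tok, why in WEAK.items() if tok in tokens],
            # SHA256-MAC CBC suites are defined only for TLS 1.2 (RFC 5246).
            "tls12_only": iana.endswith("_SHA256"),
            "forward_secrecy": tokens[1] in ("DHE", "ECDHE")}

def config_suites(text):
    """Extract suite names from SSLCipherSpec directives."""
    return [l.split()[1] for l in text.splitlines()
            if l.strip().startswith("SSLCipherSpec")]

def missing_from_system():
    """Configured suites that the system list does not provide."""
    available = {to_iana(n) for n in SYSTEM_LIST}
    return [s for s in config_suites(HTTP_CONFIG) if s not in available]

if __name__ == "__main__":
    for n in SYSTEM_LIST:
        r = audit(n)
        print(f"{r['iana']:<40} weak={r['weak'] or '-'} fs={r['forward_secrecy']}")
    print("configured but not on system:", missing_from_system())
```

Run over these lists, every suite uses RSA key exchange, so none offers forward secrecy, and only the four AES suites carry no weakness flag.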
--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list
To post a message email: MIDRANGE-L@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives at
http://archive.midrange.com/midrange-l.
Please contact support@xxxxxxxxxxxx for any
subscription related questions.