Hi All,

After further investigation I think the incompatibility of cyphers on each
end is not possible to be solved without an upgrade to 7.2 / 7.3.

Would anybody be able to confirm this or any alternative?

Thank you again


Don Brown





From: Don Brown <DBrown@xxxxxxxxxx>
To: "Midrange Systems Technical Discussion" <midrange-l@xxxxxxxxxxxx>
Date: 18/08/2016 03:52 PM
Subject: (GSKit) No compatible cipher suite available between SSL end points.
Sent by: "MIDRANGE-L" <midrange-l-bounces@xxxxxxxxxxxx>



Hi All,

I really thought I could sort this out without help but ...

Would really appreciate any suggestions.

We are on V7R1 and fairly up to date on PTFs.

I have updated system value QSSLPCL to have the following values:
*TLSV1.2
*TLSV1.1
*TLSV1
*SSLV3

I have updated to HTTPAPI V1.32

A secure gateway we use has advised they are updating their security -
they advised ...

• The SSL security certificate version will be upgraded to SHA-256 hashing algorithm
• Only Transport Layer 1.1 and 1.2 protocols to be accepted. (any previous versions will not be accepted)
• Updates to accepted Ciphers:
AES256-GCM-SHA384:
AES128-GCM-SHA256:
ECDHE-RSA-AES256-GCM-SHA384:
ECDHE-RSA-AES128-GCM-SHA256:
ECDHE-RSA-AES256-SHA384:
ECDHE-RSA-AES256-CBC-SHA:
ECDHE-RSA-AES128-SHA256:
ECDHE-RSA-AES128-CBC-SHA

I have exported the Root and intermediate certificates from the site and
loaded into DCM successfully

The debug.txt shows the error.

HTTPAPI Ver 1.32 released 2016-02-10
NTLM Ver 1.4.0 released 2014-12-22
OS/400 Ver V7R1M0

http_persist_open(): entered
http_long_ParseURL(): entered
DNS resolver retrans: 2
DNS resolver retry : 2
DNS resolver options: x'00000136'
DNS default domain: MSD.local
DNS server found: 10.1.1.31
DNS server found: 139.130.4.4
Nagle's algorithm (TCP_NODELAY) disabled.
SNI hostname set to: test.securepay.com.au
(GSKit) No compatible cipher suite available between SSL end points.
ssl_error(402): (GSKit) No compatible cipher suite available between SSL
end points.
SetError() #30: SSL Handshake: (GSKit) No compatible cipher suite
available between SSL end poin

The list of cyphers does not match the knowledge centre reference for 7.1
- I have
*RSA_AES_128_CBC_SHA256
*RSA_AES_128_CBC_SHA
*RSA_RC4_128_SHA
*RSA_RC4_128_MD5
*RSA_AES_256_CBC_SHA256
*RSA_AES_256_CBC_SHA
*RSA_3DES_EDE_CBC_SHA
*RSA_DES_CBC_SHA
*RSA_EXPORT_RC4_40_MD5
*RSA_EXPORT_RC2_CBC_40_MD5
*RSA_NULL_SHA256
*RSA_NULL_SHA
*RSA_NULL_MD5


Thank you for any assistance

Don Brown
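
An added example, not part of the original post: it normalises the two cipher lists quoted above into comparable fields, intersects them, and reports which field separates each gateway cipher from the nearest system suite. The parsing assumes the usual naming conventions: OpenSSL-style names omit "CBC" and omit the key-exchange prefix for plain RSA, and the function names are hypothetical.

```python
# Both lists are copied from the post: the gateway's accepted ciphers
# (OpenSSL-style names) and the suites listed on the V7R1 system.
GATEWAY = """AES256-GCM-SHA384 AES128-GCM-SHA256 ECDHE-RSA-AES256-GCM-SHA384
ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES256-SHA384 ECDHE-RSA-AES256-CBC-SHA
ECDHE-RSA-AES128-SHA256 ECDHE-RSA-AES128-CBC-SHA""".split()
SYSTEM = """*RSA_AES_128_CBC_SHA256 *RSA_AES_128_CBC_SHA *RSA_RC4_128_SHA
*RSA_RC4_128_MD5 *RSA_AES_256_CBC_SHA256 *RSA_AES_256_CBC_SHA
*RSA_3DES_EDE_CBC_SHA *RSA_DES_CBC_SHA *RSA_EXPORT_RC4_40_MD5
*RSA_EXPORT_RC2_CBC_40_MD5 *RSA_NULL_SHA256 *RSA_NULL_SHA *RSA_NULL_MD5""".split()
FIELDS = ("kx", "cipher", "mode", "hash")

def parse_gateway(name):
    """OpenSSL-style name -> (key exchange, cipher, mode, hash)."""
    parts = name.split("-")
    kx = "RSA"                            # no prefix means RSA key exchange
    if parts[0] in ("ECDHE", "DHE"):      # e.g. ECDHE-RSA-...
        kx, parts = "_".join(parts[:2]), parts[2:]
    mode = "GCM" if "GCM" in parts else "CBC"   # CBC is implicit in most names
    # For GCM suites the trailing hash is the PRF hash; it is compared by name only.
    return kx, parts[0], mode, parts[-1]

def parse_system(name):
    """IBM i style name (*RSA_AES_128_CBC_SHA256) -> the same tuple shape."""
    parts = name.lstrip("*").split("_")
    kx, digest, body = parts[0], parts[-1], parts[1:-1]
    mode = next((m for m in ("GCM", "CBC") if m in body), "NONE")
    cipher = "".join(p for p in body if p != mode)
    return kx, cipher, mode, digest

def common_suites(gateway=GATEWAY, system=SYSTEM):
    """Pairs (gateway name, system name) that describe the same suite."""
    offered = {parse_system(s): s for s in system}
    return [(g, offered[parse_gateway(g)]) for g in gateway
            if parse_gateway(g) in offered]

def closest_gap(gateway_name, system=SYSTEM):
    """Fields that differ between a gateway cipher and its nearest system suite."""
    g = parse_gateway(gateway_name)
    diffs = [[f for f, a, b in zip(FIELDS, g, parse_system(s)) if a != b]
             for s in system]
    return min(diffs, key=len)

if __name__ == "__main__":
    print("common suites:", common_suites())
    for name in GATEWAY:
        print(f"{name:32} differs in {closest_gap(name)}")
```
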

