


This is the one in question:

ECDHE_RSA_AES_256_GCM_SHA384

I don't believe this is part of the fix. I remember this one. My client
apps wouldn't use the default ciphers unless they told the application to
use them (through the APIs themselves), or applied this PTF.

Brad
www.bvstools.com

On Tue, Dec 20, 2016 at 10:56 AM, Steinmetz, Paul <PSteinmetz@xxxxxxxxxx>
wrote:

Brad,

I believe so.

You need to first change the 3 QSSL* system values from default to custom
values.
Then apply the PTFs.
Then make sure you run the special instructions SST Advanced Analysis >
SSLCONFIG MACRO. !!!!!!


From the (Advanced analysis) (SSLCONFIG) help text.

-eligibleDefaultCipherSuites:<cipherSuiteNumber>[,<cipherSuiteNumber>...]
Set the System SSL eligible default cipher suite list.
This option takes a comma separated list of numbers
to determine the eligible default cipher suites. This list
is used along with QSSLCSL to generate the default cipher
suite list used by System SSL.
CipherSuiteNumber CipherSuiteName
----------------- ---------------
04 RSA_RC4_128_MD5
05 RSA_RC4_128_SHA
0A RSA_3DES_EDE_CBC_SHA
2F RSA_AES_128_CBC_SHA
35 RSA_AES_256_CBC_SHA
3C RSA_AES_128_CBC_SHA256
3D RSA_AES_256_CBC_SHA256

Paul

-----Original Message-----
From: MIDRANGE-L [mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of
Bradley Stone
Sent: Tuesday, December 20, 2016 11:45 AM
To: Midrange Systems Technical Discussion
Subject: Re: V7R1 is not supported anymore (at least for SSL ciphers)

Paul,

Does this fix add newer ciphers? I would have expected if there was a PTF
that fixed my customer's problem they would have been pointed to these PTFs.

I just want to make sure before I pass along the info. Thanks!

Brad
www.bvstools.com

On Tue, Dec 20, 2016 at 10:36 AM, Steinmetz, Paul <PSteinmetz@xxxxxxxxxx>
wrote:

From an old post of mine,

IBM released two V7R1 PTFs to resolve SSL client issues, MF60335,
SI57332.
These PTFs allowed you to change the SSL defaults, which was needed for
some 3rd party products to function.
Make sure you run the special instructions SST Advanced Analysis
SSLCONFIG MACRO. !!!!!!

http://www-01.ibm.com/support/docview.wss?uid=nas35a3400efeeb413d086257e7e007eb665
http://www-01.ibm.com/support/docview.wss?uid=nas24e5145dca463e43586257e6f003c6da7

http://www-912.ibm.com/a_dir/as4ptf.nsf/b3cb9d42f672b70f86256739004afa0f/9d8f3c581309ec3886257e7e007eb678?OpenDocument
http://www-01.ibm.com/support/docview.wss?uid=nas22105ec3f6fa1476986257e74003c6ed6

1. Open a character-based interface.
2. On the command line, type STRSST.
3. Type your service tools user name and password.
4. Select option 1 (Start a service tool).
5. Select option 4 (Display/Alter/Dump).
6. Select option 1 (Display/Alter storage).
7. Select option 2 (Licensed Internal Code (LIC) data).
8. Select option 14 (Advanced analysis).
9. Select option 1 (SSLCONFIG).
10. Enter -h
-eligibleDefaultProtocols:10,08,04 or as needed.

If your iSeries is a client, get these two PTFs installed ASAP.

Paul

-----Original Message-----
From: MIDRANGE-L [mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of
Mark Murphy/STAR BASE Consulting Inc.
Sent: Tuesday, December 20, 2016 11:23 AM
To: Midrange Systems Technical Discussion
Subject: Re: V7R1 is not supported anymore (at least for SSL ciphers)

That is only in the default value. The ciphers are still available; if
you roll down the page you will see the valid values.

Mark Murphy
Atlas Data Systems
mmurphy@xxxxxxxxxxxxxxx


-----Rob Berendt <rob@xxxxxxxxx> wrote: -----
To: Midrange Systems Technical Discussion <midrange-l@xxxxxxxxxxxx>
From: Rob Berendt <rob@xxxxxxxxx>
Date: 12/20/2016 08:49AM
Subject: Re: V7R1 is not supported anymore (at least for SSL ciphers)


Good links Joe.
You'll also see that 7.3 dropped many that 7.2 supported but didn't add
any that are not available to 7.2.
http://www.ibm.com/support/knowledgecenter/ssw_ibm_i_73/rzakz/rzakzqsslcsl.htm
<snip>
http://www.ibm.com/support/knowledgecenter/ssw_ibm_i_71/rzakz/rzakzqsslcsl.htm
http://www.ibm.com/support/knowledgecenter/ssw_ibm_i_72/rzakz/rzakzqsslcsl.htm
</snip>

Rob Berendt
--
IBM Certified System Administrator - IBM i 6.1 Group Dekko Dept 1600
Mail to: 2505 Dekko Drive
Garrett, IN 46738
Ship to: Dock 108
6928N 400E
Kendallville, IN 46755
http://www.dekko.com


--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list
To post a message email: MIDRANGE-L@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives
at http://archive.midrange.com/midrange-l.

Please contact support@xxxxxxxxxxxx for any subscription related
questions.

Help support midrange.com by shopping at amazon.com with our affiliate
link: http://amzn.to/2dEadiD
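
Added example (not part of the original thread, and not IBM code): a Python model of what the SSLCONFIG help text quoted above describes, where the eligible default cipher suite list is combined with QSSLCSL to produce the default list. It assumes the default list is the suites present in both, kept in QSSLCSL order, and that QSSLCSL entries carry a leading asterisk; the QSSLCSL and option values are constructed samples.

```python
# Number-to-name table copied from the SSLCONFIG help text quoted in the thread.
SUITE_NAMES = {
    "04": "RSA_RC4_128_MD5",
    "05": "RSA_RC4_128_SHA",
    "0A": "RSA_3DES_EDE_CBC_SHA",
    "2F": "RSA_AES_128_CBC_SHA",
    "35": "RSA_AES_256_CBC_SHA",
    "3C": "RSA_AES_128_CBC_SHA256",
    "3D": "RSA_AES_256_CBC_SHA256",
}
# Algorithms commonly treated as deprecated for TLS (reviewer's choice of markers).
WEAK_TOKENS = ("RC4", "MD5", "3DES")


def parse_eligible(option):
    """Parse '-eligibleDefaultCipherSuites:3D,3C,...' into a list of suite names."""
    key, sep, value = option.partition(":")
    if key != "-eligibleDefaultCipherSuites" or not sep:
        raise ValueError("not an -eligibleDefaultCipherSuites option: %r" % option)
    names = []
    for number in value.split(","):
        number = number.strip().upper()
        if number not in SUITE_NAMES:
            raise ValueError("suite number not in the quoted table: %r" % number)
        names.append(SUITE_NAMES[number])
    return names


def default_suites(qsslcsl, eligible):
    """Assumed rule: suites present in both lists, kept in QSSLCSL order."""
    allowed = set(eligible)
    ordered = [entry.lstrip("*") for entry in qsslcsl]
    return [name for name in ordered if name in allowed]


def weak(suites):
    """Return the suites whose name contains a deprecated algorithm marker."""
    return [s for s in suites if any(tok in s for tok in WEAK_TOKENS)]


# Constructed sample values, not taken from any real system.
SAMPLE_QSSLCSL = ["*ECDHE_RSA_AES_256_GCM_SHA384", "*RSA_AES_256_CBC_SHA256",
                  "*RSA_AES_128_CBC_SHA", "*RSA_3DES_EDE_CBC_SHA", "*RSA_RC4_128_SHA"]
SAMPLE_OPTION = "-eligibleDefaultCipherSuites:3D,3C,2F,0A"

if __name__ == "__main__":
    result = default_suites(SAMPLE_QSSLCSL, parse_eligible(SAMPLE_OPTION))
    print("default list:", result)
    print("weak entries:", weak(result))
```

A suite that appears in QSSLCSL but not in the eligible list drops out of the modelled default list, and any entry reported by weak() is a candidate for removal from the eligible list.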


This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited.