× The internal search function is temporarily non-functional. The current search engine is no longer viable and we are researching alternatives.
As a stop gap measure, we are using Google's custom search engine service.
If you know of an easy to use, open source, search engine ... please contact support@midrange.com.



On V7.1 and *NETSECURE does not appear to be an option for QAUDLVL. LIC trace I have used before and remember seeing the cipher name listed there. I can start a trace to see what we are using before turning off RSA_3DES_EDE_CBC_SHA and then get rescanned.

Thanks Rob


-----Original Message-----
From: MIDRANGE-L [mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of Rob Berendt
Sent: Friday, January 13, 2017 9:58 AM
To: Midrange Systems Technical Discussion <midrange-l@xxxxxxxxxxxx>
Subject: Re: SSL cipher list and PCI

Ciphers is one of those things that it is critical to know what version of the OS you are running.

There are two parts:
One, what ciphers do we support?
Two, what ciphers are actually consumed?

This is how they relate. Let's say you had a cipher called *EASILY_HACKED. Your auditors may want you to shut that one down. But you may have a concern if some vendor or something might be using that. So that's where the second question comes into play.

Now, from the 10,000 foot view, there are ways to see both.

Going back to your post...
You had a question if your PCI scanner calls it DES-CBC3-SHA while IBM may call it something else, like RSA_3DES_EDE_CBC_SHA.
The red flag I see from your scanner is CBC3. I would think that it should be 3DES-CBC so your concern is probably valid.

Some google searching for DES-CBC3-SHA shows hits but shuts right down if you add "IBM i"

See also:
"How to determine what System SSL/TLS protocols and cipher suites are used on the system"
http://www.ibm.com/support/knowledgecenter/en/ssw_ibm_i_73/rzain/rzainhowtoprotocipher.htm?view=kc


Rob Berendt
--
IBM Certified System Administrator - IBM i 6.1
Group Dekko
Dept 1600
Mail to: 2505 Dekko Drive
Garrett, IN 46738
Ship to: Dock 108
6928N 400E
Kendallville, IN 46755
http://www.dekko.com





From: Mike Cunningham <mike.cunningham@xxxxxxx>
To: Midrange Systems Technical Discussion <midrange-l@xxxxxxxxxxxx>
Cc: Randy Monroe <rmonroe@xxxxxxx>, Jim Williams Jr
<Jim.Williams@xxxxxxx>
Date: 01/13/2017 09:37 AM
Subject: SSL cipher list and PCI
Sent by: "MIDRANGE-L" <midrange-l-bounces@xxxxxxxxxxxx>



Our PCI external scanner send us the issue below, requesting us to remove
cipher DES-CBC3-SHA. Our list of ciphers in QSSLCSL (also below) does not
show this cipher being used. Would anyone know if the list IBM uses is the
standard name others would use for the same cipher? Or is there another
place for me to look for the ciphers we are using other than the QSSLCSL
list? (p.s. we do still have to allow for TLSV1 as one of our external
vendors has not removed that yet – planned for April of this year)

Thanks
Mike Cunningham

FAIL
Port 443
Protocol TCP
Service www
Title SSL Medium Strength Cipher Suites Supported

Synopsis:
The remote service supports the use of medium strength SSL ciphers.
Impact:
The remote host supports the use of SSL ciphers that offer medium strength
encryption. SecurityMetrics regards medium strength as any encryption that
uses key lengths at least 56 bits and less than 112 bits, or else that
uses the 3DES encryption suite. Note that it is considerably easier to
circumvent medium strength encryption if the attacker is on the same
physical network. See also :
https://www.openssl.org/blog/blog/2016/08/24/sweet32/
Resolution:
Reconfigure the affected application if possible to avoid use of medium
strength ciphers.
Data Received:
Here is the list of medium strength SSL ciphers supported by the remote
server : Medium Strength Ciphers (> 64-bit and < 112-bit key) TLSv1
DES-CBC3-SHA Kx=RSA Au=RSA Enc=3DES-CBC(168) Mac=SHA1 The fields above are
: {OpenSSL ciphername} Kx={key exchange} Au={authentication}
Enc={symmetric encryption method} Mac={message authentication code}
{export flag}



System value . . . . . : QSSLCSL
Description . . . . . : Secure sockets layer cipher specification list


Sequence Cipher
number Suite
0
10 *RSA_AES_128_CBC_SHA
20 *RSA_RC4_128_SHA
30 *RSA_RC4_128_MD5
40 *RSA_AES_256_CBC_SHA
50 *RSA_3DES_EDE_CBC_SHA
60 *RSA_DES_CBC_SHA
70 *RSA_EXPORT_RC4_40_MD5
80 *RSA_EXPORT_RC2_CBC_40_MD5
90 *RSA_NULL_SHA
100 *RSA_NULL_MD5
Bottom

________________________________
This email may contain confidential information about a Pennsylvania
College of Technology student. It is intended solely for the use of the
recipient. This email may contain information that is considered an
“educational record” subject to the protections of the Family Educational
Rights and Privacy Act Regulations. The regulations may be found at 34
C.F.R. Part 99 for your reference. The recipient may only use or disclose
the information in accordance with the requirements of the Federal
Educational Rights and Privacy Act Regulations. If you have received this
transmission in error, please notify the sender immediately and
permanently delete the email.
--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing
list
To post a message email: MIDRANGE-L@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives
at http://archive.midrange.com/midrange-l.

Please contact support@xxxxxxxxxxxx for any subscription related
questions.

Help support midrange.com by shopping at amazon.com with our affiliate
link: http://amzn.to/2dEadiD



--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list
To post a message email: MIDRANGE-L@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives
at http://archive.midrange.com/midrange-l.

Please contact support@xxxxxxxxxxxx for any subscription related questions.

Help support midrange.com by shopping at amazon.com with our affiliate link: http://amzn.to/2dEadiD

________________________________
This email may contain confidential information about a Pennsylvania College of Technology student. It is intended solely for the use of the recipient. This email may contain information that is considered an “educational record” subject to the protections of the Family Educational Rights and Privacy Act Regulations. The regulations may be found at 34 C.F.R. Part 99 for your reference. The recipient may only use or disclose the information in accordance with the requirements of the Federal Educational Rights and Privacy Act Regulations. If you have received this transmission in error, please notify the sender immediately and permanently delete the email.

As an Amazon Associate we earn from qualifying purchases.

This thread ...

Follow-Ups:
Replies:

Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.