× The internal search function is temporarily non-functional. The current search engine is no longer viable and we are researching alternatives.
As a stop gap measure, we are using Google's custom search engine service.
If you know of an easy to use, open source, search engine ... please contact support@midrange.com.



Larry, I agree. But I think most are going to run into trouble
because of ignorance (and I don't mean that in a derogatory way). I
don't think IBM sent out newsletters for this. (I did, but I know
hardly anyone reads them.) And I treat my customers like my kids in
that "they can do no wrong" (unless they don't know how to add a
library to a library list..haha)

Paul, if these companies are using GETURI or HTTPAPI (or other) to
consume web services and the web server is using a newer cert with
newer cihpers that aren't available on V7R1 the IBM i just says
"nope.. I can't do that" with no option to bypass. As far as your new
certificate, you probably got lucky (or specifically selected) ciphers
still supported by V7R1.

This issue is dealing with credit card processing companies. So far
all 3 have been processing credit cards. 1 was able to upgrade to
V7R3 overnight... which was nice. The others are basically dead in
the water.

Even though the handshake API says that as long as a certificate is
presented, you can use a procedure to bypass it, but it seems all that
really works for is the not trusted error (-23). It doesn't work for
-1 (no ciphers) or -24 (expired cert). Don't get me started on how
stupid the -24 expired cert error is...

Just wanted to mainly put out a warning. Shops these days are not
like they were in the past with operator(s) and programmers. Not many
shops have someone scouring IBM release notes and messages (and
mailing lists) making sure things are working. There's no time for
that when you're a sole programmer also wearing an operator hat. :)

Bradley V. Stone
www.bvstools.com
MAILTOOL Benefit #13: The ability to use an IFS stream file as the
body of the email (either text or html).

On Mon, Jul 10, 2017 at 8:30 AM, Steinmetz, Paul <PSteinmetz@xxxxxxxxxx> wrote:
Brad,

What is the issue here.
We're on V7R1, latest CUM and groups, our wildcard SHA256 cert expired June 30, just upgraded to a new SHA256 cert.
Everything working.
We did experience the 24 SSL_ERROR_CERT_EXPIRED error.
Had to delete the expired certs from DCM.

Paul

-----Original Message-----
From: MIDRANGE-L [mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of Bradley Stone
Sent: Monday, July 10, 2017 9:05 AM
To: Midrange Systems Technical Discussion
Subject: SSL Cipher Support and V7R1... and so it begins

I believe June or July 2017 was a deadline for financial institutions to update their SSL certificates to the latest and greatest.

3 customers in one week so far have been affected, but only because they are on V7R1. The only option is to update to V7R2 or higher. 2 out of 3 say they need new hardware to update to a new OS. So not really "free".

I would be on the lookout if you use GETURI, HTTPAPI, or any other socket application that uses SSL to communicate with financial institutions if you're on V7R1 or lower. It will most likely stop working soon if it hasn't already.

The only other option I can see to do, since IBM won't install the new ciphers, is possibly ask them to update the SSL Handshake API to allow you to bypass the RC(-1) No Ciphers error (and others like -24 SSL_ERROR_CERT_EXPIRED which is stupid anyhow) like you can with the not trusted handshake error.

Wishful thinking. :)


Bradley V. Stone
www.bvstools.com
MAILTOOL Benefit #6: Easily send group emails with Distribution Lists
--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list To post a message email: MIDRANGE-L@xxxxxxxxxxxx To subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx Before posting, please take a moment to review the archives at http://archive.midrange.com/midrange-l.

Please contact support@xxxxxxxxxxxx for any subscription related questions.

Help support midrange.com by shopping at amazon.com with our affiliate link: http://amzn.to/2dEadiD
--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list
To post a message email: MIDRANGE-L@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives
at http://archive.midrange.com/midrange-l.

Please contact support@xxxxxxxxxxxx for any subscription related questions.

Help support midrange.com by shopping at amazon.com with our affiliate link: http://amzn.to/2dEadiD

As an Amazon Associate we earn from qualifying purchases.

This thread ...

Follow-Ups:
Replies:

Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.