× The internal search function is temporarily non-functional. The current search engine is no longer viable and we are researching alternatives.
As a stop gap measure, we are using Google's custom search engine service.
If you know of an easy to use, open source, search engine ... please contact support@midrange.com.


  1.  Home
  2. MIDRANGE-L
  3. July 2017

RE: SSL Cipher Support and V7R1... and so it begins

Brad,

We process credit cards using Curbstone C2 with TSYS.
No issues thus far.
Do we need to be concerned?
Our V7R1 to V7R3 upgrade was delayed to 1st quarter 2018.

We're running a customized SSL, (provided by PTFs from IBM)
Combination of changing the 3 system values below and SST SSLCONFIG

QSSLCSL *SEC Secure sockets layer cipher specification list
QSSLCSLCTL *SEC Secure sockets layer cipher control
QSSLPCL *SEC Secure sockets layer protocols


Running macro: SSLCONFIG -DISPLAY

Current configuration
SSL Eligible Default Protocol List . . : TLSv1.2
TLSv1.1
TLSv1.0
SSL Default Protocol List. . . . . . . : TLSv1.2
TLSv1.1
TLSv1.0
SSL Eligible Default Cipher Suites . . : RSA_AES_128_CBC_SHA
RSA_AES_256_CBC_SHA
RSA_AES_128_CBC_SHA256*
RSA_AES_256_CBC_SHA256*
SSL Default Cipher Suite List. . . . . : RSA_AES_256_CBC_SHA256*
RSA_AES_128_CBC_SHA256*
RSA_AES_128_CBC_SHA*
RSA_AES_256_CBC_SHA*
SSL Renegotiation without RFC 5746 . . : None
SSL Server Requires RFC 5746 . . . . . : Off
SSL Client Requires RFC 5746 . . . . . : Off
SSL Default Signature Algorithm List . : RSA with SHA512
RSA with SHA384
RSA with SHA256
RSA with SHA224
RSA with SHA1
SSL Supported Signature Algorithm List . . . . : RSA with SHA512
RSA with SHA384
RSA with SHA256
RSA with SHA224
RSA with SHA1
RSA with MD5
RSA with SHA384
RSA with SHA256
RSA with SHA224
RSA with SHA1
SSL Supported Signature Algorithm List . . . . : RSA with SHA512
RSA with SHA384
RSA with SHA256
RSA with SHA224
RSA with SHA1
RSA with MD5
SSL Connection Counters . . . . . . . : Disabled
Maximum Number of Global OCSP Response Cache Entries . . : NOLIMIT
Object Flush Latency . . . . . . . . . : 500 ms
PTF Level . . . . . . . . . . . . . . : 4

Paul

-----Original Message-----
From: MIDRANGE-L [mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of Bradley Stone
Sent: Monday, July 10, 2017 9:42 AM
To: Midrange Systems Technical Discussion
Subject: Re: SSL Cipher Support and V7R1... and so it begins

Larry, I agree. But I think most are going to run into trouble because of ignorance (and I don't mean that in a derogatory way). I don't think IBM sent out newsletters for this. (I did, but I know
hardly anyone reads them.) And I treat my customers like my kids in
that "they can do no wrong" (unless they don't know how to add a library to a library list..haha)

Paul, if these companies are using GETURI or HTTPAPI (or other) to consume web services and the web server is using a newer cert with newer cihpers that aren't available on V7R1 the IBM i just says "nope.. I can't do that" with no option to bypass. As far as your new certificate, you probably got lucky (or specifically selected) ciphers still supported by V7R1.

This issue is dealing with credit card processing companies. So far all 3 have been processing credit cards. 1 was able to upgrade to
V7R3 overnight... which was nice. The others are basically dead in the water.

Even though the handshake API says that as long as a certificate is presented, you can use a procedure to bypass it, but it seems all that really works for is the not trusted error (-23). It doesn't work for
-1 (no ciphers) or -24 (expired cert). Don't get me started on how stupid the -24 expired cert error is...

Just wanted to mainly put out a warning. Shops these days are not like they were in the past with operator(s) and programmers. Not many shops have someone scouring IBM release notes and messages (and mailing lists) making sure things are working. There's no time for that when you're a sole programmer also wearing an operator hat. :)

Bradley V. Stone
www.bvstools.com
MAILTOOL Benefit #13: The ability to use an IFS stream file as the body of the email (either text or html).

On Mon, Jul 10, 2017 at 8:30 AM, Steinmetz, Paul <PSteinmetz@xxxxxxxxxx> wrote:
Brad,

What is the issue here.
We're on V7R1, latest CUM and groups, our wildcard SHA256 cert expired June 30, just upgraded to a new SHA256 cert.
Everything working.
We did experience the 24 SSL_ERROR_CERT_EXPIRED error.
Had to delete the expired certs from DCM.

Paul

-----Original Message-----
From: MIDRANGE-L [mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of
Bradley Stone
Sent: Monday, July 10, 2017 9:05 AM
To: Midrange Systems Technical Discussion
Subject: SSL Cipher Support and V7R1... and so it begins

I believe June or July 2017 was a deadline for financial institutions to update their SSL certificates to the latest and greatest.

3 customers in one week so far have been affected, but only because they are on V7R1. The only option is to update to V7R2 or higher. 2 out of 3 say they need new hardware to update to a new OS. So not really "free".

I would be on the lookout if you use GETURI, HTTPAPI, or any other socket application that uses SSL to communicate with financial institutions if you're on V7R1 or lower. It will most likely stop working soon if it hasn't already.

The only other option I can see to do, since IBM won't install the new ciphers, is possibly ask them to update the SSL Handshake API to allow you to bypass the RC(-1) No Ciphers error (and others like -24 SSL_ERROR_CERT_EXPIRED which is stupid anyhow) like you can with the not trusted handshake error.

Wishful thinking. :)


Bradley V. Stone
www.bvstools.com
MAILTOOL Benefit #6: Easily send group emails with Distribution Lists
--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing
list To post a message email: MIDRANGE-L@xxxxxxxxxxxx To subscribe,
unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx Before posting, please take a moment to review the archives at http://archive.midrange.com/midrange-l.

Please contact support@xxxxxxxxxxxx for any subscription related questions.

Help support midrange.com by shopping at amazon.com with our affiliate
link: http://amzn.to/2dEadiD
--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing
list To post a message email: MIDRANGE-L@xxxxxxxxxxxx To subscribe,
unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx Before posting, please take
a moment to review the archives at
http://archive.midrange.com/midrange-l.

Please contact support@xxxxxxxxxxxx for any subscription related questions.

Help support midrange.com by shopping at amazon.com with our affiliate
link: http://amzn.to/2dEadiD
--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list To post a message email: MIDRANGE-L@xxxxxxxxxxxx To subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx Before posting, please take a moment to review the archives at http://archive.midrange.com/midrange-l.

Please contact support@xxxxxxxxxxxx for any subscription related questions.

Help support midrange.com by shopping at amazon.com with our affiliate link: http://amzn.to/2dEadiD

As an Amazon Associate we earn from qualifying purchases.

This thread ...
Follow-Ups:
Replies:
Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.