Re: SSL Cipher Support and V7R1... and so it begins

On 7/10/2017 8:21 PM, midrange wrote:

I would only ever so slightly disagree with where this post has gone...
a. It's been IBM's practice to maintain 3 releases (not 100% always 3, but
close) - and the customers on 7.1 or even earlier are "paying for
maintenance"

'Maintain' perhaps, 'Continue to Enhance' No.

b. IBM does do hiper and maintenance fixes for 7.1 - it's just that IBM is
more selective about what they will fix.

If it's broken they fix it. But adding new ciphers isn't really 'broken' it's enhancing. They are no longer enhancing i 7.1 and said that a year ago.

c. in the past, whether it's a security issue or an industry standards issue
IBM has released fixes for the "3rd release"- they currently (if I
understand this thread..) are just deciding it's not worth (time, effort,
resources, $$) to fix this or treat it as importantly as some of us think
- although I am very intrigued by the ptf steps Paul has posted and need to
investigate...

This may be your perception but I do not recall IBM adding significant new function to a releases two back from current with a stated end of support date. They already have provided two new releases with that support in them and one has been available for more than three years.

I'm sitting in a shop on 7.1 - and like Paul, our upgrade is out in the
future, and it's big enough and complex enough that for the many involved it
is many, many months of planning, execution to a test system, testing, and
roll it up to production (much of this process made longer by 2 separate
occasions where just the DB2 fixes IBM was doing for the new sql engine
"broke" our production - and management still remembers....

I've no desire to prolong the argument - we should all have up to date
systems - but IBM has recognized not all move together , and do keep 3
"supported" releases. and they do an incredible amount of backward
compatibility, but in this case, they are saying "maintenance or not,, we
are not fixing it".

Again it is not 'broken' is is simply Out Of Date. NEW things are required to support newer ciphers etc. These are not part of i 7.1. They are NOT easily added and it took a new release (i 7.2) to provide them.

Did the Automakers put airbags in cars already on the road when the government made them mandatory? Of course not. Not even cars still covered under the manufacturer original warranty got them. Yet they were required AND a good idea going forward. Owners had to take action to get a car with that feature.

1993 IBM ad campaign (I still have the posters)
You don't need an army to run the system
You don't have to be a slave to the system
The next generation won't need to change the system (well, 2 out of 3 not
bad..)

They don't need to change it, just upgrade it or fall behind!

You can argue all day that the path that IBM has provided for you is not the one you wish to take. But it is a valid, documented, supported, and best practice path. Resistance is futile!!


- Larry "DrFranken" Bolhuis

www.Frankeni.com
www.iDevCloud.com - Personal Development IBM i timeshare service.
www.iInTheCloud.com - Commercial IBM i Cloud Hosting.>

Jim Franz


-----Original Message-----
From: MIDRANGE-L [mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of
DrFranken
Sent: Monday, July 10, 2017 9:29 AM
To: Midrange Systems Technical Discussion; Bradley Stone
Subject: Re: SSL Cipher Support and V7R1... and so it begins

And so we are again bitten by the curse of 'it just runs, leave it alone'. i
7.1 was a fantastically long lived release and too many simply don't want to
believe that it could possibly be time to upgrade.
If their hardware can't go beyond i 7.1 then they are on some seriously old
stuff, again doesn't mean it doesn't work but wow, that's Power5 vintage up
to 13 years old! Or put another way a disk drive installed in that Power5
machine in 2004 would have rotated over 100,000,000,000 times since then,
yes that's 100 Billion!

I would feel sorry for these folks if they didn't get any warnings or simply
had no alternatives. But they did get warnings, over and over and over and
they DO have alternatives, from newer used gear to newer (FANTASTICALLY
FASTER) and smaller gear or cloud (hint hint!)

Also consider if they are in environments with external communications and
they refuse to update software they are setting themselves up for failure,
not if simply when.

I do agree with you that IBM isn't going to enhance i 7.1. They have already
provided two new releases both easy to upgrade to and they indicated many
months ago that i 7.1 is in fix only mode. As it should be!

- Larry "DrFranken" Bolhuis

www.Frankeni.com
www.iDevCloud.com - Personal Development IBM i timeshare service.
www.iInTheCloud.com - Commercial IBM i Cloud Hosting.

On 7/10/2017 9:04 AM, Bradley Stone wrote:

I believe June or July 2017 was a deadline for financial institutions
to update their SSL certificates to the latest and greatest.

3 customers in one week so far have been affected, but only because
they are on V7R1. The only option is to update to V7R2 or higher. 2
out of 3 say they need new hardware to update to a new OS. So not
really "free".

I would be on the lookout if you use GETURI, HTTPAPI, or any other
socket application that uses SSL to communicate with financial
institutions if you're on V7R1 or lower. It will most likely stop
working soon if it hasn't already.

The only other option I can see to do, since IBM won't install the new
ciphers, is possibly ask them to update the SSL Handshake API to allow
you to bypass the RC(-1) No Ciphers error (and others like -24
SSL_ERROR_CERT_EXPIRED which is stupid anyhow) like you can with the
not trusted handshake error.

Wishful thinking. :)


Bradley V. Stone
www.bvstools.com
MAILTOOL Benefit #6: Easily send group emails with Distribution Lists