Getting to 7.1 TR6 is a must just for the TLS 1.2 and two additional ciphers but not everyone seems to get that they're manually enabled. I would say 75% of the times I check, TR11 is installed but TLS 1.2 isn't enabled.
The ECC ciphers on 7.2/7.3 is where you need to be, but the four secure ciphers on 7.1 are still deemed "secure."
Steve Pitcher
iTech Solutions
Office: (203) 744-7854 Ext. 176
Mobile: (902) 301-0810
http://www.itechsol.com
http://www.iInTheCloud.com
-----Original Message-----
From: MIDRANGE-L [mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of Bradley Stone
Sent: Monday, October 16, 2017 3:09 PM
To: Midrange Systems Technical Discussion <midrange-l@xxxxxxxxxxxx>
Subject: Interim Options for V7R1 Customers with Bank/CC Transactions
Ok, so I've been running into more and more customers using GETURI that are running into the SSL Ciphers issue with V7R1.
I've spent more time than I like (unbillable of course, unless I should bill IBM for doing their job lol) to admit trying to help them figure out solutions, so I would like to hear what ideas others have for interim solutions while hardware/OS is updated.
Most are stuck because their hardware won't run V7R2 or up. And getting new hardware in a week, set up and running is impossible. (It took me over 3 weeks just to renew my SWMA!)
Well, this SSL cipher thing is a little more difficult since it stops them from communicating with bank/credit card as well as other web services that are required for day to day operations. And really the first they hear about it is when the bank/service provider updates their SSL cert and things stop working suddenly.
I have a couple consulting customers that I use my own V7R3 system as a proxy, but it's not something I want to keep doing.
I've suggested to others setting up a PC/*nix proxy internally to bounce the requests from, but I'm finding in those cases the know-how is lacking, and I spend more time trying to explain/help them with only days to go before total shutdown.
So, any other ideas? Or is a temporary local proxy really the best/only way. Assume IBM i hardware/OS won't be able to be done for 3 months, but in 2 weeks you have to move live to the new URL using the new SSL certs with ciphers not supported on your OS.
Possibly a temp account at a cloud provider (Larry?) The problem there is the communication would need to be SSL as well since it will have sensitive data.
Bradley V. Stone
www.bvstools.com