× The internal search function is temporarily non-functional. The current search engine is no longer viable and we are researching alternatives.
As a stop gap measure, we are using Google's custom search engine service.
If you know of an easy to use, open source, search engine ... please contact support@midrange.com.



Back in 2015, I had an open SSL PMR, IBM created two SSL PTFs for V7R1.
These PTFs allowed changes to the SSL default config via SST, Advanced Analysis, SSLCONFIG.
Brad should remember these, MAILTOOL was broke.

MF60335 - The SSLv3 protocol and RC4 cipher suites should not be used due to the POODLE and Bar Mitzvah vulnerabilities.
SI57332 - Customer is unable to get 3rd party application updated to support the TLSv1.2 protocol. The need exists to make applications coded to use the default protocol use TLSv1.2 at a
system level to get around the 3rd party.

However, I doubt we will see any future V7R1 SSL PTFs of this magnitude.

Paul

-----Original Message-----
From: MIDRANGE-L [mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of Rob Berendt
Sent: Wednesday, January 03, 2018 8:52 AM
To: Midrange Systems Technical Discussion
Subject: Re: CERT Advisory: #144389 Return of Bleichenbacher's Oracle Threat (ROBOT)

<snip>
The QSSLCSLCTL system value special value *OPSYS allows the operating system to change the cipher suites that are enabled on the system on a release boundary.
</snip>
https://www.ibm.com/support/knowledgecenter/en/ssw_ibm_i_73/rzain/rzainciphers.htm

They key words being "on a release boundary". I defy you to find a PTF or APAR containing QSSLCSLCTL or QSSLCSL. In my searches the only hits were on the various Memo To Users.


Rob Berendt
--
IBM Certified System Administrator - IBM i 6.1 Group Dekko Dept 1600 Mail to: 2505 Dekko Drive
Garrett, IN 46738
Ship to: Dock 108
6928N 400E
Kendallville, IN 46755
http://www.dekko.com





From: Bradley Stone <bvstone@xxxxxxxxx>
To: Midrange Systems Technical Discussion <midrange-l@xxxxxxxxxxxx>
Date: 01/03/2018 08:02 AM
Subject: Re: CERT Advisory: #144389 Return of Bleichenbacher's
Oracle Threat (ROBOT)
Sent by: "MIDRANGE-L" <midrange-l-bounces@xxxxxxxxxxxx>



I think some of us are interested in a PTF since we use *OPSYS for
QSSLCSLCTL system value:

*OPSYS The QSSLCSL (SSL cipher specification list)
system value is read only. The values
contained in the QSSLCSL (SSL cipher
specification list) system value are
automatically modified to contain the list of
supported cipher suites as determined by the
operating system release.

Bradley V. Stone
www.bvstools.com
GreenTools for Microsoft Apps <https://www.bvstools.com/g4ms.html>: Easy
to
use interfaces for sending and receiving Email as well as OneDrive!

On Wed, Jan 3, 2018 at 6:23 AM, Rob Berendt <rob@xxxxxxxxx> wrote:

The question becomes: Is it a PTF issue or is it resolved by
eliminating
the use of certain ciphers?
As shown by Domino it was resolved by no longer using certain ciphers.
Or, are you hoping that IBM patches certain existing ciphers?


Rob Berendt
--
IBM Certified System Administrator - IBM i 6.1
Group Dekko
Dept 1600
Mail to: 2505 Dekko Drive
Garrett, IN 46738
Ship to: Dock 108
6928N 400E
Kendallville, IN 46755
http://www.dekko.com





From: "Steinmetz, Paul" <PSteinmetz@xxxxxxxxxx>
To: "'Midrange Systems Technical Discussion'"
<midrange-l@xxxxxxxxxxxx>
Date: 01/02/2018 08:35 PM
Subject: RE: CERT Advisory: #144389 Return of Bleichenbacher's
Oracle Threat (ROBOT)
Sent by: "MIDRANGE-L" <midrange-l-bounces@xxxxxxxxxxxx>



SI66509 is orderable and downloads if ordered individually, but not it
ordered via SF99711.
I compared the CVEs mentioned in the PTF, they do not coincide to the
CVE
mentioned in Advisory 144389.
I'm concluding at this time that PTFs have NOT yet been released for
144389.

Does everyone agree?

Paul

-----Original Message-----
From: MIDRANGE-L [mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of
Jack Woehr
Sent: Tuesday, January 02, 2018 6:32 PM
To: Midrange Systems Technical Discussion
Subject: Re: CERT Advisory: #144389 Return of Bleichenbacher's Oracle
Threat (ROBOT)

SI66509

On Tue, Jan 2, 2018 at 4:24 PM, Jack Woehr
<jwoehr@xxxxxxxxxxxxxxxxxxxxxxxx>
wrote:

This page was updated today:

https://www.ibm.com/developerworks/community/wikis/home?lang=en#!/wiki
/ W1c12c273752d_4cb8_b000_8375ec43426d/page/5733-SC1%
20PTFs/comment/837d5a85-7bc7-426c-a8da-d516a7f07e82

On Tue, Jan 2, 2018 at 3:37 PM, Bradley Stone <bvstone@xxxxxxxxx>
wrote:

I just installed the latest CUM a couple days ago for V7R3 and still
see the Cipher list including the RSA ciphers.

Bradley V. Stone
www.bvstools.com
MAILTOOL Benefit #16 <https://www.bvstools.com/mailtool.html>: No
external "helper" PC system required. 100% IBM i native!

On Tue, Jan 2, 2018 at 4:34 PM, Steinmetz, Paul
<PSteinmetz@xxxxxxxxxx>
wrote:

Has IBM released any V7R1, V7R2, V7R3 PTFs to correct this issue,
I'm
not
finding any?



https://www.csa.gov.sg/singcert/news/advisories-
alerts/alert-on-the-return-of-bleichenbacher-oracle-threat-robot-at
tack



Impact

An attacker may be able to derive the TLS session key and fully
decrypt the TLS traffic to access any sensitive information that is
transmitted, such as login credentials and credit card numbers.



Recommendations

System administrators will need to patch their systems if their TLS
are implemented using RSA ciphers by the affected
vendors/implementations.
Visit https://robotattack.org for more information on the
respective vendor's patches.

If patches are not available, consider disabling TLS RSA cipher
suites,
if
possible, with the help of the product's documentation or seek
assistance
from the vendor.



Disabling RSA ciphers on a V7R1 system will basically break SSL,
since
V7R1 only supports RSA ciphers.

Would need to upgrade to V7R2 or V7R3 for the newer ciphers.



For those running SSL on V7R1, is this the end?



Paul







-----Original Message-----
From: MIDRANGE-L [mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf
Of JWGrant@xxxxxxxxxxxxxxx
Sent: Tuesday, January 02, 2018 4:49 PM
To: Midrange Systems Technical Discussion
Subject: Re: CERT Advisory: #144389 Return of Bleichenbacher's
Oracle Threat (ROBOT)



Hi Rob:



We updated the cipher specs (via the notes.ini) and now pass the
test
for
Bleichenbacher's Oracle Threat (ROBOT) for both traveler and domino



SSLCipherSpec=C030009FC02F009EC028006BC0270067





This fixes domino but now we have to handle the IBMi apache servers
as well.



Jim



Jim W Grant

Senior VP, Chief Information Officer

Web: www.pdpgroupinc.com<http://www.pdpgroupinc.com>









From: "Rob Berendt" <rob@xxxxxxxxx<mailto:rob@xxxxxxxxx>>

To: "Midrange Systems Technical Discussion" <
midrange-l@xxxxxxxxxxxx<
mailto:midrange-l@xxxxxxxxxxxx>>

Date: 01/02/2018 03:06 PM

Subject: Re: CERT Advisory: #144389 Return of

Bleichenbacher's Oracle Threat (ROBOT)

Sent by: "MIDRANGE-L"
<midrange-l-bounces@xxxxxxxxxxxx<mailto:
midrange-l-bounces@xxxxxxxxxxxx>>







Previous audits have blacklisted some

SSLCipherSpec=C030009FC02F009EC028006BC0270067

# Security audit black list:

# RSA_WITH_AES_256_GCM_SHA384 (009D)

# RSA_WITH_AES_128_GCM_SHA256 (009C)

# RSA_WITH_AES_256_CBC_SHA256 (003D)

# RSA_WITH_AES_256_CBC_SHA (0035)

# RSA_WITH_AES_128_CBC_SHA256 (003C)

# RSA_WITH_AES_128_CBC_SHA (002F)

# RSA_WITH_3DES_EDE_CBC_SHA (000A)

# RSA_WITH_RC4_128_SHA (0005)

# ECDHE_RSA_WITH_AES_256_CBC_SHA (C014) #
DHE_RSA_WITH_AES_256_CBC_SHA
(0039) # ECDHE_RSA_WITH_AES_128_CBC_SHA (C013)
https://www-10.lotus.com/ldd/dominowiki.nsf/dx/TLS_Cipher_Configura
tion





Rob Berendt

--

IBM Certified System Administrator - IBM i 6.1 Group Dekko Dept
1600
Mail
to: 2505 Dekko Drive

Garrett, IN 46738

Ship to: Dock 108

6928N 400E

Kendallville, IN 46755

http://www.dekko.com



--

This is the Midrange Systems Technical Discussion (MIDRANGE-L)
mailing list To post a message email:
MIDRANGE-L@xxxxxxxxxxxx<mailto:
MIDRANGE-L@xxxxxxxxxxxx> To subscribe, unsubscribe, or change list
options,

visit: https://lists.midrange.com/mailman/listinfo/midrange-l

or email:
MIDRANGE-L-request@xxxxxxxxxxxx<mailto:MIDRANGE-L-request@
midrange.com> Before posting, please take a moment to review the
archives
at https://archive.midrange.com/midrange-l.



Please contact support@xxxxxxxxxxxx<mailto:support@xxxxxxxxxxxx>
for
any
subscription related questions.



Help support midrange.com by shopping at amazon.com with our
affiliate

link: http://amzn.to/2dEadiD







--

This is the Midrange Systems Technical Discussion (MIDRANGE-L)
mailing
list

To post a message email: MIDRANGE-L@xxxxxxxxxxxx<mailto:
MIDRANGE-L@xxxxxxxxxxxx>

To subscribe, unsubscribe, or change list options,

visit: https://lists.midrange.com/mailman/listinfo/midrange-l

or email:
MIDRANGE-L-request@xxxxxxxxxxxx<mailto:MIDRANGE-L-request@
midrange.com>

Before posting, please take a moment to review the archives

at https://archive.midrange.com/midrange-l.



Please contact support@xxxxxxxxxxxx<mailto:support@xxxxxxxxxxxx>
for
any
subscription related questions.



Help support midrange.com by shopping at amazon.com with our
affiliate
link: http://amzn.to/2dEadiD
--
This is the Midrange Systems Technical Discussion (MIDRANGE-L)
mailing
list
To post a message email: MIDRANGE-L@xxxxxxxxxxxx To subscribe,
unsubscribe, or change list options,
visit: https://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx Before posting, please
take a moment to review the archives at
https://archive.midrange.com/midrange-l.

Please contact support@xxxxxxxxxxxx for any subscription related
questions.

Help support midrange.com by shopping at amazon.com with our
affiliate
link: http://amzn.to/2dEadiD

--
This is the Midrange Systems Technical Discussion (MIDRANGE-L)
mailing list To post a message email: MIDRANGE-L@xxxxxxxxxxxx To
subscribe, unsubscribe, or change list options,
visit: https://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx Before posting, please take
a moment to review the archives at
https://archive.midrange.com/midrange-l.

Please contact support@xxxxxxxxxxxx for any subscription related
questions.

Help support midrange.com by shopping at amazon.com with our
affiliate
link: http://amzn.to/2dEadiD




--
Absolute Performance, Inc.
12303 Airport Way, Suite 100
Broomfield, CO 80021

NON-DISCLOSURE NOTICE: This communication including any and all
attachments is for the intended recipient(s) only and may contain
confidential and privileged information. If you are not the intended
recipient of this communication, any disclosure, copying further
distribution or use of this communication is prohibited. If you
received this communication in error, please contact the sender and
delete/destroy all copies of this communication immediately.




--
Absolute Performance, Inc.
12303 Airport Way, Suite 100
Broomfield, CO 80021

NON-DISCLOSURE NOTICE: This communication including any and all
attachments is for the intended recipient(s) only and may contain
confidential and privileged information. If you are not the intended
recipient of this communication, any disclosure, copying further
distribution or use of this communication is prohibited. If you
received
this communication in error, please contact the sender and
delete/destroy
all copies of this communication immediately.
--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing
list To post a message email: MIDRANGE-L@xxxxxxxxxxxx To subscribe,
unsubscribe, or change list options,
visit: https://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx Before posting, please take a
moment to review the archives at https://archive.midrange.com/midrange-l
.

Please contact support@xxxxxxxxxxxx for any subscription related
questions.

Help support midrange.com by shopping at amazon.com with our affiliate
link: http://amzn.to/2dEadiD
--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing
list
To post a message email: MIDRANGE-L@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: https://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives
at https://archive.midrange.com/midrange-l.

Please contact support@xxxxxxxxxxxx for any subscription related
questions.

Help support midrange.com by shopping at amazon.com with our affiliate
link: http://amzn.to/2dEadiD


--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing
list
To post a message email: MIDRANGE-L@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: https://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives
at https://archive.midrange.com/midrange-l.

Please contact support@xxxxxxxxxxxx for any subscription related
questions.

Help support midrange.com by shopping at amazon.com with our affiliate
link: http://amzn.to/2dEadiD


As an Amazon Associate we earn from qualifying purchases.

This thread ...

Follow-Ups:
Replies:

Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.