


Was reviewing V7R3 SSL ciphers.
Found this link where IBM suggests weak ciphers should be disabled.

Configuring Your IBM i System Secure Sockets Layer (SSL)/Transport Layer Security (TLS) Protocols and Cipher Suites
http://www-01.ibm.com/support/docview.wss?uid=nas8N1020876

Weak Cipher Suites (as of March 2018):
*RSA_RC4_128_SHA
*RSA_RC4_128_MD5
*RSA_NULL_MD5
*RSA_NULL_SHA
*RSA_NULL_SHA256
*RSA_DES_CBC_SHA
*RSA_EXPORT_RC4_40_MD5
*RSA_EXPORT_RC2_CBC_40_MD5
*RSA_RC2_CBC_128_MD5
*RSA_DES_CBC_MD5
*RSA_3DES_EDE_CBC_MD5
*RSA_3DES_EDE_CBC_SHA
*ECDHE_ECDSA_NULL_SHA
*ECDHE_ECDSA_RC4_128_SHA
*ECDHE_RSA_NULL_SHA
*ECDHE_RSA_RC4_128_SHA
*ECDHE_RSA_3DES_EDE_CBC_SHA
*ECDHE_ECDSA_3DES_EDE_CBC_SHA

3 of the weak ciphers are part of V7R3 default QSSLCSL - Secure sockets layer cipher specification list
150 *ECDHE_ECDSA_3DES_EDE_CBC_SHA
160 *ECDHE_RSA_3DES_EDE_CBC_SHA
170 *RSA_3DES_EDE_CBC_SHA

Initially, IBM stated that the latest PTFs will disable the weak ciphers.
However, additional follow-up is requiring us to change from default SSL to custom SSL settings to remove these ciphers.

PTFs only disable the cipher suite from being used by default on SSL/TLS connections. PTFs will never physically remove a cipher suite or protocol from your IBM i system value. In order to remove these cipher suites from QSSLCSL, you will need to first set QSSLCSLCTL to *USRDFN. After doing this, you would then remove the cipher suites from the value of QSSLCSL.

Summary.
Back to custom SSL config, similar to what I had on V7R1.

Thank You
_____
Paul Steinmetz
IBM i Systems Administrator

Pencor Services, Inc.
462 Delaware Ave
Palmerton Pa 18071

610-826-9117 work
610-826-9188 fax
610-349-0913 cell
610-377-6012 home

psteinmetz@xxxxxxxxxx
http://www.pencor.com/
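
The two-step change described in the message (set QSSLCSLCTL to *USRDFN, then drop the weak suites from QSSLCSL) can be prepared offline. The script below is an added example, not part of the original post or IBM's document: it filters a cipher list against the weak list quoted above and prints the resulting commands. The sample list is constructed (only entries 150-170 come from the post), the function names are hypothetical, and the CHGSYSVAL value format is an assumption to check against your release before running.

```python
import re

# Weak cipher suites exactly as listed in the post (IBM's list as of March 2018).
WEAK = frozenset("""
*RSA_RC4_128_SHA *RSA_RC4_128_MD5 *RSA_NULL_MD5 *RSA_NULL_SHA *RSA_NULL_SHA256
*RSA_DES_CBC_SHA *RSA_EXPORT_RC4_40_MD5 *RSA_EXPORT_RC2_CBC_40_MD5
*RSA_RC2_CBC_128_MD5 *RSA_DES_CBC_MD5 *RSA_3DES_EDE_CBC_MD5 *RSA_3DES_EDE_CBC_SHA
*ECDHE_ECDSA_NULL_SHA *ECDHE_ECDSA_RC4_128_SHA *ECDHE_RSA_NULL_SHA
*ECDHE_RSA_RC4_128_SHA *ECDHE_RSA_3DES_EDE_CBC_SHA *ECDHE_ECDSA_3DES_EDE_CBC_SHA
""".split())

# Constructed sample of a QSSLCSL display (sequence number, then cipher name).
# Entries 10-30 are illustrative; 150-170 are the three named in the post.
SAMPLE_QSSLCSL = """\
 10 *ECDHE_ECDSA_AES_128_GCM_SHA256
 20 *ECDHE_RSA_AES_128_GCM_SHA256
 30 *RSA_AES_128_CBC_SHA
150 *ECDHE_ECDSA_3DES_EDE_CBC_SHA
160 *ECDHE_RSA_3DES_EDE_CBC_SHA
170 *RSA_3DES_EDE_CBC_SHA
"""

def parse_cipher_list(text):
    """Return cipher names in listed (preference) order, without duplicates."""
    names = []
    for name in re.findall(r"\*[A-Z0-9_]+", text.upper()):
        if name not in names:
            names.append(name)
    return names

def split_weak(names):
    """Split into (suites to keep, weak suites to remove), preserving order."""
    keep = [n for n in names if n not in WEAK]
    drop = [n for n in names if n in WEAK]
    return keep, drop

def build_commands(keep):
    """Build the two system value changes; never emit an empty cipher list."""
    if not keep:
        raise ValueError("no cipher suites would remain in QSSLCSL")
    return [
        "CHGSYSVAL SYSVAL(QSSLCSLCTL) VALUE(*USRDFN)",
        "CHGSYSVAL SYSVAL(QSSLCSL) VALUE('" + " ".join(keep) + "')",
    ]

if __name__ == "__main__":
    keep, drop = split_weak(parse_cipher_list(SAMPLE_QSSLCSL))
    print("Removing:", *drop, sep="\n  ")
    print(*build_commands(keep), sep="\n")
```

Paste your own system's QSSLCSL display in place of the sample; the order of the remaining suites is kept because it is the preference order.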







This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].
