


Actually, applications can use either GSKit APIs or the system SSL APIs.

But, GSKit is recommended by IBM. IBM seems to be calling the SSL APIs
"legacy" or not updating them any more. I can see them not wanting to
support two different products.

I've only found one case where GSKit is required, and that's when a client
is communicating with a server using a wildcard certificate, as they haven't
added SNI support to the system SSL APIs, but have added that support to
GSKit.

Bradley V. Stone
www.bvstools.com

On Tue, Sep 17, 2019 at 9:16 AM Charles Wilt <charles.wilt@xxxxxxxxx> wrote:

DCM and "system" SSL are via GSKit...

So ILE programs are GSKit
Java has its own SSL
PASE (can?) use openssl

Charles



On Mon, Sep 16, 2019 at 9:52 PM Steinmetz, Paul via MIDRANGE-L <
midrange-l@xxxxxxxxxxxxxxxxxx> wrote:

Rob,

If you're seeing GSKit errors, then your application may not be using DCM
and/or SSL system values.
I believe GSKit is a separate SSL setup.
We don't use GSKit, you may want to ask a GSKit expert.

Paul


-----Original Message-----
From: MIDRANGE-L <midrange-l-bounces@xxxxxxxxxxxxxxxxxx> On Behalf Of Rob Berendt
Sent: Monday, September 16, 2019 4:56 PM
To: Midrange Systems Technical Discussion <midrange-l@xxxxxxxxxxxxxxxxxx>
Subject: 7.4 ssl issue

I have this customer I am having issues using TLS with after we upgraded
to IBM i 7.4.

SSL Labs says they support no 1.3 protocols. They do support these 1.2
protocols:
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028) ECDH secp521r1 (eq. 15360 bits RSA) FS WEAK 256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014) ECDH secp521r1 (eq. 15360 bits RSA) FS WEAK 256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027) ECDH secp521r1 (eq. 15360 bits RSA) FS WEAK 128
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013) ECDH secp521r1 (eq. 15360 bits RSA) FS WEAK 128
TLS_RSA_WITH_AES_256_CBC_SHA256 (0x3d) WEAK 256
TLS_RSA_WITH_AES_256_CBC_SHA (0x35) WEAK 256
TLS_RSA_WITH_AES_128_CBC_SHA256 (0x3c) WEAK 128
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f) WEAK 128
TLS_RSA_WITH_RC4_128_SHA (0x5) INSECURE 128
TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa) WEAK 112

So I changed system value QSSLPCL to:
*TLSV1.3
*TLSV1.2

I changed QSSLCSLCTL to *USRDFN

I changed QSSLCSL to:
*AES_128_GCM_SHA256
*AES_256_GCM_SHA384
*CHACHA20_POLY1305_SHA256
*ECDHE_ECDSA_AES_128_GCM_SHA256
*ECDHE_ECDSA_AES_256_GCM_SHA384
*ECDHE_RSA_AES_128_GCM_SHA256
*ECDHE_RSA_AES_256_GCM_SHA384
*ECDHE_ECDSA_AES_256_CBC_SHA384
*RSA_3DES_EDE_CBC_SHA
*RSA_AES_128_CBC_SHA

From program . . . . . . . . . : HTTPAPIR4
From library . . . . . . . . : LIBHTTP
From module . . . . . . . . : HTTPUTILR4
From procedure . . . . . . . : HTTP_CRASH
From statement . . . . . . . : 5685
Message . . . . : SSL Handshake: (GSKit) Peer not recognized or badly
formatted message received.



Rob Berendt
--
IBM Certified System Administrator - IBM i 6.1
Group Dekko
Dept 1600
Mail to: 2505 Dekko Drive
Garrett, IN 46738
Ship to: Dock 108
6928N 400E
Kendallville, IN 46755
http://www.dekko.com

--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list
To post a message email: MIDRANGE-L@xxxxxxxxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: https://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxxxxxxxx
Before posting, please take a moment to review the archives
at https://archive.midrange.com/midrange-l.

Please contact support@xxxxxxxxxxxx for any subscription related
questions.

Help support midrange.com by shopping at amazon.com with our affiliate
link: https://amazon.midrange.com
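
The following is an added example, not part of the thread and not code from any poster: it compares the SSL Labs suite list with the QSSLCSL list from the original post to show which cipher suites the two sides have in common. The name mapping in `normalize` (IANA `TLS_X_WITH_Y` equals IBM i `*X_Y`) is an assumption, and both lists are constructed from the text quoted above with wrapped lines rejoined.

```python
# Constructed from the lists quoted in the original post (wrapped lines rejoined).
SSLLABS = """\
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028) ECDH secp521r1 (eq. 15360 bits RSA) FS WEAK 256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014) ECDH secp521r1 (eq. 15360 bits RSA) FS WEAK 256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027) ECDH secp521r1 (eq. 15360 bits RSA) FS WEAK 128
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013) ECDH secp521r1 (eq. 15360 bits RSA) FS WEAK 128
TLS_RSA_WITH_AES_256_CBC_SHA256 (0x3d) WEAK 256
TLS_RSA_WITH_AES_256_CBC_SHA (0x35) WEAK 256
TLS_RSA_WITH_AES_128_CBC_SHA256 (0x3c) WEAK 128
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f) WEAK 128
TLS_RSA_WITH_RC4_128_SHA (0x5) INSECURE 128
TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa) WEAK 112
"""
QSSLCSL = """\
*AES_128_GCM_SHA256 *AES_256_GCM_SHA384 *CHACHA20_POLY1305_SHA256
*ECDHE_ECDSA_AES_128_GCM_SHA256 *ECDHE_ECDSA_AES_256_GCM_SHA384
*ECDHE_RSA_AES_128_GCM_SHA256 *ECDHE_RSA_AES_256_GCM_SHA384
*ECDHE_ECDSA_AES_256_CBC_SHA384 *RSA_3DES_EDE_CBC_SHA *RSA_AES_128_CBC_SHA
"""

def normalize(name):
    """Assumed mapping: IANA 'TLS_X_WITH_Y' and IBM i '*X_Y' name the same suite."""
    name = name.lstrip("*")
    if name.startswith("TLS_"):
        name = name[4:]
    return name.replace("_WITH_", "_")

def parse_ssllabs(text):
    """Return {normalized suite: {'fs': bool, 'rating': str}} from SSL Labs lines."""
    suites = {}
    for line in text.splitlines():
        tok = line.split()
        if not tok or not tok[0].startswith("TLS_"):
            continue  # skip anything that is not a suite line
        rating = next((t for t in tok if t in ("WEAK", "INSECURE")), "OK")
        suites[normalize(tok[0])] = {"fs": "FS" in tok, "rating": rating}
    return suites

def compare(report, csl):
    """Shared suites in client preference order, plus each side's leftovers."""
    server = parse_ssllabs(report)
    client = [normalize(n) for n in csl.split()]
    shared = [(n, server[n]["fs"], server[n]["rating"]) for n in client if n in server]
    client_only = [n for n in client if n not in server]
    server_only = [n for n in server if n not in client]
    return shared, client_only, server_only

if __name__ == "__main__":
    shared, client_only, server_only = compare(SSLLABS, QSSLCSL)
    for name, fs, rating in shared:
        print(f"shared: {name} forward_secrecy={fs} ssllabs={rating}")
    print(f"{len(client_only)} only in QSSLCSL, {len(server_only)} only on server")
```

On the posted lists the overlap is the last two QSSLCSL entries, both RSA key exchange with CBC and neither marked FS by SSL Labs; the comparison is by name only and says nothing about certificates, SNI or protocol negotiation.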


This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].
