Re: 5250 SSL issue after latest PTF -- MIDRANGE-L

I understand. What I meant is that a PTF enabling TLSv1.3 shouldn't
interfere with anything. They should gracefully negotiate down to what they
do handle. As always not everything works as expected...
In any case it is good to know of these problems so as to avoid them (I do
have a customer that just enabled TLSv1.2 and I mentioned that as soons he
installs the latest PTF he could enable 1.3 as well, so I will warn them to
test before keeping 1.3 enabled).
Thanks

On Thu, Jul 30, 2020 at 2:32 PM Steinmetz, Paul <PSteinmetz@xxxxxxxxxx>
wrote:

Roberto,

The fix is removing TLSv1.3 as the default, TLSv1.2 will now be the
default. Some hardware/software in the equation is not handling TLSv1.3.

This worked for us.

Paul

*From:* Roberto José Etcheverry Romero <yggdrasil.raiker@xxxxxxxxx>
*Sent:* Thursday, July 30, 2020 12:11 PM
*To:* Midrange Systems Technical Discussion <midrange-l@xxxxxxxxxxxxxxxxxx

*Cc:* Steinmetz, Paul <PSteinmetz@xxxxxxxxxx>
*Subject:* Re: 5250 SSL issue after latest PTF

------------------------------

CAUTION: This email originated from outside of the PENCOR network. Do not
click on any links or open attachments unless the sender is known, and the
content is verified as safe.
------------------------------

Paul,

If the fix is only adding protocols and ciphers, why would it be a
problem? AFAIK most if not all programs do a handshake and compare
compatible protocols/ciphers until they figure out what to use.

Roberto

On Thu, Jul 30, 2020 at 12:54 PM Steinmetz, Paul via MIDRANGE-L <
midrange-l@xxxxxxxxxxxxxxxxxx> wrote:

I had other SSL issues related to latest PTFs.

TLSv1.3 enabled by default with latest PTFs.
Disable TLSv1.3

QSSLCSLCTL will be changed from *OPSYS to *USRDFN

QSSLPCL will be changed from *OPSYS to

:*TLSV1.2
*TLSV1.1
*TLSV1

TLSV1.3 ciphers also have to be removed from QSSLCSL
*AES_128_GCM_SHA256
*AES_256_GCM_SHA384
*CHACHA20_POLY1305_SHA256
*ECDHE_ECDSA_CHACHA20_POLY1305_SHA256
*ECDHE_RSA_CHACHA20_POLY1305_SHA256

Paul

-----Original Message-----
From: MIDRANGE-L <midrange-l-bounces@xxxxxxxxxxxxxxxxxx> On Behalf Of
kannan r
Sent: Thursday, July 30, 2020 11:48 AM
To: midrange-l@xxxxxxxxxxxxxxxxxx
Subject: 5250 SSL issue after latest PTF

________________________________
CAUTION: This email originated from outside of the PENCOR network. Do not
click on any links or open attachments unless the sender is known, and the
content is verified as safe.
________________________________

Hi,

IBM I Access 5250 is not working after the latest PTF. Its throwing SSL
error "CWBCO1034 - SSL error, function returned 25202" when connecting via
port 992.
Normal port 23 is working fine. And via 992 port in ACS is working fine.

Any suggestions.

Thanks,
Kannan.
--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing
list To post a message email: MIDRANGE-L@xxxxxxxxxxxxxxxxxx To subscribe,
unsubscribe, or change list options,
visit: https://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxxxxxxxx
Before posting, please take a moment to review the archives at
https://archive.midrange.com/midrange-l.

Please contact support@xxxxxxxxxxxxxxxxxxxx for any subscription related
questions.

Help support midrange.com by shopping at amazon.com with our affiliate
link: https://amazon.midrange.com
--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list
To post a message email: MIDRANGE-L@xxxxxxxxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: https://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxxxxxxxx
Before posting, please take a moment to review the archives
at https://archive.midrange.com/midrange-l.

Please contact support@xxxxxxxxxxxxxxxxxxxx for any subscription related
questions.

Help support midrange.com by shopping at amazon.com with our affiliate
link: https://amazon.midrange.com