IBM is stating that TLS 1.2 cipher RSA_AES_128_GCM_SHA256 is safe and secure, can be used.
According to site ciphersuite.info it is weak, should be removed.
https://ciphersuite.info/search/?q=RSA_AES_128_GCM_SHA256
One of our main apps uses this cipher.
Our IT folks are asking I remove it, IBM states its ok.
How does one deal with conflicting statements regarding ciphers?
Paul
-----Original Message-----
From: MIDRANGE-L <midrange-l-bounces@xxxxxxxxxxxxxxxxxx> On Behalf Of Rob Berendt
Sent: Friday, January 21, 2022 4:04 PM
To: Midrange Systems Technical Discussion <midrange-l@xxxxxxxxxxxxxxxxxx>
Subject: RE: SSL connection issues, cipher questions
Any chance your traces did not cover the time when this connection would have been made?
Rob Berendt
--
IBM Certified System Administrator - IBM i 6.1 Group Dekko Dept 1600 Mail to: 7310 Innovation Blvd, Suite 104
Ft. Wayne, IN 46818
Ship to: 7310 Innovation Blvd, Dock 9C
Ft. Wayne, IN 46818
https://smex-ctp.trendmicro.com:443/wis/clicktime/v1/query?url=http%3a%2f%2fwww.dekko.com&umid=aca71252-4467-433c-9232-52b357e2b634&auth=438b0784514c1757bd202125ca4db8b0abdb021e-ea50916fdc5daefdf70bcae2e06f4f9669226421
-----Original Message-----
From: MIDRANGE-L <midrange-l-bounces@xxxxxxxxxxxxxxxxxx> On Behalf Of Steinmetz, Paul via MIDRANGE-L
Sent: Friday, January 21, 2022 3:20 PM
To: Midrange Systems Technical Discussion <midrange-l@xxxxxxxxxxxxxxxxxx>
Cc: Steinmetz, Paul <PSteinmetz@xxxxxxxxxx>
Subject: SSL connection issues, cipher questions
CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you recognize the sender and know the content is safe.
Our Network folks made SSL changes to a firewall.
PCI standards recommend using TLS 1.2 or higher. Per PCI DSS compliance and results from previous penetration test, it is recommended to disable TLS v1.1 due to deprecation and enable v1.3. Weak ciphers for TLS v1.2 were discovered during the penetration test and will be removed.
Below weak ciphers were removed, confirmed from*SCKSSL trace none of these are being used..
ECDHE_ECDSA_AES256_GCM_SHA384
ECDHE_ECDSA_AES128_GCM_SHA256
ECDHE_ECDSA_AES256_SHA384
ECDHE_ECDSA_AES128_SHA256
ECDHE_RSA_AES128_SHA256
AES256_GCM_SHA384
AES128_GCM_SHA256
AES256_SHA384
AESS128_SHA256
ECDHE_ECDSA_AES256_SHA
ECDHE_RSA_AES256_SHA
ECDHE_ECDSA_DES_CBC3_SHA
ECDHE_RSA_DES_CBC3_SHA
ECDHE_ECDSA_AES128_SHA
ECDHE_RSA_AES128_SHA
AES256_SHA
DHE_RSA_AES256_SHA256
DHE_RSA_AES256_SHA
DHE_RSA_CAMELLIA256_SHA256
DHE_RSA_AES128_SHA256
DHE_RSA_AES128_SHA
DHE_RSA_CAMELLIA128_SHA
EDH_RSA_DES_CBC3_SHA
CAMELLIA256_SHA
DES_CBC3_SHA
AES128_SHA
CAMELLIA128_SHA
TLS_AES_256_GCM_SHA384
TLS_CHACHA20_POLY1305_SHA256
TLS_AES_128_GCM_SHA256
An application not using any of these ciphers would no longer would connect.
Below is the output from an *SCKSSL trace, showing the protocol and cipher used.
TLSV1.2 ECDHE_RSA_WITH_AES_256_GCM_SHA384 10.5.23.5 10.5.206.26
Any ideas on why this application failed. Based on the traces, it still should have worked.
V7R3 latest CUME and most groups
Thank You
_____
Paul Steinmetz
IBM I Power9 Administrator
Pencor Digital Services
Pencor Services, Inc.
462 Delaware Ave
Palmerton Pa 18071
610-826-9117 Work
610-826-9188 Fax
610-349-0913 Cell
610-377-6012 Home
--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list
To post a message email: MIDRANGE-L@xxxxxxxxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit:
https://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxxxxxxxx
Before posting, please take a moment to review the archives
at
https://archive.midrange.com/midrange-l.
Please contact support@xxxxxxxxxxxxxxxxxxxx for any subscription related questions.
Help support midrange.com by shopping at amazon.com with our affiliate link:
https://amazon.midrange.com
midrange.com
