This should be using TLS1.2 protocol.
-----Original Message-----
From: MIDRANGE-L <midrange-l-bounces@xxxxxxxxxxxxxxxxxx> On Behalf Of Rob Berendt
Sent: Thursday, March 31, 2022 9:03 AM
To: midrange400 midrange400 midrange400 <midrange-l@xxxxxxxxxxxxxxxxxx>
Subject: Relationship between SSL protocols and cipher specification list.
Let's avoid the irrelevant tangent that SSL is obsolete and TLS is current as the system values use SSL in their names, ok?
As much as I'd like to just use values like *OPSYS for some of these values and stay on the latest and most current I have this one customer who lags behind. We're trying to encourage them so let's avoid the tangents of why I shouldn't be doing this.
This customer is using the cipher *ECDHE_RSA_AES_256_CBC_SHA384 What we have is working, except when we switch over to the H/A machine. So I'm trying to piece together the primary and the backup lpars while still trying to use the most current on both with the exception of providing support for this one customer.
In order to support this cipher what protocol do I need to allow to support it? Will upgrading QSSLPCL from *TLSV1.2, *TLSV1.1, *TLSV1 to *TLSV1.3, *TLSV1.2 work or do I need to add one of the following also: *TLSV1.1, *TLSV1? If so, which one?
I know I have some SST stuff to do, like modifying TLSCONFIG as per
https://www.ibm.com/support/pages/configuring-your-ibm-i-system-secure-sockets-layer-ssltransport-layer-security-tls-protocols-and-cipher-suites
Part of this SST stuff makes me think that I really don't need *TLSV1.1 nor *TLSV1 in QSSLPCL as I show this in TLSCONFIG:
TLS Eligible Default Protocol List . . : TLSv1.3
TLSv1.2 TLS Default Protocol List. . . . . . . : TLSv1.2
TLS Eligible Default Cipher Suites . . : YF,YG,YB,YC,YD,YE,YH,YA,Y8,YI,YJ
AES_128_GCM_SHA256
AES_256_GCM_SHA384
ECDHE_ECDSA_AES_128_GCM_SHA256*
ECDHE_ECDSA_AES_256_GCM_SHA384*
ECDHE_RSA_AES_128_GCM_SHA256*
ECDHE_RSA_AES_256_GCM_SHA384*
CHACHA20_POLY1305_SHA256*
ECDHE_RSA_AES_256_CBC_SHA384*
ECDHE_ECDSA_AES_256_CBC_SHA384*
ECDHE_ECDSA_CHACHA20_POLY1305_SHA256*
ECDHE_RSA_CHACHA20_POLY1305_SHA256*
TLS Default Cipher Suite List. . . . . : ECDHE_ECDSA_AES_128_GCM_SHA256*
ECDHE_ECDSA_AES_256_GCM_SHA384*
ECDHE_RSA_AES_128_GCM_SHA256*
ECDHE_RSA_AES_256_GCM_SHA384*
ECDHE_RSA_AES_256_CBC_SHA384*
ECDHE_ECDSA_AES_256_CBC_SHA384*
Rob Berendt
--
IBM Certified System Administrator - IBM i 6.1 Group Dekko Dept 1600 Mail to: 7310 Innovation Blvd, Suite 104
Ft. Wayne, IN 46818
Ship to: 7310 Innovation Blvd, Dock 9C
Ft. Wayne, IN 46818
http://www.dekko.com
--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list To post a message email: MIDRANGE-L@xxxxxxxxxxxxxxxxxx To subscribe, unsubscribe, or change list options,
visit:
https://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxxxxxxxx
Before posting, please take a moment to review the archives at
https://archive.midrange.com/midrange-l.
Please contact support@xxxxxxxxxxxxxxxxxxxx for any subscription related questions.
Help support midrange.com by shopping at amazon.com with our affiliate link:
https://amazon.midrange.com
As an Amazon Associate we earn from qualifying purchases.