× The internal search function is temporarily non-functional. The current search engine is no longer viable and we are researching alternatives.
As a stop gap measure, we are using Google's custom search engine service.
If you know of an easy to use, open source, search engine ... please contact support@midrange.com.


  1.  Home
  2. WEB400
  3. December 2020

Re: TLS 1.2 cypher suites on 7.4 with HTTP API

Brad,

It appears to be strictly a cypher issue, HTTP API reports
2020-11-30-18.33.37.597000: (GSKit) No compatible cipher suite available
between TLS end points.
2020-11-30-18.33.37.597000: ssl_error(402): (GSKit) No compatible cipher
suite available between TLS end points.
2020-11-30-18.33.37.597000: SetError() #30: SSL Handshake: (GSKit) No
compatible cipher suite available between TLS end point

In contrast to the cypher list supported by the server in question (as
reported on the first post)
An SSL check on mail.google.com shows:
# TLS 1.2 (suites in server-preferred order)
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b) ECDH x25519 (eq. 3072
bits RSA) FS 128
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca9) ECDH x25519 (eq.
3072 bits RSA) FS 256P
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c) ECDH x25519 (eq. 3072
bits RSA) FS 256
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009) ECDH x25519 (eq. 3072 bits
RSA) FS WEAK 128
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a) ECDH x25519 (eq. 3072 bits
RSA) FS WEAK 256
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f) ECDH x25519 (eq. 3072 bits
RSA) FS 128
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca8) ECDH x25519 (eq.
3072 bits RSA) FS 256P
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030) ECDH x25519 (eq. 3072 bits
RSA) FS 256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013) ECDH x25519 (eq. 3072 bits
RSA) FS WEAK 128
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014) ECDH x25519 (eq. 3072 bits
RSA) FS WEAK 256
TLS_RSA_WITH_AES_128_GCM_SHA256 (0x9c) WEAK 128
TLS_RSA_WITH_AES_256_GCM_SHA384 (0x9d) WEAK 256
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f) WEAK 128
TLS_RSA_WITH_AES_256_CBC_SHA (0x35) WEAK 256
TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa) WEAK 112

The what's new for 7.4 indicates
"The System TLS enabled cipher specification list no longer contains Triple
Des (3DES), Cipher Block Chaining (CBC), or RSA key exchange ciphers when
the QSSLCSLCTL system value is *OPSYS."

So I guess that's why the "*AES_256_GCM_SHA384" doesn't support
"TLS_RSA_WITH_AES_256_GCM_SHA384"
anymore.

I think we need to enable..
*RSA_AES_256_GCM_SHA384

But I'm hoping somebody with more expertise can confirm that's the best
choice..

Charles


On Fri, Dec 11, 2020 at 12:32 PM Brad Stone <bvstone@xxxxxxxxx> wrote:

Charles,

I've seen cases where if a server has an obsolete cipher in their list,
even if all others match between the two systems the IBM i will still throw
an error for some reason. I've had to manually add ciphers in for certain
projects because of that... kinda stinks.

Then again, I've also seen clients error out if there is a single expired
CA or cert in the certificate store.. even if it's not used by the
application as well. *shrug*

On Fri, Dec 11, 2020 at 12:25 PM Charles Wilt <charles.wilt@xxxxxxxxx>
wrote:

All,

Trying to figure out what (older?) cypher we need to turn on our 7.4 box.

Here's what's supported at the server (according to
https://www.ssllabs.com/ssltest)

Cipher Suites
# TLS 1.2 (server has no preference)
TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa) WEAK 112
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f) WEAK 128
TLS_RSA_WITH_AES_128_CBC_SHA256 (0x3c) WEAK 128
TLS_RSA_WITH_AES_128_GCM_SHA256 (0x9c) WEAK 128
TLS_RSA_WITH_AES_256_CBC_SHA (0x35) WEAK 256
TLS_RSA_WITH_AES_256_CBC_SHA256 (0x3d) WEAK 256
TLS_RSA_WITH_AES_256_GCM_SHA384 (0x9d) WEAK 256

Currently enabled via *OPSYS is showing
*AES_128_GCM_SHA256
*AES_256_GCM_SHA384
*CHACHA20_POLY1305_SHA256
*ECDHE_ECDSA_AES_128_GCM_SHA256
*ECDHE_ECDSA_AES_256_GCM_SHA384
*ECDHE_RSA_AES_128_GCM_SHA256
*ECDHE_RSA_AES_256_GCM_SHA384
*ECDHE_ECDSA_CHACHA20_POLY1305_SHA256
*ECDHE_RSA_CHACHA20_POLY1305_SHA256

I would have thought that the remote server's
TLS_RSA_WITH_AES_256_GCM_SHA384 would have match the IBM's
*AES_256_GCM_SHA384 but apparently not?

Thanks!
Charles
--
This is the Web Enabling the IBM i (AS/400 and iSeries) (WEB400) mailing
list
To post a message email: WEB400@xxxxxxxxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: https://lists.midrange.com/mailman/listinfo/web400
or email: WEB400-request@xxxxxxxxxxxxxxxxxx
Before posting, please take a moment to review the archives
at https://archive.midrange.com/web400.


--
This is the Web Enabling the IBM i (AS/400 and iSeries) (WEB400) mailing
list
To post a message email: WEB400@xxxxxxxxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: https://lists.midrange.com/mailman/listinfo/web400
or email: WEB400-request@xxxxxxxxxxxxxxxxxx
Before posting, please take a moment to review the archives
at https://archive.midrange.com/web400.



As an Amazon Associate we earn from qualifying purchases.

This thread ...
Replies:
Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.