1.  Home
  2. MIDRANGE-L
  3. March 2015

Re: Confirming SSLv2 and SSLv3 usage, disabling

On 24-Mar-2015 09:44 -0500, Steinmetz, Paul wrote:
On Tuesday, March 24, 2015 10:35 AM AHoerle wrote:

Yes, you will want to change the QSSLCLS system value. Here's what
I am using now on my 7.1 systems to eliminate SSLv3 and the reduce
the number of allowed Ciphers for my servers:

System value: QSSLCSL
Description: Secure sockets layer cipher specification list
Sequence Cipher
number Suite
0
10 *RSA_AES_256_CBC_SHA256
20 *RSA_AES_128_CBC_SHA256
30 *RSA_AES_128_CBC_SHA
40 *RSA_AES_256_CBC_SHA
50 *RSA_3DES_EDE_CBC_SHA
60 *RSA_DES_CBC_SHA

System value . . . . . : QSSLCSLCTL
Description . . . . . : Secure sockets layer cipher control
Cipher control . . . . : *USRDFN *OPSYS, *USRDFN

System value . . . . . : QSSLPCL
Description . . . . . : Secure sockets layer protocols
Protocols
*TLSV1
*TLSV1.1
*TLSV1.2


Isn't the QSSLCSL system value maintained by PTFs?

Below are my current system values.

System value: QSSLCSL
Description: Secure sockets layer cipher specification list
Sequence Cipher
number Suite
0
10 *RSA_AES_128_CBC_SHA
20 *RSA_RC4_128_SHA
30 *RSA_RC4_128_MD5
40 *RSA_AES_256_CBC_SHA
50 *RSA_3DES_EDE_CBC_SHA
60 *RSA_DES_CBC_SHA
70 *RSA_EXPORT_RC4_40_MD5
80 *RSA_EXPORT_RC2_CBC_40_MD5
90 *RSA_NULL_SHA
100 *RSA_NULL_MD5

System value . . . . . : QSSLCSLCTL
Description . . . . . : Secure sockets layer cipher control
Cipher control . . . . : *OPSYS *OPSYS, *USRDFN

System value . . . . . : QSSLPCL
Description . . . . . : Secure sockets layer protocols
Protocols
*OPSYS


The /control/ of the value(s) for the System Value QSSLCSL is *either* the OS or the User; while the control is in the domain of the OS, the System Value QSSLCSL is _read-only_. The Secure Sockets Layer Cipher Specification List Control (QSSLCSLCTL) System Value allows overriding the OS-controlled list of "Cipher Suite" values [defined by the Secure Sockets Layer Cipher Specification List (QSSLCSL) System Value] with a User-controlled list [thus making the System Value QSSLCSL change-capable rather than read-only], per the specification of *USRDFN that denotes the /control/ is User-Defined (*USRDFN) instead of System-Defined (*OPSYS).

<http://www.ibm.com/support/knowledgecenter/api/content/ssw_ibm_i_71/rzakz/rzakzqsslcslctl.htm>
_Security system values: Secure Sockets Layer cipher control_
"The Secure Sockets Layer cipher control system value is also known as QSSLCSLCTL. You can use this system value to specify whether the system or a user controls the Secure Sockets Layer cipher specification list (QSSLCSL) system value.
...

_Use system-defined_ (*OPSYS)

• The Secure Sockets Layer cipher specification list (QSSLCSL) system value is read-only. Its values are automatically modified to contain the list of cipher suites supported by the System SSL. If you use this option, the QSSLCSL system value is automatically updated with new cipher suite capabilities when you install or upgrade to a future release of the operating system.

_Use user-defined_ (*USRDFN)

• The QSSLCSL system value is editable. If you use this option, additional cipher suite capabilities are not added automatically when you move to a future release of the operating system. You have to determine if any new cipher suites are available and manually add the new cipher suites to the QSSLCSL system value if you want the System SSL to support them. "


As an Amazon Associate we earn from qualifying purchases.

This thread ...
Replies:
Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2025 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.