I opened a PMR with IBM.

Learned that each IBM application also needs to have its SSL default settings changed.



Enable Telnet and Host servers

http://www-01.ibm.com/support/docview.wss?uid=nas8N1019971

http://www-01.ibm.com/support/docview.wss?uid=nas8N1020017



At V7R1, all IBM apps use the default; this can be seen via DCM, Update Application Definition.

One example: Application ID QIBM_QTV_TELNET_SERVER has the default settings below, which are all set to *PGM (not sure what V7R1 *PGM is at this point; I'm looking for this documentation, does anyone have it?).

Each app needs to be changed from *PGM and customized for the desired SSL needed.

Each app needs to be recycled for the SSL changes to take effect, which is different from changing the i5/OS system values QSSL*.

At V7R2, *PGM has different defaults, so fewer changes may be needed, if any.


Update Application Definition
Application type: Server
Application ID: QIBM_QTV_TELNET_SERVER
Application description: IBM i TCP/IP Telnet Server
Certificate Assigned: PENCOR0115WCSHA256

Information that can be updated:

SSL protocols: *PGM
  Define protocols supported: TLS 1.2, TLS 1.1, TLS 1.0, SSL 3.0, SSL 2.0

SSL cipher specification options: *PGM
  Define cipher specification list (in order):
    RSA_AES_128_CBC_SHA256
    RSA_AES_128_CBC_SHA
    RSA_AES_256_CBC_SHA256
    RSA_AES_256_CBC_SHA
    RSA_3DES_EDE_CBC_SHA
    RSA_RC4_128_SHA
    RSA_RC4_128_MD5
    RSA_DES_CBC_SHA
    RSA_EXPORT_RC2_CBC_40_MD5
    RSA_EXPORT_RC4_40_MD5
    RSA_NULL_SHA256
    RSA_NULL_SHA
    RSA_NULL_MD5
    RSA_RC2_CBC_128_MD5
    RSA_3DES_EDE_CBC_MD5
    RSA_DES_CBC_MD5

Extended renegotiation critical mode processing: *PGM / Enable / Disable
Server Name Indication (SNI): (blank)
Special indicators: (blank)

(The following information applies when client authentication is enabled)
Client authentication required: Yes / No
Define the CA trust list: Yes / No
Certificate Revocation List (CRL) checking: Yes / No

Online Certificate Status Protocol (OCSP) attributes:
  OCSP URL: *PGM / Disable / Define URL value
  URL value: (blank)
  OCSP Authority Information Access (AIA) processing: *PGM / Enable / Disable

SSL signature algorithms: *PGM
  Define signature algorithms supported (in order):
    RSA_SHA512
    RSA_SHA384
    RSA_SHA256
    RSA_SHA224
    RSA_SHA1
    RSA_MD5

Paul
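The lists above are the program defaults a V7R1 application inherits while its options stay at *PGM. The script below is an added example, not part of the thread or an IBM-supplied tool: it takes the protocol, cipher and signature-algorithm lists exactly as pasted for QIBM_QTV_TELNET_SERVER, applies a "TLS 1.1 and up, no weak suites" policy, and prints what to keep (in a sensible order) and what to drop, along with a warning for any option still at *PGM. The policy markers, the cipher ranking and the audit()/report() functions are assumptions made here for illustration; the suite and algorithm names are the page's own.

```python
"""Audit a DCM application definition's protocol, cipher and signature-algorithm
lists against a 'TLS 1.1 and up, no weak suites' policy.

Added example: the sample lists are the ones pasted in the thread for
QIBM_QTV_TELNET_SERVER; the markers, ranking and functions are hypothetical."""
from dataclasses import dataclass, field

# Protocols the policy accepts: the thread's requirement is TLSv1 and older off.
ALLOWED_PROTOCOLS = {"TLS 1.2", "TLS 1.1"}

# Substrings of IBM cipher-spec names that mark a suite as weak, with a reason.
# Checked in order; the first match wins.
WEAK_CIPHER_MARKERS = [
    ("NULL", "no encryption"),
    ("EXPORT", "export-grade 40-bit key"),
    ("RC4", "RC4 is broken"),
    ("RC2", "RC2 is obsolete"),
    ("3DES", "3DES has a 64-bit block size"),
    ("_DES_", "single DES, 56-bit key"),
    ("_MD5", "MD5-based MAC"),
]
WEAK_SIGALG_MARKERS = [
    ("MD5", "MD5 is broken"),
    ("SHA1", "SHA-1 signatures are deprecated"),
]

# Values as pasted in the thread for the Telnet server (the page's own data).
SAMPLE_PROTOCOLS = ["TLS 1.2", "TLS 1.1", "TLS 1.0", "SSL 3.0", "SSL 2.0"]
SAMPLE_CIPHERS = [
    "RSA_AES_128_CBC_SHA256", "RSA_AES_128_CBC_SHA", "RSA_AES_256_CBC_SHA256",
    "RSA_AES_256_CBC_SHA", "RSA_3DES_EDE_CBC_SHA", "RSA_RC4_128_SHA",
    "RSA_RC4_128_MD5", "RSA_DES_CBC_SHA", "RSA_EXPORT_RC2_CBC_40_MD5",
    "RSA_EXPORT_RC4_40_MD5", "RSA_NULL_SHA256", "RSA_NULL_SHA", "RSA_NULL_MD5",
    "RSA_RC2_CBC_128_MD5", "RSA_3DES_EDE_CBC_MD5", "RSA_DES_CBC_MD5",
]
SAMPLE_SIGALGS = ["RSA_SHA512", "RSA_SHA384", "RSA_SHA256",
                  "RSA_SHA224", "RSA_SHA1", "RSA_MD5"]


@dataclass
class AuditResult:
    warnings: list = field(default_factory=list)
    keep_protocols: list = field(default_factory=list)
    drop_protocols: list = field(default_factory=list)
    keep_ciphers: list = field(default_factory=list)
    drop_ciphers: dict = field(default_factory=dict)   # name -> reason
    keep_sigalgs: list = field(default_factory=list)
    drop_sigalgs: dict = field(default_factory=dict)   # name -> reason


def weak_reason(name, markers):
    """Return why a name is weak, or None if it passes the policy."""
    for marker, reason in markers:
        if marker in name:
            return reason
    return None


def cipher_rank(name):
    """Sort key for kept suites: longer symmetric key first, then stronger MAC."""
    key_bits = 256 if "AES_256" in name else 128
    mac_bits = 256 if "SHA256" in name else 160
    return (key_bits, mac_bits)


def audit(protocols, ciphers, sigalgs, option_values=None):
    """option_values maps a DCM option name to its setting. Any option still at
    *PGM is flagged: the application then inherits the program default, and the
    defined lists only take effect once the option is changed and the server is
    recycled (as the thread describes)."""
    result = AuditResult()
    for option, value in (option_values or {}).items():
        if value == "*PGM":
            result.warnings.append(
                f"{option} is *PGM: application inherits the program default; "
                "define the list explicitly and recycle the server")
    for proto in protocols:
        target = result.keep_protocols if proto in ALLOWED_PROTOCOLS else result.drop_protocols
        target.append(proto)
    for suite in ciphers:
        reason = weak_reason(suite, WEAK_CIPHER_MARKERS)
        if reason:
            result.drop_ciphers[suite] = reason
        else:
            result.keep_ciphers.append(suite)
    result.keep_ciphers.sort(key=cipher_rank, reverse=True)
    for alg in sigalgs:
        reason = weak_reason(alg, WEAK_SIGALG_MARKERS)
        if reason:
            result.drop_sigalgs[alg] = reason
        else:
            result.keep_sigalgs.append(alg)
    return result


def report(result):
    """Render the audit as plain text suitable for a change ticket."""
    lines = [f"WARNING: {w}" for w in result.warnings]
    lines.append("Protocols to keep: " + ", ".join(result.keep_protocols))
    lines.append("Protocols to drop: " + ", ".join(result.drop_protocols))
    lines.append("Cipher list to define (in order): " + ", ".join(result.keep_ciphers))
    lines += [f"  drop {c}: {why}" for c, why in result.drop_ciphers.items()]
    lines.append("Signature algorithms to keep: " + ", ".join(result.keep_sigalgs))
    lines += [f"  drop {a}: {why}" for a, why in result.drop_sigalgs.items()]
    return "\n".join(lines)


if __name__ == "__main__":
    options = {"SSL protocols": "*PGM", "SSL cipher specification options": "*PGM"}
    print(report(audit(SAMPLE_PROTOCOLS, SAMPLE_CIPHERS, SAMPLE_SIGALGS, options)))
```

Run against the pasted defaults, only the four AES suites and the SHA-2 signature algorithms survive; everything with NULL, EXPORT, RC4, RC2, DES, 3DES or MD5 in the name is dropped with its reason. The same audit applies to every other IBM application definition in DCM, which is the point of the thread: the system values alone do not change what a server at *PGM negotiates.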



-----Original Message-----
From: MIDRANGE-L [mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of JWGrant@xxxxxxxxxxxxxxx
Sent: Tuesday, June 02, 2015 12:52 PM
To: Midrange Systems Technical Discussion
Subject: RE: Disabling SSL version TLSV1 - only allowing TLSV1.1 and TLSV1.2



We have been working on this issue with our LPARs for several weeks now.

As you discovered, you need to be careful just changing the system values to limit to TLS V1.1 and higher, as you will break secure Telnet.

You can, through a combination of system values, set the ciphers supported to values that support the lower secure TLSv1 for Telnet, but then override to only support higher secure protocols for web servers through the use of Apache directives (don't attempt to override the SSL protocol in DCM for Apache web servers as it does not work; these must be done in the Apache directives).

However, you also then need to evaluate the browsers. Modern browsers like Safari, Chrome and Firefox (at current levels) have no issues, but Internet Explorer can be problematic. IE8 and IE9 can support TLS, but not right out of the box (Windows patches are required). IE10 out of the box supports TLS 1.2, but it is not enabled by default; you need to turn on ssl 1.2 in the settings.

If you are on IBM i V7R1 TR6 or higher you should be okay.



Jim



Jim W Grant

Web: www.pdpgroupinc.com<http://www.pdpgroupinc.com>









From: Phil McCullough <Phil.McCullough@xxxxxxxx>
To: "'Midrange Systems Technical Discussion'" <midrange-l@xxxxxxxxxxxx>
Date: 06/02/2015 11:35 AM
Subject: RE: Disabling SSL version TLSV1 - only allowing TLSV1.1 and TLSV1.2
Sent by: "MIDRANGE-L" <midrange-l-bounces@xxxxxxxxxxxx>







Hey,

Can you help me with some Microsoft licensing questions?

Thanks

Phil



-----Original Message-----
From: Matt Olson [mailto:Matt.Olson@xxxxxxxx]
Sent: Tuesday, June 02, 2015 8:58 AM
To: Midrange Systems Technical Discussion
Subject: RE: Disabling SSL version TLSV1 - only allowing TLSV1.1 and TLSV1.2



If you follow this guide you will be golden with TLS and a bunch more important security items:

Linux flavors:

https://sethvargo.com/getting-an-a-plus-on-qualys-ssl-labs-tester/

Windows:

https://scotthelme.co.uk/getting-an-a-on-the-qualys-ssl-test-windows-edition/

More info on Windows:

http://www.dotnetnoob.com/2013/10/hardening-windows-server-20082012-and.html









-----Original Message-----
From: Steinmetz, Paul [mailto:PSteinmetz@xxxxxxxxxx]
Sent: Tuesday, June 02, 2015 8:36 AM
To: 'Midrange Systems Technical Discussion'
Subject: Disabling SSL version TLSV1 - only allowing TLSV1.1 and TLSV1.2



To all,

I was just informed that *TLSV1 no longer passes PCI compliance and must also be disabled.
Every one of my SSL connections is TLSV1.
Has anyone disabled TLSV1 and only left TLSV1.1 and TLSV1.2 enabled?

Our IT staff informed me that most of our remote servers and applications may need a combination of OS upgrades, application upgrades, and/or application default changes.

I disabled TLSV1 on my playground LPAR, and my PC would no longer connect via SSL with Client Access.

This is looking very ugly.

I'm looking for some good SSL links for various OSes (i5OS, Windows, CentOS) and application links also.



Thank You
_____
Paul Steinmetz
IBM i Systems Administrator

Pencor Services, Inc.
462 Delaware Ave
Palmerton Pa 18071

610-826-9117 work
610-826-9188 fax
610-349-0913 cell
610-377-6012 home

psteinmetz@xxxxxxxxxx
http://www.pencor.com/





--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list
To post a message email: MIDRANGE-L@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives at http://archive.midrange.com/midrange-l.




