Thanks Paul, I will give this a shot and look at the raw trace spool file first. Then I might come back looking for source for SSLLOG.
-----Original Message-----
From: MIDRANGE-L [mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of Steinmetz, Paul
Sent: Thursday, October 22, 2015 8:34 AM
To: 'Midrange Systems Technical Discussion' <midrange-l@xxxxxxxxxxxx>
Subject: RE: Looking for TLS 1.0 connections
Mike,
I use TRCINT *SCKSSL.
See doc
http://www-01.ibm.com/support/docview.wss?uid=nas8N1020594
Java related jobs excluded.
TRCINT SET(*ON) TRCTBL('SSL-1700x') SIZE(512 *MB) TRCFULL(*STOPTRC) TRCTYPE(*SCKSSL) SLTTRCPNT((17000 17009))
TRCINT SET(*OFF) TRCTBL('SSL-1700X') OUTPUT(*PRINT)
I've enhanced the output by creating a PF and loading it from the output of the trace.
SSLVER   CIPHER                         LIP         RIP           DNSNAM
TLSV1.2  TLS_RSA_WITH_AES_256_CBC_SHA2  10.X.XX.X   10.X.XXX.XX1  psirockatst01.pencor.com
TLSV1.0  TLS_RSA_WITH_AES_128_CBC_SHA   10.X.X.XXX  10.X.XX.XX    psisystems02.pencor.com

SSLDAT  SSLDAT  A   8    1
SSLTIM  SSLTIM  A  15    9
SSLVER  SSLVER  A  10   24
CIPHER  CIPHER  A  30   34
LPORT   LPORT   A   5   64
LIP     LIP     A  30   69
RPORT   RPORT   A   5   99
RIP     RIP     A  30  104
JOBNAM  JOBNAM  A  10  134
JOBUSR  JOBUSR  A  10  144
JOBNUM  JOBNUM  A   6  154
I could send you the source if interested offline.
CPYSPLF FILE(QPCSMPRT) TOFILE(QGPL/SSLLOG) SPLNBR(*LAST) MBROPT(*REPLACE) CTLCHAR(*PRTCTL)
CLRPFM FILE(QGPL/SSLPF01)
CALL PGM(SSLLOG)
RUNQRY QRY(SSLLOG2)
RUNQRY QRY(SSLLOG3)
Paul
-----Original Message-----
From: MIDRANGE-L [mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of Mike Cunningham
Sent: Wednesday, October 21, 2015 4:40 PM
To: Midrange Systems Technical Discussion
Subject: Looking for TLS 1.0 connections
We are in the planning stages of turning off TLS 1.0 support for FTP and TELNET on our V7.1 system. We did the research on how to turn it off and that part looks straightforward. We already have the old SSL support turned off. What we are concerned about is what client access clients might be running on older PCs (still running XP or Vista) that are currently connecting using TLS 1.0 because they don't support TLS 1.1 or 1.2. I was looking for a way to try and find out if we have that problem to worry about and if we do, how big of a problem it is. I looked into the Telnet exit point data and it can tell me if the connection is secure or non-secure but it does not appear to have what protocol a secure connection is using. (We have unsecure telnet and ftp turned off completely so I know all current connections are at least TLS 1.0.) Is anyone aware of any way to find out the exact level of TLS a telnet or ftp session is running under?
Mike Cunningham
Pennsylvania College of Technology
--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list To post a message email: MIDRANGE-L@xxxxxxxxxxxx To subscribe, unsubscribe, or change list options,
visit:
http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx Before posting, please take a moment to review the archives at
http://archive.midrange.com/midrange-l.
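
Added example, not part of the thread and not Paul's SSLLOG program: a Python parser that slices records in the field layout listed in his message and counts TLS 1.0 handshakes per remote address and local port. It assumes the physical file has been exported as fixed-width text lines; the sample rows, addresses, job names and date/time formats are constructed, and the function names are hypothetical.

```python
import re
from collections import Counter

# (field, 1-based start, length) as listed in the message; a record ends at column 159.
LAYOUT = [("SSLDAT", 1, 8), ("SSLTIM", 9, 15), ("SSLVER", 24, 10),
          ("CIPHER", 34, 30), ("LPORT", 64, 5), ("LIP", 69, 30),
          ("RPORT", 99, 5), ("RIP", 104, 30), ("JOBNAM", 134, 10),
          ("JOBUSR", 144, 10), ("JOBNUM", 154, 6)]
RECORD_LEN = 159
# Assumption: every data row carries a version shaped like the sample's "TLSV1.2".
VERSION_RE = re.compile(r"^(TLS|SSL)V\d", re.IGNORECASE)

def parse_record(line):
    """Slice one fixed-width record into a dict; return None for headings and blanks."""
    line = line.rstrip("\r\n").ljust(RECORD_LEN)  # exports often drop trailing blanks
    rec = {name: line[start - 1:start - 1 + length].strip()
           for name, start, length in LAYOUT}
    return rec if VERSION_RE.match(rec["SSLVER"]) else None

def legacy_clients(lines, versions=("TLSV1.0",)):
    """Count handshakes per (remote IP, local port, version) for the flagged versions."""
    wanted = {v.upper() for v in versions}
    hits = Counter()
    for line in lines:
        rec = parse_record(line)
        if rec and rec["SSLVER"].upper() in wanted:
            hits[(rec["RIP"], rec["LPORT"], rec["SSLVER"])] += 1
    return sorted(hits.items(), key=lambda kv: (-kv[1], kv[0]))

def make_record(**fields):
    """Build a constructed record in the same layout (sample data only)."""
    return "".join(fields.get(name, "").ljust(length)[:length]
                   for name, _, length in LAYOUT)

# Constructed sample: documentation-range addresses, assumed date/time formats,
# ports 992 (Telnet over TLS) and 990 (FTP over TLS), plus a blank and a heading line.
SAMPLE = [make_record(SSLDAT="10/22/15", SSLTIM="08:15:02.000001", SSLVER=ver,
                      CIPHER=cipher, LPORT=lport, LIP="192.0.2.10", RPORT="50111",
                      RIP=rip, JOBNAM="JOBA", JOBUSR="USERA", JOBNUM="123456").rstrip()
          for ver, cipher, lport, rip in [
              ("TLSV1.2", "TLS_RSA_WITH_AES_256_CBC_SHA2", "992", "198.51.100.7"),
              ("TLSV1.0", "TLS_RSA_WITH_AES_128_CBC_SHA", "992", "198.51.100.23"),
              ("TLSV1.0", "TLS_RSA_WITH_AES_128_CBC_SHA", "992", "198.51.100.23"),
              ("TLSV1.0", "TLS_RSA_WITH_AES_128_CBC_SHA", "990", "198.51.100.40"),
          ]] + ["", make_record(SSLDAT="SSLDAT", SSLTIM="SSLTIM", SSLVER="SSLVER")]

if __name__ == "__main__":
    for (rip, lport, ver), count in legacy_clients(SAMPLE):
        print(f"{ver} from {rip} to local port {lport}: {count} handshake(s)")
```

Grouping by remote address and local port separates the Telnet clients from the FTP clients that would be cut off when TLS 1.0 is disabled.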