1.  Home
  2. MIDRANGE-L
  3. August 2016

RE: (GSKit) No compatible cipher suite available between SSL end points.

Don,

Below are my notes, disabling SSLv2, SSLv3, TLSV1.

IBM has released two PTFs to resolve SSL client issues, MF60335, SI57332

http://www-01.ibm.com/support/docview.wss?uid=nas35a3400efeeb413d086257e7e007eb665
http://www-01.ibm.com/support/docview.wss?uid=nas24e5145dca463e43586257e6f003c6da7

http://www-912.ibm.com/a_dir/as4ptf.nsf/b3cb9d42f672b70f86256739004afa0f/9d8f3c581309ec3886257e7e007eb678?OpenDocument
http://www-01.ibm.com/support/docview.wss?uid=nas22105ec3f6fa1476986257e74003c6ed6

Applied to both Production and R&D LPAR, issue resolved.

Make sure you run the special instructions SST Advanced Analysis SSLCONFIG MACRO. !!!!!!
1. Open a character-based interface.
2. On the command line, type STRSST.
3. Type your service tools user name and password.
4. Select option 1 (Start a service tool).
5. Select option 4 (Display/Alter/Dump).
6. Select option 1 (Display/Alter storage).
7. Select option 2 (Licensed Internal Code (LIC) data).
8. Select option 14 (Advanced analysis).
9. Select option 1 (SSLCONFIG).
10. Enter -h
-eligibleDefaultProtocols:10,08,04 or as needed.

If your iSeries is a client, get these two PTFs installed ASAP.

Note:!!!!!!
Not only was my SSL client connection issue resolved, but other apps previously connecting at TLSv1 are now connecting at TLSv1.2 or TLSv1.1.
Also, another app previously connecting TLSv1.0 using RC4 weak cipher now connecting at TLSv1.2 with TLS_RSA_WITH_AES_128_CBC_SHA2

Paul

-----Original Message-----
From: MIDRANGE-L [mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of Don Brown
Sent: Thursday, August 18, 2016 1:52 AM
To: Midrange Systems Technical Discussion
Subject: (GSKit) No compatible cipher suite available between SSL end points.

Hi All,

I really thought I could sort this out without help but ...

Would really appreciate any suggestions.

We are on V7R1 and fairly up to date on PTF's

I have updated system value QSSLPCL to have the following values;
*TLSV1.2
*TLSV1.1
*TLSV1
*SSLV3

I have updated to HTTPAPI V1.32

A secure gateway we use has advised they are updating their security - they advised ...

• The SSL security certificate version will be upgraded to SHA-256 hashing algorithm • Only Transport Layer 1.1 and 1.2 protocols to be accepted. (any previous versions will not be accepted) • Updates to accepted Ciphers:
AES256-GCM-SHA384:
AES128-GCM-SHA256:
ECDHE-RSA-AES256-GCM-SHA384:
ECDHE-RSA-AES128-GCM-SHA256:
ECDHE-RSA-AES256-SHA384:
ECDHE-RSA-AES256-CBC-SHA:
ECDHE-RSA-AES128-SHA256:
ECDHE-RSA-AES128-CBC-SHA

I have exported the Root and intermediate certificates from the site and loaded into DCM successfully

The debug.txt shows the error.

HTTPAPI Ver 1.32 released 2016-02-10
NTLM Ver 1.4.0 released 2014-12-22
OS/400 Ver V7R1M0

http_persist_open(): entered
http_long_ParseURL(): entered
DNS resolver retrans: 2
DNS resolver retry : 2
DNS resolver options: x'00000136'
DNS default domain: MSD.local
DNS server found: 10.1.1.31
DNS server found: 139.130.4.4
Nagle's algorithm (TCP_NODELAY) disabled.
SNI hostname set to: test.securepay.com.au
(GSKit) No compatible cipher suite available between SSL end points.
ssl_error(402): (GSKit) No compatible cipher suite available between SSL end points.
SetError() #30: SSL Handshake: (GSKit) No compatible cipher suite available between SSL end poin

The list of cyphers does not match the knowledge centre reference for 7.1
- I have
*RSA_AES_128_CBC_SHA256
*RSA_AES_128_CBC_SHA
*RSA_RC4_128_SHA
*RSA_RC4_128_MD5
*RSA_AES_256_CBC_SHA256
*RSA_AES_256_CBC_SHA
*RSA_3DES_EDE_CBC_SHA
*RSA_DES_CBC_SHA
*RSA_EXPORT_RC4_40_MD5
*RSA_EXPORT_RC2_CBC_40_MD5
*RSA_NULL_SHA256
*RSA_NULL_SHA
*RSA_NULL_MD5


Thank you for any assistance

Don Brown

--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list To post a message email: MIDRANGE-L@xxxxxxxxxxxx To subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx Before posting, please take a moment to review the archives at http://archive.midrange.com/midrange-l.

Please contact support@xxxxxxxxxxxx for any subscription related questions.

As an Amazon Associate we earn from qualifying purchases.

This thread ...
Follow-Ups:
Replies:
Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.