I dug more into the issue. It was actually an application I have set up
for a customer to use my V7R3 server and an SSL proxy.

Request comes to my system from the CC portal site, I forward the response
back to my customer. It's because they are on V7R1 (updating in a couple
months) and the CC company won't deal with TLS 1.0 and old ciphers.

So, it wasn't the CC server that had the issue (which I first thought), it
was communicating with the old server that uses TLS 1.0. Once I removed
the ciphers, there was no possible negotiation and it failed. I verified
this with www.ssllabs.com and my customer's URL that I'm making a request
back to.

Changing QSSLCSLCTL back to *OPSYS restored all the ciphers and things
worked with a retry.

Bradley V. Stone
www.bvstools.com
MAILTOOL Benefit #13 <https://www.bvstools.com/mailtool.html>: The ability
to use an IFS stream file as the body of the email (either text or html).

On Mon, Jan 29, 2018 at 4:23 PM, Charles Wilt <charles.wilt@xxxxxxxxx>
wrote:

I've used https://ssldecoder.org

To see what a site supports...

Charles

On Mon, Jan 29, 2018 at 2:34 PM, Rob Berendt <rob@xxxxxxxxx> wrote:

In general I'm still a babe in the woods when it comes to SSL.
Is there some way to query their site to see what ciphers they support?
Do you need to update the key you exchange with them to a cipher in the
new list?


Rob Berendt
--
IBM Certified System Administrator - IBM i 6.1
Group Dekko
Dept 1600
Mail to: 2505 Dekko Drive
Garrett, IN 46738
Ship to: Dock 108
6928N 400E
Kendallville, IN 46755
http://www.dekko.com





From: Bradley Stone <bvstone@xxxxxxxxx>
To: Midrange Systems Technical Discussion <midrange-l@xxxxxxxxxxxx>
Date: 01/29/2018 03:47 PM
Subject: Re: PTF MF64534 for ROBOT TLS Vulnerability...
Sent by: "MIDRANGE-L" <midrange-l-bounces@xxxxxxxxxxxx>



And now I can also verify that changing it is a BAD idea as well.

The minute I did, some of the SSL client requests to cc payment portals
started failing. They must be using these "bad" ciphers.

I'm sure I should have known that would have happened as well. Just
putting this out there for those that may think about changing it.

Bradley V. Stone
www.bvstools.com
MAILTOOL Benefit #22 <https://www.bvstools.com/mailtool.html>: Cost
starting at under $300 a year per partition!

On Mon, Jan 29, 2018 at 2:12 PM, Bradley Stone <bvstone@xxxxxxxxx>
wrote:

Cool! I missed that memo/doc. I love you dude, errr... Rob! :)
*HUGS*

Bradley V. Stone
www.bvstools.com
GreenTools for G Suite/Google Apps <https://www.bvstools.com/g4g.html>:
Easy to use interfaces for GMail, Google Drive, Calendar, Contacts and
Cloud Print!

On Mon, Jan 29, 2018 at 1:12 PM, Rob Berendt <rob@xxxxxxxxx> wrote:

Um, dude, you are on V7R3 now. I don't think you need to mess with
STRSST
values to do WRKSYSVAL QSSLCSL*.


Rob Berendt
--
IBM Certified System Administrator - IBM i 6.1
Group Dekko
Dept 1600
Mail to: 2505 Dekko Drive
Garrett, IN 46738
Ship to: Dock 108
6928N 400E
Kendallville, IN 46755
http://www.dekko.com





From: Bradley Stone <bvstone@xxxxxxxxx>
To: Midrange Systems Technical Discussion <midrange-l@xxxxxxxxxxxx>
Date: 01/29/2018 02:00 PM
Subject: Re: PTF MF64534 for ROBOT TLS Vulnerability...
Sent by: "MIDRANGE-L" <midrange-l-bounces@xxxxxxxxxxxx>



Ah, no biggie. Rob already seems to have confirmed that I'll still need to
use SSLCONFIG if I want to disable the ciphers.

Although, as I asked in my original email, I don't see how you're going to
fit all this on the 2 lines they give you if I choose to go that route:

-eligibleDefaultCipherSuites
ECDHE_ECDSA_AES_128_GCM_SHA256,ECDHE_ECDSA_AES_256_GCM_SHA384,
RSA_AES_128_GCM_SHA256,RSA_AES_256_GCM_SHA384,RSA_AES_128_CBC_SHA256,
RSA_AES_128_CBC_SHA,RSA_AES_256_CBC_SHA256

Bradley V. Stone
www.bvstools.com
GreenTools for PayPal <https://www.bvstools.com/g4pp.html>: Easily send
PayPal invoices from your IBM i applications using RPG ILE! Process
refunds, get account balances and more!

On Mon, Jan 29, 2018 at 12:55 PM, DrFranken <midrange@xxxxxxxxxxxx>
wrote:

Chances are when you did the apply most likely as part of either option 8
or INSPTF you chose delayed. The PTF didn't require it but now it's set for
IPL apply.

I think you can RMVPTF to reset the flag and then APYPTF with delayed NO.
But I haven't done that in a while....


- Larry "DrFranken" Bolhuis

www.Frankeni.com
www.iDevCloud.com - Personal Development IBM i timeshare service.
www.iInTheCloud.com - Commercial IBM i Cloud Hosting.

On 1/29/2018 1:28 PM, Bradley Stone wrote:

       PTF                      IPL
Opt    ID        Status         Action
       MF64534   Not applied    Yes       <-------------

I was just looking at this.

And this:

Message . . . . : PTF 5770999-MF64534 V7R3M0 not applied.

Cause . . . . . : Licensed Internal Code fix 5770999-MF64534 V7R3M0 has an
initial program load (IPL) action set.

Recovery . . . : Use the Display PTF (DSPPTF) command to determine the IPL
action. Reset the IPL action before you try to apply the PTF again.



I didn't see any pre/co requisite PTFs listed.

Bradley V. Stone
www.bvstools.com
GreenTools for Microsoft Apps <https://www.bvstools.com/g4ms.html>: Easy to
use interfaces for sending and receiving Email as well as OneDrive!

--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list
To post a message email: MIDRANGE-L@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: https://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives
at https://archive.midrange.com/midrange-l.

Please contact support@xxxxxxxxxxxx for any subscription related
questions.

Help support midrange.com by shopping at amazon.com with our affiliate
link: http://amzn.to/2dEadiD
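
Added example, not part of the thread and not IBM's or any poster's code: a pre-change check that models whether each endpoint you talk to can still negotiate once the local suite list is cut down to the -eligibleDefaultCipherSuites list quoted above. The peer inventory, the peer names and the local protocol list are constructed assumptions; the negotiation is simplified to "highest shared protocol, then first suite in local order".

```python
# Added example: model of a pre-change check, not IBM or list-member code.
# Suite names are the ones in the -eligibleDefaultCipherSuites list in the thread.
RESTRICTED = [
    "ECDHE_ECDSA_AES_128_GCM_SHA256", "ECDHE_ECDSA_AES_256_GCM_SHA384",
    "RSA_AES_128_GCM_SHA256", "RSA_AES_256_GCM_SHA384",
    "RSA_AES_128_CBC_SHA256", "RSA_AES_128_CBC_SHA", "RSA_AES_256_CBC_SHA256",
]

# Assumption: protocol versions enabled locally, as (major, minor) TLS numbers.
LOCAL_PROTOCOLS = [(1, 2), (1, 1), (1, 0)]

# Constructed peer inventory (hypothetical names and values); in practice this
# is filled in from a scanner report for each endpoint you connect to.
PEERS = {
    "payment-portal": {"protocols": [(1, 2)],
                       "suites": ["RSA_AES_128_GCM_SHA256", "RSA_AES_128_CBC_SHA"]},
    "legacy-tls10-rc4": {"protocols": [(1, 0)],
                         "suites": ["RSA_RC4_128_SHA", "RSA_3DES_EDE_CBC_SHA"]},
    "legacy-tls10-aes": {"protocols": [(1, 0)],
                         "suites": ["RSA_AES_128_CBC_SHA", "RSA_3DES_EDE_CBC_SHA"]},
}

def min_protocol(suite):
    """GCM suites and suites with a SHA256/SHA384 MAC exist only in TLS 1.2."""
    if "_GCM_" in suite or suite.endswith(("_SHA256", "_SHA384")):
        return (1, 2)
    return (1, 0)

def negotiate(local_suites, local_protocols, peer):
    """Return (protocol, suite) both sides can agree on, or None.
    Simplified: highest shared protocol, then first suite in local order."""
    shared = set(local_protocols) & set(peer["protocols"])
    if not shared:
        return None
    version = max(shared)
    for suite in local_suites:
        if suite in peer["suites"] and min_protocol(suite) <= version:
            return version, suite
    return None

def audit(local_suites, local_protocols=LOCAL_PROTOCOLS, peers=PEERS):
    """Map each peer to the negotiated (protocol, suite), or None if it breaks."""
    return {name: negotiate(local_suites, local_protocols, p) for name, p in peers.items()}

if __name__ == "__main__":
    for name, result in audit(RESTRICTED).items():
        print(f"{name:18} {'OK ' + result[1] if result else 'NO COMMON SUITE'}")
```

Of the seven suites in that list, only RSA_AES_128_CBC_SHA is usable below TLS 1.2, so a TLS 1.0 peer that does not offer it has nothing left to negotiate.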
