Sounds like Brad should be writing up an RFE! Seems reasonable to me that it should be able to figure out to drop back to an older level without being coerced.



On Oct 27, 2020, at 3:19 PM, Steinmetz, Paul via WEB400 <web400@xxxxxxxxxxxxxxxxxx> wrote:

Brad,

I'm not sure of all the underlying changes, but I had a few issues, most was working at TLSv1.3 or TLSv1.2.
Here is the link.

https://www.ibm.com/support/pages/ibm-i-73-system-tls-support-transport-layer-security-version-13-tlsv13

Paul



-----Original Message-----
From: WEB400 <web400-bounces@xxxxxxxxxxxxxxxxxx> On Behalf Of Brad Stone
Sent: Tuesday, October 27, 2020 3:11 PM
To: Web Enabling the IBM i (AS/400 and iSeries) <web400@xxxxxxxxxxxxxxxxxx>
Subject: Re: [WEB400] SSL API Issues after latest CUM PTFs on V7R3

But shouldn't the system, when connecting to another server, see that they are using 1.2 and use that? Or does the latest CUM turn off anything except 1.3?

It's similar to another issue I had with a client. They were getting an error connecting to a server. We got a list of all the ciphers the server had available and we had most of them matched on the IBM i, minus a few older ciphers. But we still had to enable a couple older ciphers manually to make it work.

You'd think with a choice of 10 or more that match, the system could choose to use one of those instead of the old outdated cipher the server had (which was there mainly for older systems).

On Tue, Oct 27, 2020 at 12:36 PM Steinmetz, Paul via WEB400 <web400@xxxxxxxxxxxxxxxxxx> wrote:

Brad,

I had to do the same.
IBM has a tech doc on this.
It actually disables TLSV1.3, which is the new default with the latest CUME PTFs.
Not all our network devices support TLSV1.3, thus had to revert to previous settings.
*TLSV1.2
*TLSV1.1
*TLSV1

TLSv1.3 could be a simple change for some, but for us it will be a while.

Paul

-----Original Message-----
From: WEB400 <web400-bounces@xxxxxxxxxxxxxxxxxx> On Behalf Of Brad Stone
Sent: Tuesday, October 27, 2020 1:31 PM
To: Web Enabling the IBM i (AS/400 and iSeries) <web400@xxxxxxxxxxxxxxxxxx>
Subject: Re: [WEB400] SSL API Issues after latest CUM PTFs on V7R3

Well, my client had a call with IBM.
IBM had them change the system value QSSLPCL from *OPSYS to a list:
*TLSV1.2
*TLSV1.1
*TLSV1

And that seemed to fix their specific issue. Doesn't make sense (well, it does). I have a feeling their trading partner was using an older version of TLS. That should have been easy to tell. Seems like a bandaid fix.

On Tue, Oct 6, 2020 at 10:09 AM Gerald Magnuson <gmagqcy.midrange@xxxxxxxxx> wrote:

Sorry, I should clarify, we use HTTPAPI here.

On Tue, Oct 6, 2020 at 9:40 AM Brad Stone <bvstone@xxxxxxxxx> wrote:

I'd sure love to be able to test it, though. Then I could figure out if I needed to just retry the handshake, or if I need to totally restart the connection. But the trace from the customer did show that the SSL handshake wasn't working properly...

On Tue, Oct 6, 2020 at 9:20 AM Charles Wilt <charles.wilt@xxxxxxxxx> wrote:

I'd agree that there should be a number of retries.

Charles

On Tue, Oct 6, 2020 at 7:05 AM Brad Stone <bvstone@xxxxxxxxx> wrote:

Thanks for following up. I haven't heard from my customers yet either (which I normally take as a good thing).

I wonder if in our applications if a handshake fails we should have a default number of retries. The only issue is I can't recreate the issue on my end to test with.

On Tue, Oct 6, 2020 at 7:59 AM Gerald Magnuson <gmagqcy.midrange@xxxxxxxxx> wrote:

The PTF (MF67570) didn't fix it.

On Mon, Oct 5, 2020 at 1:48 PM Brad Stone <bvstone@xxxxxxxxx> wrote:

Keep us updated on your issues and if the PTF IBM suggests solves the issue.

On Mon, Oct 5, 2020 at 1:43 PM Gerald Magnuson <gmagqcy.midrange@xxxxxxxxx> wrote:

Also, not only are we getting the TLSv1.2 Peer not recognized... errors when connecting to our internal servers (HAProxy), we have been getting that -16 error when we try to connect to one of our VANs (COVISINT).

On Mon, Oct 5, 2020 at 1:22 PM Gerald Magnuson <gmagqcy.midrange@xxxxxxxxx> wrote:

We have had these errors since we went to 7.4 on Labor Day. After changing ciphers and putting on all the latest PTF groups, we now have this very strange symptom: these errors "(GSKit) Peer not recognized or badly formatted message received." are only happening between the hours of 6am through 10am (we may get 1 or 2 outside of this time frame).

I have just installed that ptf (MF67593 - 7.4 MF67570), so let's see what tomorrow brings.

On Thu, Oct 1, 2020 at 4:07 PM Brad Stone <bvstone@xxxxxxxxx> wrote:

Info from IBM that a customer got:

- APAR MA48442 (“OSP-OTHER-UNPRED SYSTEM TLS FAILS TLSV1.2 SERVER HELLO WITHOUT EXTENSION DATA LENGTH”)
- Update a few PTF Groups to current levels
- Apply PTF MF67593, which isn’t in any PTF Group.

So it does seem to be an IBM issue that has already been (hopefully) fixed. I will know for sure after the weekend.

I tried searching for PTFs but that seems futile these days... unless I'm just not understanding how their newer searches work...lol.

On Thu, Oct 1, 2020 at 10:07 AM Brad Stone <bvstone@xxxxxxxxx> wrote:

Hi, Jeff.

I haven't seen any issues with Google, no. I just am wondering if it's an issue with only certain endpoints. It's hard to tell. I am hoping to hear from one customer to see what IBM tells them.

On Thu, Oct 1, 2020 at 9:36 AM Jeff Crosby <jlcrosby@xxxxxxxxxxxxxxxx> wrote:

Is this 7.3? Would this possibly affect my using G4G uploading PDFs?

Asking because I'm set to IPL and apply some PTF groups tomorrow night.

Thanks.



On Thu, Oct 1, 2020 at 10:23 AM Brad Stone <bvstone@xxxxxxxxx> wrote:

I have a few customers that seem to be reporting an issue with the IBM SSL APIs after applying a recent PTF group when using GETURI (HTTPAPI also reports the same issues) communicating with a web service.

Also from tests using cURL and PHP on the IBM i the error cannot be reproduced, neither can it on the PC using Postman, etc.

Randomly they are receiving the error:

415 - Peer not recognized or badly formatted message received.

If the standard SSL APIs are used RC is normally -16 if I recall.

One customer was able to work with a trading partner and they did a trace on their end and tracked it down to the "Hello" communications from the IBM i during SSL negotiation.

What they saw and explained was something like this:

"...When everything is working fine we have noticed the server hellos are super small …376 bytes which is an indication of TLS session reuse. Then there is an attempt to do TLS reuse with a different proxy or backend server and it fails which is likely this TLS FATAL illegal parameter error. The NEXT server hello is much larger, 3586 bytes, because the TLS session is trashed and has to start over.

It then works for a while with the little server hellos doing session reuse ... until a proxy or backend server gets switched and it blows up and starts all over..."

So, when this error is reported on the IBM i it seems to correlate with what they see on their end where the TLS session is "trashed".

My suspicion is that a recent PTF broke this, since it worked for years previously and after the PTFs this behavior started.

I have the customer contacting IBM to see what they can find with all this information, but I am just curious if anyone else is experiencing this issue and what they have found.

Thanks.


Bradley V. Stone
www.bvstools.com
Native IBM i e-Mail solutions for Microsoft Office 365, Gmail, or any Cloud Provider!
--
This is the Web Enabling the IBM i (AS/400 and iSeries) (WEB400) mailing list
To post a message email: WEB400@xxxxxxxxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: https://lists.midrange.com/mailman/listinfo/web400
or email: WEB400-request@xxxxxxxxxxxxxxxxxx
Before posting, please take a moment to review the archives
at https://archive.midrange.com/web400.



--


Jeff Crosby
VP Information Systems UniPro FoodService/Dilgard
P.O. Box 13369 Ft. Wayne, IN 46868-3369
260-422-7531
direct.dilgardfoods.com

The opinions expressed are my own and not necessarily the opinion of my company. Unless I say so.
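
The APAR title quoted in the thread names a TLSv1.2 ServerHello "without extension data length", that is, one that ends right after the compression method, which RFC 5246 permits. The parser below is an example added to this archive page, not IBM's code and not written by anyone in the thread; the names `parse_server_hello` and `is_resumed` and the sample bytes are constructed for illustration. It accepts that message shape and shows the session-ID echo that marks the small "session reuse" hello the trading partner described.

```python
import struct

class HelloError(ValueError):
    """Raised when a ServerHello body is truncated or inconsistent."""

def parse_server_hello(body: bytes) -> dict:
    """Parse a TLS 1.0-1.2 ServerHello body (handshake header already removed)."""
    if len(body) < 35:
        raise HelloError("truncated before session_id")
    version = struct.unpack_from("!H", body, 0)[0]   # bytes 2..33 are the random
    sid_len = body[34]
    pos = 35 + sid_len
    if sid_len > 32 or len(body) < pos + 3:
        raise HelloError("bad session_id or missing cipher/compression")
    session_id = body[35:pos]
    cipher, compression = struct.unpack_from("!HB", body, pos)
    pos += 3
    hello = {"version": version, "session_id": session_id, "cipher": cipher,
             "compression": compression, "extensions": None}
    if pos == len(body):
        # Legal: the whole extensions block is optional in TLS 1.2, so there
        # is no extensions length field to read. A parser must not demand one.
        return hello
    if len(body) < pos + 2:
        raise HelloError("dangling byte after compression_method")
    ext_total = struct.unpack_from("!H", body, pos)[0]
    pos += 2
    if pos + ext_total != len(body):
        raise HelloError("extensions length does not match remaining bytes")
    exts = {}
    while pos < len(body):
        if len(body) < pos + 4:
            raise HelloError("truncated extension header")
        ext_type, ext_len = struct.unpack_from("!HH", body, pos)
        pos += 4
        if pos + ext_len > len(body):
            raise HelloError("extension overruns message")
        exts[ext_type] = body[pos:pos + ext_len]
        pos += ext_len
    hello["extensions"] = exts
    return hello

def is_resumed(offered_session_id: bytes, hello: dict) -> bool:
    """Session-ID resumption: the server echoes the non-empty ID the client offered."""
    return bool(offered_session_id) and hello["session_id"] == offered_session_id

# Constructed sample messages (not captured traffic).
SID = bytes(range(32))
BASE = b"\x03\x03" + b"\x11" * 32 + bytes([32]) + SID + b"\xc0\x2f" + b"\x00"
HELLO_NO_EXT = BASE                                            # ends after compression_method
HELLO_WITH_EXT = BASE + b"\x00\x05" + b"\xff\x01\x00\x01\x00"  # renegotiation_info
```
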


