
Re: ISeries using TLSV1



   Hi Sherry,
   The newest version of TLS is 1.2.  There is no TLSv3.  Did you mean SSL
   v3?
   TLS Version 1.2 is not supported by any of the major web browsers.
   Version 1.1 is supported only by Google Chrome 22 and higher.  The
   other major browsers (Internet Explorer, Firefox, Opera and Safari) all
   support only TLS version 1.0, or SSL versions 2 and 3.   (At least,
   without changing their default settings)
   HTTPAPI lets the operating system control which version of SSL/TLS is
   used.  It calls the IBM Global Secure Toolkit (GSKit) APIs, and does
   not set the ciphers, et al.; it lets the operating system take care of
   that.  However, the https_init() API has optional parameters (rarely
   used) that you can use to explicitly disable SSLv2 or SSLv3, leaving
   only TLS if that's what you want?
   As near as I can tell from the IBM response you provided, they are NOT
   telling you how to enable TLSv3 (which, after all, does not exist) but
   rather telling you how to disable TLSv1.  Presumably they're thinking
   you meant SSLv3, and therefore are telling you how to disable the newer
   (and preferred) TLS.
   I'm CCing this message to the mailing list, which is the correct place
   to discuss HTTPAPI.  If you wish to discuss this further, please post
   your replies there.  I hope this doesn't come across as harsh, but I
   need people to use the mailing list or I will get overwhelmed by the
   workload of e-mails that I get.
   Thanks!
   -SK

   On 11/29/2012 3:50 PM, Smith, Sherry K. wrote:

   Hi Scott,


   I am using your HTTPAPI and I have run into a problem with security
   between the ISeries and the website I am trying to consume.  Basically,
   the website URL I am trying to access is using TLSV3 and the ISeries is
   using TLSV1. I have included input from IBM (as well as attaching the
   trace information) on this problem, and their answer seems to be to
   change the AES at the application level.  I am NOT familiar with
   ciphers or TLSV1 at all.  I can't believe we are the first ones facing
   this issue, and I need your help to point me in the right direction.


   I appreciate your help,


   Sherry Smith


   Sherry K. Smith

   Programmer/Analyst

   University of Illinois Foundation

   (217) 239-6018





   IBM RESPONSE:

   I discussed this with my developer.
   He noted that the HTTPAPI should come with information on controlling
   protocols and ciphers. If it did not, it's likely not possible.
   At this point you may turn it off for the entire system. You can
   remove the AES ciphers from the QSSLCSL after changing the system value
   QSSLCSLCTL to *USRDEF.
   He added that this is not the best, for this will disable the newest
   and strongest ciphers for your system.
   If the remote side is unable to support TLSV1, and shutting down AES
   ciphers for the entire i5, you can turn off AES at the application
   layer by changing your program code. But this is something that we
   wouldn't be able to assist with.
   I hope that this helps in your problem analysis.


-----------------------------------------------------------------------
This is the FTPAPI mailing list.  To unsubscribe, please go to:
http://www.scottklement.com/mailman/listinfo/ftpapi
-----------------------------------------------------------------------