
Re: Do we need new version of HTTPAPI to support TLSv1.2?



Susan & Mike,

This is an exception to the "GSKit will take care of that" rule. For some reason, when IBM added support for TLS 1.1 and 1.2, they made it so that it would not be used by default, the application must explicitly ask for TLS 1.1/1.2 support. (At least, it does in v7r1, I don't think it has to do that in v7r2).

So the update you cite in the change log does exactly that -- it tests whether support is available for TLS 1.1 and 1.2 and specifically requests that support if found. It also will disable SSL v2 and SSL v3, unless you explicitly tell HTTPAPI you want these versions. This is a critical update if SSL/TLS security is at all important to you. These versions are known to be exploitable and dangerous to use, so it will no longer enable them by default.

TLS 1.0 is also no longer considered secure, but we do enable it by default because it would break compatibility with too many applications to disable it at this point. Plus, users running releases prior to v7r1 do not have access to TLS 1.1 or 1.2, so for them TLS 1.0 is the best they can do. It's not nearly as insecure as SSLv3, but if you don't need it for compatibility, I still recommend you disable it and use TLS 1.1/1.2 instead. You can control that with the QSSLPCL system value.

I would definitely recommend running the latest HTTPAPI (currently 1.29). The updates to HTTPAPI are designed to be compatible, so updating it should be painless. There's no advantage to running an older version.



On 10/29/2015 1:31 PM, Mike Krebs wrote:
Which version are you using? In general, HTTPAPI doesn't care as TLS is a GSKIT thing. But, there is new support added at 1.26:

Changes to version 1.26 from 1.25
   - Added support for TLS versions 1.1 and 1.2 (requires IBM i 7.1
      with TR6 installed or newer, and QSSLPCL sysval configured)


-----------------------------------------------------------------------
This is the FTPAPI mailing list.  To unsubscribe, please go to:
http://www.scottklement.com/mailman/listinfo/ftpapi
-----------------------------------------------------------------------
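The policy Scott describes above (never offer SSLv2/SSLv3, leave TLS 1.0 on only when compatibility requires it, and request TLS 1.1/1.2 only after checking the library actually supports them) can be seen in any TLS stack. The block below is an added illustration written for this archive page, not code from the thread, from HTTPAPI, or from IBM's GSKit; it expresses the same policy with Python's standard `ssl` module, whose `HAS_TLSv1_1` / `HAS_TLSv1_2` flags play the role of the "is this version available?" probe and whose `minimum_version` plays the role of QSSLPCL as a floor. The function names (`make_client_context`, `offered_versions`, `tls10_available`) are this example's own.

```python
"""Protocol-version policy from the HTTPAPI thread, applied to Python's ssl
module. Added illustration only; not HTTPAPI or GSKit code."""
import ssl

# Which protocol versions this OpenSSL build supports. Consulting these flags
# before enabling a version mirrors the "test for support, then request it"
# behaviour the thread describes for TLS 1.1/1.2 on IBM i.
# (SSLv2 has no TLSVersion member, so it can never appear in the policy.)
_AVAILABLE = {
    ssl.TLSVersion.SSLv3: ssl.HAS_SSLv3,
    ssl.TLSVersion.TLSv1: ssl.HAS_TLSv1,
    ssl.TLSVersion.TLSv1_1: ssl.HAS_TLSv1_1,
    ssl.TLSVersion.TLSv1_2: ssl.HAS_TLSv1_2,
    ssl.TLSVersion.TLSv1_3: ssl.HAS_TLSv1_3,
}


def make_client_context(allow_tls10: bool = False) -> ssl.SSLContext:
    """Client context: SSLv3 never, TLS 1.0 only when asked for, TLS 1.1+ otherwise."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    # minimum_version is the modern replacement for the OP_NO_SSLv3 / OP_NO_TLSv1
    # option bits: anything below the floor is refused during the handshake.
    # This is the per-application equivalent of the QSSLPCL floor on the system.
    ctx.minimum_version = (
        ssl.TLSVersion.TLSv1 if allow_tls10 else ssl.TLSVersion.TLSv1_1
    )
    return ctx


def offered_versions(ctx: ssl.SSLContext) -> list[str]:
    """Names of the protocol versions the context can negotiate, lowest first.

    A version is offered only if the library has it AND it lies within the
    context's [minimum_version, maximum_version] window.
    """
    lo, hi = ctx.minimum_version, ctx.maximum_version
    offered = []
    for version, available in _AVAILABLE.items():
        if not available:
            continue
        if lo != ssl.TLSVersion.MINIMUM_SUPPORTED and version < lo:
            continue
        if hi != ssl.TLSVersion.MAXIMUM_SUPPORTED and version > hi:
            continue
        offered.append(version.name)
    return offered


def tls10_available() -> bool:
    """Whether this build can speak TLS 1.0 at all (the compatibility fallback)."""
    return ssl.HAS_TLSv1


if __name__ == "__main__":
    print("default policy :", offered_versions(make_client_context()))
    print("with TLS 1.0   :", offered_versions(make_client_context(allow_tls10=True)))
```

Run it as a script to see the two resulting policies for your OpenSSL build. The default context never lists SSLv3 or TLSv1, and the TLS 1.0 variant lists TLSv1 only when the library still has it, which is exactly the compatibility-versus-security trade-off the thread discusses.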