
Re: No Matching Cipher Suite. V7.1



   I had a similar problem and have not solved that problem as the
   required ciphers are not available at 7.1.
   I received the table below from IBM.
   The next tables show the ciphers supported by the iSeries on
   R710.
   If the table gets screwed up or lost you can find it at:
   [1]http://www.ibm.com/support/knowledgecenter/ssw_ibm_i_71/rzain/rzainciphers.htm

   QSSLCSL System Value Representation   TLSv1.2  TLSv1.1  TLSv1.0  SSLv3  SSLv2
   -----------------------------------   -------  -------  -------  -----  -----
   *RSA_AES_256_CBC_SHA256                  X        -        -       -      -
   *RSA_AES_128_CBC_SHA256                  X        -        -       -      -
   *RSA_AES_256_CBC_SHA                     X        X        X       -      -
   *RSA_AES_128_CBC_SHA                     X        X        X       -      -
   *RSA_3DES_EDE_CBC_SHA                    X        X        X       X      -
   *RSA_RC4_128_SHA                         X        X        X       X      -
   *RSA_RC4_128_MD5                         X        X        X       X      X
   *RSA_DES_CBC_SHA                         -        X        X       X      -
   *RSA_EXPORT_RC4_40_MD5                   -        -        X       X      X
   *RSA_EXPORT_RC2_CBC_40_MD5               -        -        X       X      X
   *RSA_NULL_SHA256                         X        -        -       -      -
   *RSA_NULL_SHA                            X        X        X       X      -
   *RSA_NULL_MD5                            X        X        X       X      -
   *RSA_RC2_CBC_128_MD5                     -        -        -       -      X
   *RSA_3DES_EDE_CBC_MD5                    -        -        -       -      X
   *RSA_DES_CBC_MD5                         -        -        -       -      X

   Don Brown

   From:        Dave Burt <dave.burt@xxxxxxxxxxx>
   To:        "ftpapi@xxxxxxxxxxxxxxxxxxxxxx"
   <ftpapi@xxxxxxxxxxxxxxxxxxxxxx>
   Date:        03/11/2016 01:29 AM
   Subject:        No Matching Cipher Suite. V7.1
   Sent by:        ftpapi-bounces@xxxxxxxxxxxxxxxxxxxxxx
     __________________________________________________________________

   The server we are testing on is at 7.1 and at least Tech Refresh 6+.
   All PTFs that are supposed to allow the TLS1.2 protocols to work are
   applied.
   I have been using HTTPAPI and RPG to call external web services such as
   leading2lean and service-now.  HTTPAPI is at 1.32.
   HTTPAPI documentation says it works up to TLS 1.2. (last build 2/2016)
   The HTTPS protocol is only handshaking if L2L sets their server to a
   very "unsecure level" below SSL2.  L2L (under special request) has been
   letting us do it this way for a while. But eventually, they are going
   to require at least TLS??
   Service-now web service works but I don't know what protocol level they
   are enforcing.
   This command causes the handshake failure:
   rc = http_url_post(url:myPointer:dataSize:ifs:HTTP_TIMEOUT:
                     HTTP_USERAGENT:
                     'application/x-www-form-urlencoded');
   The error message is "SSL Handshake: (GSKit) No compatible cipher suite
   available"
   According to our Sys-Op and an expert at the COMMON conference, our
   server should be TLS1.2 capable.  He thinks it is the application
   that's not working. Our ciphers don't exactly match L2L's by name, but
   the expert told our Sys-op that doesn't matter???  It doesn't look like
   we can even do SSL 2.0.
   The GSKIT API includes an https_init(application_name, enabled
   protocols (ssl2.0, ssl3.0,tls1.0,1.1,1.2))
   ii = https_init(*blanks:*Off:*ON:
                          *ON: *ON: *ON);
   We also tried creating an application certificate and using that in the
   program.  But no difference.  I verified that the https_init returns
   without the error code set.
   Our system value for QSSLCSL:
   *RSA_AES_128_CBC_SHA256
   *RSA_AES_128_CBC_SHA
   *RSA_RC4_128_SHA
   *RSA_AES_256_CBC_SHA256
   *RSA_AES_256_CBC_SHA
   *RSA_3DES_EDE_CBC_SHA
   *RSA_DES_CBC_SHA
   *RSA_EXPORT_RC4_40_MD5
   *RSA_EXPORT_RC2_CBC_40_MD5
   *RSA_NULL_SHA256
   *RSA_NULL_SHA
   *RSA_NULL_MD5
   *RSA_RC4_128_MD5
   QSSLCSLCTL: *USRDFN
   QSSLPCL:
   Protocols
   *TLSV1.2
   *TLSV1.1
   *TLSV1
   *SSLV3
   Ciphers  L2L says will handshake are:
   Cipher Suites (SSL 3+ suites in server-preferred order; deprecated and
   SSL 2 suites at the end)
   TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)   ECDH secp256r1 (eq. 3072 bits RSA)   FS   256
   TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)   ECDH secp256r1 (eq. 3072 bits RSA)   FS   128
   TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)   ECDH secp256r1 (eq. 3072 bits RSA)   FS   256
   TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)   ECDH secp256r1 (eq. 3072 bits RSA)   FS   128
   TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)      ECDH secp256r1 (eq. 3072 bits RSA)   FS   256
   TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)      ECDH secp256r1 (eq. 3072 bits RSA)   FS   128
   TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x9f)       DH 2048 bits   FS   256
   TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x6b)       DH 2048 bits   FS   256
   TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39)          DH 2048 bits   FS   256
   TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (0x88)     DH 2048 bits   FS   256
   TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x9e)       DH 2048 bits   FS   128
   TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x67)       DH 2048 bits   FS   128
   TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33)          DH 2048 bits   FS   128
   TLS_DHE_RSA_WITH_SEED_CBC_SHA (0x9a)             DH 2048 bits   FS   128
   TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (0x45)     DH 2048 bits   FS   128
   Thanks in advance for the help.
   Dave
   ***************************************************************
   Consider the environment before printing this message.
   To read the Companies' Information and Confidentiality Notice, follow
   this link:
   [2]https://www.autoliv.com/Pages/disclaimer.aspx
   ***************************************************************
   -----------------------------------------------------------------------
   This is the FTPAPI mailing list.  To unsubscribe, please go to:
   [3]http://www.scottklement.com/mailman/listinfo/ftpapi
   -----------------------------------------------------------------------

References

   1. http://www.ibm.com/support/knowledgecenter/ssw_ibm_i_71/rzain/rzainciphers.htm
   2. https://www.autoliv.com/Pages/disclaimer.aspx
   3. http://www.scottklement.com/mailman/listinfo/ftpapi
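
Added example (not part of either post, and not HTTPAPI or IBM code): a cipher suite is negotiated by its numeric ID, so this script intersects the IDs behind the QSSLCSL values in the original message with the IDs the remote server is listed as accepting, and reports the key-exchange family on each side. The mapping of each IBM i name to the static-RSA suite of the same name is an assumption of the example.

```python
import re

# QSSLCSL values from the post -> IANA suite ID. Assumption: each IBM i name
# denotes the static-RSA TLS suite of the same name (TLS_RSA_WITH_...).
QSSLCSL = {
    "*RSA_AES_128_CBC_SHA256": 0x3C, "*RSA_AES_128_CBC_SHA": 0x2F,
    "*RSA_RC4_128_SHA": 0x05, "*RSA_AES_256_CBC_SHA256": 0x3D,
    "*RSA_AES_256_CBC_SHA": 0x35, "*RSA_3DES_EDE_CBC_SHA": 0x0A,
    "*RSA_DES_CBC_SHA": 0x09, "*RSA_EXPORT_RC4_40_MD5": 0x03,
    "*RSA_EXPORT_RC2_CBC_40_MD5": 0x06, "*RSA_NULL_SHA256": 0x3B,
    "*RSA_NULL_SHA": 0x02, "*RSA_NULL_MD5": 0x01, "*RSA_RC4_128_MD5": 0x04,
}

# Suite names and IDs the remote server accepts, as listed in the post.
SERVER_REPORT = """
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x9f)
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x6b)
TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39)
TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (0x88)
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x9e)
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x67)
TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33)
TLS_DHE_RSA_WITH_SEED_CBC_SHA (0x9a)
TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (0x45)
"""
SUITE_RE = re.compile(r"TLS_(\w+?)_WITH_\w+\s+\((0x[0-9a-fA-F]+)\)")

def parse_server(report):
    """Map suite ID -> key-exchange family for every suite in the listing."""
    return {int(m[2], 16): m[1] for m in SUITE_RE.finditer(report)}

def diagnose(client, server):
    """Return (shared suite IDs, client key exchanges, server key exchanges)."""
    shared = sorted(set(client.values()) & set(server))
    client_kx = sorted({name[1:].split("_", 1)[0] for name in client})
    return shared, client_kx, sorted(set(server.values()))

if __name__ == "__main__":
    shared, client_kx, server_kx = diagnose(QSSLCSL, parse_server(SERVER_REPORT))
    print("shared suites:", [hex(i) for i in shared] or "none")
    print("client offers key exchange:", client_kx)
    print("server requires key exchange:", server_kx)
```

With the two lists from the thread the intersection is empty: every QSSLCSL value is a static-RSA suite, while the server lists only ECDHE_RSA and DHE_RSA suites.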