Dave, you get the gold star! SSLV3 did it!
Thanks to all

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Gibney, David Allen,Jr
Sent: Wednesday, February 24, 2016 3:25 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: SSLv3 & SSLv3 - APAR OA47183, PTF UA75508

UA75508 is sup'd by UA76977 on my system.

TELNETGLOBALS SSLV3

And I am using a keyring in RACF

> -----Original Message-----
> From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Dazzo, Matt
> Sent: Wednesday, February 24, 2016 12:15 PM
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: Re: SSLv3 & SSLv3 - APAR OA47183, PTF UA75508
>
> Dave, what statements did you add? Thanks
>
> -----Original Message-----
> From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Gibney, David Allen,Jr
> Sent: Wednesday, February 24, 2016 3:12 PM
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: Re: SSLv3 & SSLv3 - APAR OA47183, PTF UA75508
>
> When I hit a similar issue with z/OS 1.13, I was able to use SSLV3 in
> TELNETGLOBALS to revive it.
>
> > -----Original Message-----
> > From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Dazzo, Matt
> > Sent: Wednesday, February 24, 2016 12:08 PM
> > To: IBM-MAIN@LISTSERV.UA.EDU
> > Subject: Re: SSLv3 & SSLv3 - APAR OA47183, PTF UA75508
> >
> > Yes, OA46489 is on (PTF UA75508).
> >
> > The error I get is a pop up window with
> >
> > Unable to establish secure socket
> > error:1409443E:SSL routine:SSL3_READ_BYTES:tlsv1 alert protocol version
> >
> > The SSL handshake failed
> >
> > -----Original Message-----
> > From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Lizette Koehler
> > Sent: Wednesday, February 24, 2016 2:43 PM
> > To: IBM-MAIN@LISTSERV.UA.EDU
> > Subject: Re: SSLv3 & SSLv3 - APAR OA47183, PTF UA75508
> >
> > Also, according to OA47183 you may also need to install OA46489.
> > Did that occur as well?
> >
> > APAR OA46489 fixed the problem it reported but introduced a
> > new problem. We recommend OA46489 stay installed.
> > Without OA46489, gsk_environment_open() would default to
> > enable the SSL V2 and SSL V3 protocols. They would need to
> > be disabled explicitly if they were not wanted.
> > Once OA46489 is installed, these protocols are disabled by
> > default, but they can be enabled explicitly.
> >
> > In either case, the default settings can be overridden by
> > either environment variables (GSK_PROTOCOL_SSLV2 or
> > GSK_PROTOCOL_SSLV3) or through a call to the
> > gsk_attribute_set_enum() API specifying enumeration
> > identifiers (GSK_PROTOCOL_SSLV2 or GSK_PROTOCOL_SSLV3).
> >
> > Users of applications requiring the use of SSL V2 or SSL V3
> > will need to enable the support through environment
> > variables, application configuration settings when available
> > or through the use of AT-TLS to control the secure
> > connections.
> >
> > The RACF/SAF checks resulting in the SMF 80 records were
> > being used by System SSL to aid in the setting of the
> > protocols.
> >
> > Lizette
> >
> > > -----Original Message-----
> > > From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Lizette Koehler
> > > Sent: Wednesday, February 24, 2016 12:40 PM
> > > To: IBM-MAIN@LISTSERV.UA.EDU
> > > Subject: Re: SSLv3 & SSLv3 - APAR OA47183, PTF UA75508
> > >
> > > Do you get any other error messages?
> > > What symptoms (other than cannot connect) do you see?
> > >
> > > Have you joined the TCPIP List? If not, that might be another place
> > > to post this question.
> > > To join, if you have not done so, use this
> > > TCPIP To subscribe, send mail to lists...@vm.marist.edu with the
> > > command (paste it!)
> > > in the e-mail message body:
> > > SUBSCRIBE IBMTCP-L
> > > Or this url and go to the bottom of the webpage:
> > > https://urldefense.proofpoint.com/v2/url?u=http-3A__www2.marist.edu_htbin_wlvindex-3FIBMTCP-2DL&d=CwIFAg&c=C3yme8gMkxg_ihJNXS06ZyWk4EJm8LdrrvxQb-Je7sw&r=u9g8rUevBoyCPAdo5sWE9w&m=CRofWQTXXgb6KmHLlJrnSam05thoNHMdB_VOomVg_Eg&s=rOJ4DtKQqEFdifEvZGdeKipWsA9CngvYNfzKGylX--4&e=
> > >
> > > Lizette
> > >
> > > > -----Original Message-----
> > > > From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Dazzo, Matt
> > > > Sent: Wednesday, February 24, 2016 12:36 PM
> > > > To: IBM-MAIN@LISTSERV.UA.EDU
> > > > Subject: SSLv3 & SSLv3 - APAR OA47183, PTF UA75508
> > > >
> > > > After applying RSU maintenance to our zos1.13 sandbox system I
> > > > have run into a problem (that I expected from reading the hold
> > > > data) with TN3270 and SSL.
> > > > SSLv2 & 3 are now defaulted to off. All our tn3270 sessions are
> > > > configured to use ssl, I tested with TLS and they work fine. I'd
> > > > like to enable ssl3 until we can get all the tn3270 users
> > > > changed over to tls on my terms.
> > > > * The PTF disabled SSL by default, but they can be enabled explicitly.
> > > >
> > > > According to the apar info it is possible to override the new
> > > > default (ssl off) in 2 ways, one with environment variable and
> > > > the other (not the preferred method) with RACF profiles. Any help
> > > > in getting this resolved is appreciated.
> > > > Matt
> > > >
> > > > So far I have tried adding the below to /etc/profile
> > > > export GSK_PROTOCOL_SSLV3_ON
> > > > export GSK_PROTOCOL_SSLV2_ON
> > > >
> > > > And add the below to my telnet profile, I still cannot connect using
> > > > ssl.
> > > >
> > > > ENCRYPT
> > > > SSL_RC4_SHA
> > > > SSL_RC4_MD5
> > > > SSL_AES_256_SHA
> > > > SSL_AES_128_SHA
> > > > SSL_3DES_SHA
> > > > SSL_DES_SHA
> > > > SSL_RC4_MD5_EX
> > > > SSL_RC2_MD5_EX
> > > > SSL_NULL_SHA
> > > > SSL_NULL_MD5
> > > > SSL_NULL_Null
> > > > ENDENCRYPT
> >
> > ----------------------------------------------------------------------
> > For IBM-MAIN subscribe / signoff / archive access instructions,
> > send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
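
A defender's check built on the statements quoted in this thread, added here as an example and not code from any poster or from IBM: it scans a TN3270 profile for SSLV2/SSLV3 switches inside TELNETGLOBALS and for weak ENCRYPT entries, and compares `export` lines with the variable names the APAR text gives. The function names, the `;` comment convention, the ENDTELNETGLOBALS terminator and the sample input (including the value `ON`) are assumptions or constructed.

```python
import re

# Name fragments taken from the cipher names in the thread's ENCRYPT block.
WEAK = {"NULL": "no encryption", "_EX": "export-grade key", "RC4": "RC4",
        "RC2": "RC2", "_DES_": "single DES", "MD5": "MD5 MAC"}
APAR_VARS = ("GSK_PROTOCOL_SSLV2", "GSK_PROTOCOL_SSLV3")  # names in the APAR text

def audit_profile(text):
    """Report SSLV2/SSLV3 switches in TELNETGLOBALS and weak ENCRYPT entries."""
    findings, in_globals, in_encrypt = [], False, False
    for n, raw in enumerate(text.splitlines(), 1):
        for word in raw.split(";", 1)[0].split():  # assumption: ';' starts a comment
            up = word.upper()
            if up in ("TELNETGLOBALS", "ENDTELNETGLOBALS"):
                in_globals = up == "TELNETGLOBALS"
            elif up in ("ENCRYPT", "ENDENCRYPT"):
                in_encrypt = up == "ENCRYPT"
            elif in_encrypt:
                why = [d for frag, d in WEAK.items() if frag in up]
                if why:
                    findings.append((n, word, ", ".join(why)))
            elif in_globals and up in ("SSLV2", "SSLV3"):
                findings.append((n, up, "legacy protocol enabled"))
    return findings

def audit_exports(text):
    """Report GSK_PROTOCOL_* export lines: unknown names, missing values, overrides."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        m = re.match(r"\s*export\s+(GSK_PROTOCOL_\w+)(?:=(\S*))?", raw)
        if m:
            name, value = m.groups()
            note = ("name not listed in the APAR text" if name not in APAR_VARS
                    else "override present, value " + value if value
                    else "no value assigned on this line")
            findings.append((n, name, note))
    return findings

# Constructed sample input, assembled from the fragments quoted in the thread.
SAMPLE_PROFILE = """\
TELNETGLOBALS
  SSLV3   ; constructed comment
ENDTELNETGLOBALS
ENCRYPT
  SSL_AES_256_SHA SSL_3DES_SHA SSL_DES_SHA
  SSL_RC2_MD5_EX SSL_NULL_Null
ENDENCRYPT
"""
SAMPLE_EXPORTS = "export GSK_PROTOCOL_SSLV3_ON\nexport GSK_PROTOCOL_SSLV3=ON\n"
```

Run against a copy of the real profile once the TN3270 users have moved to TLS, so a leftover SSLV3 switch or NULL/export cipher entry does not stay in place unnoticed.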