Re: Help with switching an IP:PORT to TLS V1.2

2021-12-26 Thread Attila Fogarasi
You have to update the file /etc/pagent.ttls.conf to explicitly deactivate SSL (specify SSLV3 Off). Also TLS 1 and 1.1 are on by default and you have to also specify 1.2 explicitly if you don't want the lower levels. Also clients generally default to using SSL, for example Microsoft has several

Re: Help with switching an IP:PORT to TLS V1.2

2021-12-25 Thread Phil Smith III
Lennie Dymoke-Bradshaw wrote:
>Maybe I am trying to teach my granny to suck eggs, but I think TLS includes the capability to fall back as far as SSLv3 if the other party does not support TLS. Could this be what you are seeing?
Ah, you're being much too logical. The short answer to your query

Re: Help with switching an IP:PORT to TLS V1.2

2021-12-25 Thread Lennie Dymoke-Bradshaw
Maybe I am trying to teach my granny to suck eggs, but I think TLS includes the capability to fall back as far as SSLv3 if the other party does not support TLS. Could this be what you are seeing? Lennie Dymoke-Bradshaw https://rsclweb.com ‘Dance like no one is watching. Encrypt like everyone

Re: Help with switching an IP:PORT to TLS V1.2

2021-12-24 Thread Don Poitras
AT-TLS is mutually exclusive with applications that actually call SSL functions (OpenSSL, GSK, etc.). The "AT" part means "Application Transparent", i.e., the program just uses sockets and doesn't deal with encryption at all. There's no way to set TLS 1.2 until one answers the question as to

Re: Help with switching an IP:PORT to TLS V1.2

2021-12-24 Thread John S. Giltner, Jr.
If you have access to OpenSSL you can issue the command:
    echo /dev/null | openssl s_client -showcerts -connect address:port -ssl3
If SSLv3 then the 1st line returned will end with "SSL alert number 70" or "SSL alert number 40". If it is supported you will see the certs. You can change

Re: Help with switching an IP:PORT to TLS V1.2

2021-12-23 Thread kekronbekron
Plus, I remember there's some environment variables that must be set for things like this. At least that's what I've seen in LDAPS, for example. GSK_SSL_something type variables to tune, turn off, or allow only specific SSL/TLS versions, or ciphers. - KB ‐‐‐ Original Message ‐‐‐ On

Re: Help with switching an IP:PORT to TLS V1.2

2021-12-23 Thread Don Poitras
If the hello packets from both the client and the server indicate TLS 1.2, then that's what's being used. If you could get "them" to specifically say what "behaving like SSLV3" means, then perhaps you'd get a better response here.

Re: Help with switching an IP:PORT to TLS V1.2

2021-12-23 Thread Matthew Stitt
Are you sure the SSL options are turned off, leaving only the TLSV12 option on?
Matthew
On Thu, 23 Dec 2021 10:01:26 -0700, Lizette Koehler wrote:
>We have done the Packet trace. It was not conclusive.
>
>Only showed that TLS V1.2 is being used. However - some were thinking that
>was not

Re: Help with switching an IP:PORT to TLS V1.2

2021-12-23 Thread Lizette Koehler
We have done the Packet trace. It was not conclusive. Only showed that TLS V1.2 is being used. However - some were thinking that was not true since the connection (according to them) was behaving like SSLV3, whatever that means.
Lizette
-Original Message- From: IBM Mainframe

Re: Help with switching an IP:PORT to TLS V1.2

2021-12-23 Thread Don Poitras
You could also just do a packet trace. Send the output to Wireshark. It can format all the TLS hand-shaking traffic. The question I'd have, given the original description is whether AT-TLS is being used at all. Perhaps the program is using OpenSSL or GSK?

Re: Help with switching an IP:PORT to TLS V1.2

2021-12-23 Thread Andrew Rowley
On 23/12/2021 5:27 pm, kekronbekron wrote:
> IBM would like you to use zERT, I reckon... The poor man's way is obviously diving into SMF.
I thought zERT is a free function in TCP/IP? I agree it is probably the best way to find this information. zERT writes SMF records, IBM provides functions

Re: Help with switching an IP:PORT to TLS V1.2

2021-12-22 Thread kekronbekron
IBM would like you to use zERT, I reckon... The poor man's way is obviously diving into SMF.
- KB
‐‐‐ Original Message ‐‐‐
On Thursday, December 23rd, 2021 at 1:09 AM, Mark Regan wrote:
> One tool I've used in the past is testssl
>
> https://testssl.sh/
>
> Testing TLS/SSL

Re: Help with switching an IP:PORT to TLS V1.2

2021-12-22 Thread Tom Brennan
I meant using *.sh for the URL of a shell script. Clicking on the link made me think for a second that would download and start running it :)
On 12/22/2021 2:21 PM, Phil Smith III wrote:
> Tom Brennan wrote:
>> Thanks... I need to give that a try too. I'm already impressed with their clever

Re: Help with switching an IP:PORT to TLS V1.2

2021-12-22 Thread Phil Smith III
Tom Brennan wrote:
>Thanks... I need to give that a try too. I'm already impressed with
>their clever use of Saint Helena for the URL.
OK, I feel stoopid: Huh? Doesn't appear anyone has ported testssl to z/OS, not that that's necessarily hard (nor is it necessarily easy). This tool also

Re: Help with switching an IP:PORT to TLS V1.2

2021-12-22 Thread Tom Brennan
Thanks... I need to give that a try too. I'm already impressed with their clever use of Saint Helena for the URL.
On 12/22/2021 11:39 AM, Mark Regan wrote:
> One tool I've used in the past is testssl
> https://testssl.sh/
> Testing TLS/SSL encryption
> testssl.sh is a free

Re: Help with switching an IP:PORT to TLS V1.2

2021-12-22 Thread Neubert, Kevin
Did something similar a year ago. Believe I looked at SMF119AP_LSSP. Maybe a quicker option... Netstat COnn with something like a POrt filter will show the 4 character cipher number. Regards, Kevin -Original Message- From: IBM Mainframe Discussion List

Re: Help with switching an IP:PORT to TLS V1.2

2021-12-22 Thread Mark Regan
One tool I've used in the past is testssl
https://testssl.sh/
Testing TLS/SSL encryption
testssl.sh is a free command-line tool which checks a server's service on any port for the support of TLS/SSL ciphers, protocols as well as recent cryptographic flaws and

Help with switching an IP:PORT to TLS V1.2

2021-12-22 Thread Lizette Koehler
I have an appl that needs to be TLSV1.2
I updated PAGENT for this IP:PORT to only use TLS 1.2 and did a refresh
I am being told that despite that it is using SSLV3
How can I validate if the IP:PORT is using SSLV3 or TLS V1.2
Lizette