Maybe I am trying to teach my granny to suck eggs, but I think TLS includes the 
capability to fall back as far as SSLv3 if the other party does not support 
TLS. Could this be what you are seeing?

Lennie Dymoke-Bradshaw
https://rsclweb.com 
‘Dance like no one is watching. Encrypt like everyone is.’

-----Original Message-----
From: IBM Mainframe Discussion List <IBM-MAIN@LISTSERV.UA.EDU> On Behalf Of Don 
Poitras
Sent: 25 December 2021 03:15
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Help with switching an IP:PORT to TLS V1.2

AT-TLS is mutually exclusive with applications that actually call SSL functions 
(OpenSSL, GSK, etc.). The "AT" part means "Application Transparent", i.e., the 
program just uses sockets and doesn't deal with encryption at all. There's no 
way to set TLS 1.2 until one answers the question as to what's actually being 
used.

On Fri, 24 Dec 2021 03:24:51 +0000, kekronbekron <kekronbek...@protonmail.com> 
wrote:

>Plus, I remember there's some environment variables that must be set for 
>things like this.
>At least that's what I've seen in LDAPS, for example.
>GSK_SSL_something type variables to tune, turn off, or allow only specific 
>SSL/TLS versions, or ciphers.
>
>- KB
>
>‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
>
>On Thursday, December 23rd, 2021 at 10:52 PM, Matthew Stitt 
><mathwst...@bellsouth.net> wrote:
>
>> Are you sure the SSL options are turned off, leaving only the TLSV12 option 
>> on?
>>
>> Matthew
>>
>> On Thu, 23 Dec 2021 10:01:26 -0700, Lizette Koehler stars...@mindspring.com 
>> wrote:
>>
>> > We have done the Packet trace. It was not conclusive.
>> >
>> > Only showed that TLS V1.2 is being used. However - some were thinking that 
>> > was not true since the connection (according to them) was behaving like 
>> > SSLV3, whatever that means.
>> >
>> > Lizette
>> >
>> > -----Original Message-----
>> >
>> > From: IBM Mainframe Discussion List IBM-MAIN@LISTSERV.UA.EDU On 
>> > Behalf Of Don Poitras
>> >
>> > Sent: Thursday, December 23, 2021 8:06 AM
>> >
>> > To: IBM-MAIN@LISTSERV.UA.EDU
>> >
>> > Subject: Re: Help with switching an IP:PORT to TLS V1.2
>> >
>> > You could also just do a packet trace. Send the output to Wireshark. It 
>> > can format all the TLS hand-shaking traffic. The question I'd have, given 
>> > the original description is whether AT-TLS is being used at all. Perhaps 
>> > the program is using OpenSSL or GSK?
>> >
>> > https://www.ibm.com/support/pages/how-capture-and-format-ssl-component-trace

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions, send email to 
lists...@listserv.ua.edu with the message: INFO IBM-MAIN
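
Added example, not part of the thread or of any IBM tooling: when a packet trace is read for the protocol version, the value that settles it (for TLS 1.2 and below) is the version field inside the ServerHello, compared with what the ClientHello offered. The function names and the sample records below are constructed for illustration.

```python
import struct

NAMES = {0x0300: "SSLv3", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}
HELLO = {1: "ClientHello", 2: "ServerHello"}

def parse_hello(record: bytes):
    """Return (message kind, record-layer version, hello version) for one TLS record."""
    if len(record) < 5:
        raise ValueError("truncated record header")
    ctype, rec_ver, rec_len = struct.unpack("!BHH", record[:5])
    body = record[5:5 + rec_len]
    if ctype != 22 or len(body) != rec_len or rec_len < 6:
        raise ValueError("not a complete handshake record")
    if body[0] not in HELLO:
        raise ValueError("not a ClientHello/ServerHello")
    # body: type(1) length(3) version(2) random(32) session_id ...
    (hello_ver,) = struct.unpack("!H", body[4:6])
    return HELLO[body[0]], rec_ver, hello_ver

def negotiated(client_rec: bytes, server_rec: bytes) -> dict:
    """Compare the version the client offered with the one the server selected."""
    ckind, _, offered = parse_hello(client_rec)
    skind, _, selected = parse_hello(server_rec)
    if (ckind, skind) != ("ClientHello", "ServerHello"):
        raise ValueError("expected ClientHello then ServerHello")
    # TLS 1.3 is out of scope: it keeps 0x0303 here and signals the real
    # version in the supported_versions extension.
    return {"offered": NAMES.get(offered, hex(offered)),
            "selected": NAMES.get(selected, hex(selected)),
            "below_offer": selected < offered}

def sample(msg_type: int, rec_ver: int, hello_ver: int) -> bytes:
    """Build a minimal constructed hello record (zero random, one cipher suite)."""
    tail = b"\x00\x00\x02\x00\x2f\x01\x00" if msg_type == 1 else b"\x00\x00\x2f\x00"
    hello = struct.pack("!H", hello_ver) + bytes(32) + tail
    hs = bytes([msg_type]) + len(hello).to_bytes(3, "big") + hello
    return struct.pack("!BHH", 22, rec_ver, len(hs)) + hs

# Constructed records: the client's record header says TLS 1.0 while its
# hello offers TLS 1.2; one server accepts TLS 1.2, the other selects SSLv3.
CLIENT = sample(1, 0x0301, 0x0303)
SERVER_TLS12 = sample(2, 0x0303, 0x0303)
SERVER_SSL3 = sample(2, 0x0300, 0x0300)

if __name__ == "__main__":
    print(negotiated(CLIENT, SERVER_TLS12))
    print(negotiated(CLIENT, SERVER_SSL3))
```

The record-layer version in the five-byte header is returned separately because it can differ from the hello version, as in the constructed ClientHello here, and should not be read as the negotiated protocol.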
