Also, according to OA47183 you may also need to install OA46489. Did that occur
as well?
APAR OA46489 fixed the problem it reported but introduced a
new problem. We recommend OA46489 stay installed.
Without OA46489, gsk_environment_open() would default to
enable the SSL V2 and SSL V3 protocols. They would need to
be disabled explicitly if they were not wanted.
Once OA46489 is installed, these protocols are disabled by
default, but they can be enabled explicitly.
In either case, the default settings can be overriden by
either environment variables (GSK_PROTOCOL_SSLV2 or
GSK_PROTOCOL_SSLV3) or through a call to the
gsk_attribute_set_enum() API specifying enumeration
identifiers (GSK_PROTOCOL_SSLV2 or GSK_PROTOCOL_SSLV3).
Users of applications requiring the use of SSL V2 or SSL V3
will need to enable the support through environment
variables, application configuration settings when available
or through the use of AT-TLS to control the secure
connections.
The RACF/SAF checks resulting in the SMF 80 records were
being used by System SSL to aid in the setting of the
protocols.
Lizette
> -----Original Message-----
> From: IBM Mainframe Discussion List [mailto:[email protected]] On
> Behalf Of Lizette Koehler
> Sent: Wednesday, February 24, 2016 12:40 PM
> To: [email protected]
> Subject: Re: SSLv3 & SSLv3 - APAR OA47183, PTF UA75508
>
> Do you get any other error messages?
> What symptoms (other than cannot connect) do you see?
>
> Have you joined the TCPIP List? If not, that might another place to post this
> question.
> To join, if you have not done so, use this
> TCPIP To subscribe, send mail to [email protected] with the
> command (paste it!) in the e-mail message body:
> SUBSCRIBE IBMTCP-L
> Or this url and go to the bottom of the webpage:
> http://www2.marist.edu/htbin/wlvindex?IBMTCP-L
>
> Lizette
>
>
> > -----Original Message-----
> > From: IBM Mainframe Discussion List [mailto:[email protected]]
> > On Behalf Of Dazzo, Matt
> > Sent: Wednesday, February 24, 2016 12:36 PM
> > To: [email protected]
> > Subject: SSLv3 & SSLv3 - APAR OA47183, PTF UA75508
> >
> > After applying RSU maintenance to our zos1.13 sandbox system I have
> > run into a problem (that I expected from reading the hold data) with TN3270
> and SSL.
> > SSLv2 & 3 are now defaulted to off. All our tn3270 sessions are
> > configured to use ssl, I tested with TLS and they work fine. I'd like
> > to enable ssl3 until we can get all the tn3270 users changed over to tls on
> my terms.
> > * The PTF disabled SSL by default, but they can be enabled
> explicitly.
> >
> > According to the apar info it is possible to override the new default
> > (ssl
> > off) in 2 ways, one with environment variable and the other (not the
> > preferred
> > method) with RACF profiles. Any help in getting this resolved is
> appreciated.
> > Matt
> >
> > So far I have tried adding the below to /etc/profile export
> > GSK_PROTOCOL_SSLV3_ON export GSK_PROTOCOL_SSLV2_ON
> >
> > And add the below to my telnet profile, I still cannot connect using ssl.
> >
> > ENCRYPT
> > SSL_RC4_SHA
> > SSL_RC4_MD5
> > SSL_AES_256_SHA
> > SSL_AES_128_SHA
> > SSL_3DES_SHA
> > SSL_DES_SHA
> > SSL_RC4_MD5_EX
> > SSL_RC2_MD5_EX
> > SSL_NULL_SHA
> > SSL_NULL_MD5
> > SSL_NULL_Null
> > ENDENCRYPT
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN
