Yes, OA46489 is on (PTF UA75508). The error I get is a pop up window with
Unable to establish secure socket error:1409443E:SSL routine:SSL3_READ_BYTES:tlsv1 alert protocol version The SSL handshake failed -----Original Message----- From: IBM Mainframe Discussion List [mailto:[email protected]] On Behalf Of Lizette Koehler Sent: Wednesday, February 24, 2016 2:43 PM To: [email protected] Subject: Re: SSLv3 & SSLv3 - APAR OA47183, PTF UA75508 Also, according to OA47183 you may also need to install OA46489. Did that occur as well? APAR OA46489 fixed the problem it reported but introduced a new problem. We recommend OA46489 stay installed. Without OA46489, gsk_environment_open() would default to enable the SSL V2 and SSL V3 protocols. They would need to be disabled explicitly if they were not wanted. Once OA46489 is installed, these protocols are disabled by default, but they can be enabled explicitly. In either case, the default settings can be overriden by either environment variables (GSK_PROTOCOL_SSLV2 or GSK_PROTOCOL_SSLV3) or through a call to the gsk_attribute_set_enum() API specifying enumeration identifiers (GSK_PROTOCOL_SSLV2 or GSK_PROTOCOL_SSLV3). Users of applications requiring the use of SSL V2 or SSL V3 will need to enable the support through environment variables, application configuration settings when available or through the use of AT-TLS to control the secure connections. The RACF/SAF checks resulting in the SMF 80 records were being used by System SSL to aid in the setting of the protocols. Lizette > -----Original Message----- > From: IBM Mainframe Discussion List [mailto:[email protected]] > On Behalf Of Lizette Koehler > Sent: Wednesday, February 24, 2016 12:40 PM > To: [email protected] > Subject: Re: SSLv3 & SSLv3 - APAR OA47183, PTF UA75508 > > Do you get any other error messages? > What symptoms (other than cannot connect) do you see? > > Have you joined the TCPIP List? If not, that might another place to > post this question. > To join, if you have not done so, use this > TCPIP To subscribe, send mail to [email protected] with the > command (paste it!) in the e-mail message body: > SUBSCRIBE IBMTCP-L > Or this url and go to the bottom of the webpage: > http://www2.marist.edu/htbin/wlvindex?IBMTCP-L > > Lizette > > > > -----Original Message----- > > From: IBM Mainframe Discussion List > > [mailto:[email protected]] On Behalf Of Dazzo, Matt > > Sent: Wednesday, February 24, 2016 12:36 PM > > To: [email protected] > > Subject: SSLv3 & SSLv3 - APAR OA47183, PTF UA75508 > > > > After applying RSU maintenance to our zos1.13 sandbox system I have > > run into a problem (that I expected from reading the hold data) with > > TN3270 > and SSL. > > SSLv2 & 3 are now defaulted to off. All our tn3270 sessions are > > configured to use ssl, I tested with TLS and they work fine. I'd > > like to enable ssl3 until we can get all the tn3270 users changed > > over to tls on > my terms. > > * The PTF disabled SSL by default, but they can be enabled > explicitly. > > > > According to the apar info it is possible to override the new > > default (ssl > > off) in 2 ways, one with environment variable and the other (not the > > preferred > > method) with RACF profiles. Any help in getting this resolved is > appreciated. > > Matt > > > > So far I have tried adding the below to /etc/profile export > > GSK_PROTOCOL_SSLV3_ON export GSK_PROTOCOL_SSLV2_ON > > > > And add the below to my telnet profile, I still cannot connect using ssl. > > > > ENCRYPT > > SSL_RC4_SHA > > SSL_RC4_MD5 > > SSL_AES_256_SHA > > SSL_AES_128_SHA > > SSL_3DES_SHA > > SSL_DES_SHA > > SSL_RC4_MD5_EX > > SSL_RC2_MD5_EX > > SSL_NULL_SHA > > SSL_NULL_MD5 > > SSL_NULL_Null > > ENDENCRYPT ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [email protected] with the message: INFO IBM-MAIN ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [email protected] with the message: INFO IBM-MAIN
