Dave, what statements did you add? Thanks

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:[email protected]] On Behalf Of Gibney, David Allen,Jr
Sent: Wednesday, February 24, 2016 3:12 PM
To: [email protected]
Subject: Re: SSLv3 & SSLv3 - APAR OA47183, PTF UA75508

When I hit a similar issue with z/OS 1.13, I was able to use SSLV3 in TELNETGLOBALS to revive it.

> -----Original Message-----
> From: IBM Mainframe Discussion List [mailto:[email protected]] On Behalf Of Dazzo, Matt
> Sent: Wednesday, February 24, 2016 12:08 PM
> To: [email protected]
> Subject: Re: SSLv3 & SSLv3 - APAR OA47183, PTF UA75508
>
> Yes, OA46489 is on (PTF UA75508).
>
> The error I get is a pop up window with
>
> Unable to establish secure socket
> error:1409443E:SSL routine:SSL3_READ_BYTES:tlsv1 alert protocol version
>
> The SSL handshake failed
>
> -----Original Message-----
> From: IBM Mainframe Discussion List [mailto:[email protected]] On Behalf Of Lizette Koehler
> Sent: Wednesday, February 24, 2016 2:43 PM
> To: [email protected]
> Subject: Re: SSLv3 & SSLv3 - APAR OA47183, PTF UA75508
>
> Also, according to OA47183 you may also need to install OA46489. Did that occur as well?
>
> APAR OA46489 fixed the problem it reported but introduced a
> new problem. We recommend OA46489 stay installed.
> Without OA46489, gsk_environment_open() would default to
> enable the SSL V2 and SSL V3 protocols. They would need to
> be disabled explicitly if they were not wanted.
> Once OA46489 is installed, these protocols are disabled by
> default, but they can be enabled explicitly.
>
> In either case, the default settings can be overridden by
> either environment variables (GSK_PROTOCOL_SSLV2 or
> GSK_PROTOCOL_SSLV3) or through a call to the
> gsk_attribute_set_enum() API specifying enumeration
> identifiers (GSK_PROTOCOL_SSLV2 or GSK_PROTOCOL_SSLV3).
>
> Users of applications requiring the use of SSL V2 or SSL V3
> will need to enable the support through environment
> variables, application configuration settings when available
> or through the use of AT-TLS to control the secure
> connections.
>
> The RACF/SAF checks resulting in the SMF 80 records were
> being used by System SSL to aid in the setting of the
> protocols.
>
> Lizette
>
>
> > -----Original Message-----
> > From: IBM Mainframe Discussion List [mailto:[email protected]] On Behalf Of Lizette Koehler
> > Sent: Wednesday, February 24, 2016 12:40 PM
> > To: [email protected]
> > Subject: Re: SSLv3 & SSLv3 - APAR OA47183, PTF UA75508
> >
> > Do you get any other error messages?
> > What symptoms (other than cannot connect) do you see?
> >
> > Have you joined the TCPIP List? If not, that might be another place to post this question.
> > To join, if you have not done so, use this
> > TCPIP To subscribe, send mail to [email protected] with the command (paste it!) in the e-mail message body:
> > SUBSCRIBE IBMTCP-L
> > Or this url and go to the bottom of the webpage:
> > https://urldefense.proofpoint.com/v2/url?u=http-3A__www2.marist.edu_htbin_wlvindex-3FIBMTCP-2DL&d=CwIFAg&c=C3yme8gMkxg_ihJNXS06ZyWk4EJm8LdrrvxQb-Je7sw&r=u9g8rUevBoyCPAdo5sWE9w&m=CRofWQTXXgb6KmHLlJrnSam05thoNHMdB_VOomVg_Eg&s=rOJ4DtKQqEFdifEvZGdeKipWsA9CngvYNfzKGylX--4&e=
> >
> > Lizette
> >
> >
> > > -----Original Message-----
> > > From: IBM Mainframe Discussion List [mailto:[email protected]] On Behalf Of Dazzo, Matt
> > > Sent: Wednesday, February 24, 2016 12:36 PM
> > > To: [email protected]
> > > Subject: SSLv3 & SSLv3 - APAR OA47183, PTF UA75508
> > >
> > > After applying RSU maintenance to our zos1.13 sandbox system I have run into a problem (that I expected from reading the hold data) with TN3270 and SSL.
> > > SSLv2 & 3 are now defaulted to off. All our tn3270 sessions are configured to use ssl, I tested with TLS and they work fine. I'd like to enable ssl3 until we can get all the tn3270 users changed over to tls on my terms.
> > > * The PTF disabled SSL by default, but they can be enabled explicitly.
> > >
> > > According to the apar info it is possible to override the new default (ssl off) in 2 ways, one with environment variable and the other (not the preferred method) with RACF profiles. Any help in getting this resolved is appreciated.
> > > Matt
> > >
> > > So far I have tried adding the below to /etc/profile
> > > export GSK_PROTOCOL_SSLV3_ON
> > > export GSK_PROTOCOL_SSLV2_ON
> > >
> > > And add the below to my telnet profile, I still cannot connect using ssl.
> > >
> > > ENCRYPT
> > > SSL_RC4_SHA
> > > SSL_RC4_MD5
> > > SSL_AES_256_SHA
> > > SSL_AES_128_SHA
> > > SSL_3DES_SHA
> > > SSL_DES_SHA
> > > SSL_RC4_MD5_EX
> > > SSL_RC2_MD5_EX
> > > SSL_NULL_SHA
> > > SSL_NULL_MD5
> > > SSL_NULL_Null
> > > ENDENCRYPT
>
> ----------------------------------------------------------------------
> For IBM-MAIN subscribe / signoff / archive access instructions, send
> email to [email protected] with the message: INFO IBM-MAIN
