[some content trimmed for brevity]
On 08/31/2016 12:21 PM, Marcy Cortes wrote:
> Yes, it does have crypto defined and does need it.
> The httpd process is WebSphere IHS. It is getting good hits on the crypto
> HW, but enough of these to make us wonder.
> We're trying to diagnose a very intermittent flurry of SSL failures. They
> don't correlate with these messages, but we'd still like to figure out what
> it is complaining about.

I've been hearing about "intermittent SSL failures" in another context a lot lately. It could possibly be cipher suite selection between client and server and have nothing to do with crypto libraries or co-processors.

The whole thing is one monstrous moving target. Specifically in recent years, SSLv3 fell out of favor, and now TLS 1.0 and even TLS 1.1 are kind of "we gotta get off of those and onto TLS 1.2". The risks are real, but often small and unlikely, and sometimes grossly unlikely.

So what happens is older SSL clients try to connect with newer SSL servers and the handshake fails. (Or the other way around: newer SSL clients and older SSL servers.) The differences are mostly in the hash+symmetric+asymmetric combo chosen. During the handshake, client and server agree on the best "suite" of those common to both parties. If either end doesn't like any of those the other party can handle, the handshake fails. Goodbye!

But I'm only guessing. What exactly are the errors you get during these intermittent SSL failure flurries?

Side note: I'm using "SSL" and "TLS" interchangeably in this conversation because they're the same basic tech. Some people get bent out of shape: "I meant TLS! Don't talk about that old SSL crap!" On the wire, TLS 1.0 announces itself as SSL 3.1, TLS 1.1 as SSL 3.2, TLS 1.2 as SSL 3.3. There's a really cool record structure in the protocol starting with SSL 3.0.
-- R; <><

----------------------------------------------------------------------
For LINUX-390 subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO LINUX-390 or visit
http://www.marist.edu/htbin/wlvindex?LINUX-390
----------------------------------------------------------------------
For more information on Linux on System z, visit
http://wiki.linuxvm.org/
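As an added illustration (not part of the message above or of the list archive), the negotiation the reply describes: a ClientHello is parsed off the wire, its version bytes are mapped to the SSL 3.x / TLS 1.x names, and server-preference suite selection fails when the client's list and the server's list share nothing. The cipher-suite codes are real IANA values; the ClientHello bytes are constructed here.

```python
import struct

# TLS 1.x is carried as SSL 3.x on the wire; map the two version bytes to the names.
VERSIONS = {(3, 0): "SSLv3", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}

# A handful of real IANA cipher-suite codes, enough to show a negotiation.
SUITES = {
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x009C: "TLS_RSA_WITH_AES_128_GCM_SHA256",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
}

def build_client_hello(version, suites):
    """Construct a minimal ClientHello record (constructed sample: zero random, no extensions)."""
    body = bytes(version) + b"\x00" * 32 + b"\x00"          # client_version, random, empty session id
    body += struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                                     # one compression method: null
    hs = b"\x01" + len(body).to_bytes(3, "big") + body      # handshake type 1 = ClientHello
    return b"\x16" + bytes(version) + struct.pack("!H", len(hs)) + hs  # record type 0x16 = handshake

def parse_client_hello(record):
    """Pull record version, client version and the offered suites out of a ClientHello record."""
    ctype, rmaj, rmin, _rlen = struct.unpack("!BBBH", record[:5])
    if ctype != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello handshake record")
    body = record[9:9 + int.from_bytes(record[6:9], "big")]
    cver = (body[0], body[1])
    pos = 34 + 1 + body[34]                                 # skip 32-byte random and the session id
    nsuites = struct.unpack("!H", body[pos:pos + 2])[0] // 2
    suites = list(struct.unpack("!%dH" % nsuites, body[pos + 2:pos + 2 + 2 * nsuites]))
    return {"record_version": VERSIONS.get((rmaj, rmin), "unknown"),
            "client_version": VERSIONS.get(cver, "unknown"),
            "cipher_suites": suites}

def select_suite(offered, server_suites):
    """Server-preference selection: first server suite the client also offers, else None (handshake fails)."""
    for s in server_suites:
        if s in offered:
            return s
    return None

if __name__ == "__main__":
    server = [0xC02F, 0x009C, 0x002F]                       # a server already moved off RC4/3DES
    for hello in (build_client_hello((3, 1), [0x0005, 0x000A]),
                  build_client_hello((3, 3), [0xC02F, 0x002F, 0x000A])):
        info = parse_client_hello(hello)
        chosen = select_suite(info["cipher_suites"], server)
        print(info["client_version"], "->", SUITES[chosen] if chosen else "no common suite, handshake fails")
```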
