Re: Help with switching an IP:PORT to TLS V1.2

2021-12-26 Thread Attila Fogarasi
You have to update the file /etc/pagent.ttls.conf to explicitly deactivate
SSL (specify SSLV3 Off).  Also TLS 1 and 1.1 are on by default and you
have to also specify 1.2 explicitly if you don't want the lower levels.
Also clients generally default to using SSL; for example Microsoft has
several different Windows registry settings that must be done to force TLS
1.2.  Not as clean as on z/OS, esp. for older Windows versions.
On z/OS, /etc/pagent.ttls.conf:

 TTLSEnvironmentAdvancedParms
 {
   ## TLSV1.2 only for z/OS 2.1 and higher
   TLSV1.2 On        # TLSv1 & TLSv1.1 are on by default
   SSLV3 Off         # disable SSLv3
 }

On Thu, Dec 23, 2021 at 5:00 AM Lizette Koehler wrote:

> I have an appl that needs to be TLSV1.2
>
> I updated PAGENT for this IP:PORT to only use TLS 1.2 and did a refresh
>
> I am being told that despite that it is using SSLV3
>
> How can I validate if the IP:PORT is using SSLV3 or TLS V1.2
>
> Lizette

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN


Re: Help with switching an IP:PORT to TLS V1.2

2021-12-25 Thread Phil Smith III
Lennie Dymoke-Bradshaw wrote:

> Maybe I am trying to teach my granny to suck eggs, but I think TLS includes
> the capability to fall back as far as SSLv3 if the other party does not
> support TLS. Could this be what you are seeing?

Ah, you're being much too logical. The short answer to your query is "No"
and/or "Not necessarily".

 

The way SSL/TLS connection setup typically works is that the client says
"Here are the ciphers AND PROTOCOLS I'm willing to let you, Mr. SSL/TLS
stack, use". Of course the stack can let that default, but the ones I've
seen (like IBM System SSL) don't. This surprised me when I learned it,
because I would have thought you could say "Use TLSv1 *or later*" and be done
with it, but no: we have to update our product each time a new TLS version
comes out, simply to tell System SSL "Yes, it's OK to use that protocol".

 

The result is that you can have a reasonably "modern" client and a
reasonably "modern" server that won't connect, because they don't have any
ciphers in common. It also means that no, things won't necessarily fall
back. Public web servers tend to support fallback (google.com will still do
SSLv3 if you force it to), but more tightly controlled client-server pairs
often do not.

 

And then there are a whole 'nother set of things that can be incompatible,
like servers that require SNI, and load balancers (I'm looking at you, F5)
that have options ("Unclean shutdown") that irritate System SSL. I suspect
that System SSL is more sensitive to these things than, say, OpenSSL for a
pair of reasons: first, because IBM probably implemented it following the
RFCs; and second, because System SSL has had less real-world exposure to
find out where the real world doesn't follow those.

 

I'm reminded of the mid-90s when I was apparently the only one on the planet
running a primary DNS using SQL/DS on VM/ESA. IBM implemented TTL per the
RFC, so TTL=0 meant no caching; apparently the rest of the world takes TTL=0
to mean "cache indefinitely". It's fuzzy at this distance but I think IBM
had to change their implementation. (And it's possible I'm describing the
problem wrong, again, 'cause it was a thousand years ago; I just remember
that we had a big problem until IBM fixed it to NOT follow the letter of the
RFC.)

 

The ubiquity of OpenSSL means it Just Works, so non-Z folks are sorta
spoiled here (in a good way: "Machines should work, people should think" and
all that).




Re: Help with switching an IP:PORT to TLS V1.2

2021-12-25 Thread Lennie Dymoke-Bradshaw
Maybe I am trying to teach my granny to suck eggs, but I think TLS includes the 
capability to fall back as far as SSLv3 if the other party does not support 
TLS. Could this be what you are seeing?

Lennie Dymoke-Bradshaw
https://rsclweb.com 
‘Dance like no one is watching. Encrypt like everyone is.’



Re: Help with switching an IP:PORT to TLS V1.2

2021-12-24 Thread Don Poitras
AT-TLS is mutually exclusive with applications that actually call SSL functions 
(OpenSSL, GSK, etc.). The "AT" part means "Application Transparent", i.e., the 
program just uses sockets and doesn't deal with encryption at all. There's no 
way to set TLS 1.2 until one answers the question as to what's actually being 
used.



Re: Help with switching an IP:PORT to TLS V1.2

2021-12-24 Thread John S. Giltner, Jr.
If you have access to OpenSSL you can issue the command:

 openssl s_client -showcerts -connect address:port -ssl3 < /dev/null

If SSLv3 is not supported, the 1st line returned will end with "SSL alert number 70" or "SSL 
alert number 40".  If it is supported you will see the certs.

You can change -ssl3 to -tls1_2 to verify that it is supporting TLS V1.2.

Rocket Software has a port of OpenSSL that will run on z/OS, or you can get it 
for Linux.  Not sure if there is a Windows version, but I run it under Cygwin 
on Windows.



Re: Help with switching an IP:PORT to TLS V1.2

2021-12-23 Thread kekronbekron
Plus, I remember there are some environment variables that must be set for things 
like this.
At least that's what I've seen in LDAPS, for example.
GSK_SSL_something type variables to tune, turn off, or allow only specific 
SSL/TLS versions, or ciphers.

- KB



Re: Help with switching an IP:PORT to TLS V1.2

2021-12-23 Thread Don Poitras
If the hello packets from both the client and the server indicate TLS 1.2, then 
that's what's being used. If you could get "them" to specifically say what 
"behaving like SSLV3" means, then perhaps you'd get a better response here.



Re: Help with switching an IP:PORT to TLS V1.2

2021-12-23 Thread Matthew Stitt
Are you sure the SSL options are turned off, leaving only the TLSV12 option on?

Matthew



Re: Help with switching an IP:PORT to TLS V1.2

2021-12-23 Thread Lizette Koehler
We have done the Packet trace.  It was not conclusive.

Only showed that TLS V1.2 is being used.  However, some were thinking that was 
not true since the connection (according to them) was behaving like SSLV3, 
whatever that means.

Lizette



Re: Help with switching an IP:PORT to TLS V1.2

2021-12-23 Thread Don Poitras
You could also just do a packet trace. Send the output to Wireshark. It can 
format all the TLS handshaking traffic. The question I'd have, given the 
original description, is whether AT-TLS is being used at all. Perhaps the 
program is using OpenSSL or GSK?

https://www.ibm.com/support/pages/how-capture-and-format-ssl-component-trace
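As an added illustration of what the hello packets in such a trace carry (example code, not from this list or from IBM), here is a small parser for the ServerHello record, which is where the server states the version it actually selected: 0x0300 means SSLv3, 0x0303 means TLSv1.2. It also handles the TLS 1.3 case, where the legacy version field still reads TLSv1.2 and the real answer sits in the supported_versions extension; the sample records are constructed by build_server_hello(), not captured traffic.

```python
# Added example (not code from the IBM-MAIN thread or from IBM): read the
# negotiated protocol version out of a ServerHello record, the first
# server-to-client record a packet trace shows.  Samples are constructed.
import os
import struct

VERSION_NAMES = {0x0300: "SSLv3", 0x0301: "TLSv1.0", 0x0302: "TLSv1.1",
                 0x0303: "TLSv1.2", 0x0304: "TLSv1.3"}
HANDSHAKE, SERVER_HELLO, EXT_SUPPORTED_VERSIONS = 0x16, 0x02, 43


def build_server_hello(legacy_version, cipher_suite, extensions=b""):
    """Construct a minimal ServerHello record (test input, not real traffic)."""
    hs = struct.pack("!H", legacy_version) + os.urandom(32)  # version, random
    hs += b"\x00"                                            # empty session id
    hs += struct.pack("!HB", cipher_suite, 0)                # suite, null compression
    if extensions:
        hs += struct.pack("!H", len(extensions)) + extensions
    body = bytes([SERVER_HELLO]) + len(hs).to_bytes(3, "big") + hs
    return bytes([HANDSHAKE]) + struct.pack("!HH", legacy_version, len(body)) + body


def parse_server_hello(record):
    """Return the versions and cipher suite a ServerHello carries.  Raises
    ValueError on anything malformed, so a truncated or non-handshake record
    is reported as unreadable rather than as some protocol version."""
    if len(record) < 5 or record[0] != HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    record_version, length = struct.unpack("!HH", record[1:5])
    body = record[5:5 + length]
    if len(body) != length or body[0] != SERVER_HELLO:
        raise ValueError("truncated record or not a ServerHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hs = body[4:4 + hs_len]
    if len(hs) != hs_len or hs_len < 38:
        raise ValueError("truncated ServerHello")
    legacy_version = struct.unpack("!H", hs[:2])[0]
    pos = 2 + 32 + 1 + hs[34]                   # skip random and session id
    if pos + 3 > hs_len:
        raise ValueError("session id overruns message")
    cipher_suite = struct.unpack("!H", hs[pos:pos + 2])[0]
    pos += 3                                    # cipher suite + compression method
    negotiated = legacy_version
    if pos + 2 <= hs_len:                       # extensions are optional (SSLv3 has none)
        ext_len = struct.unpack("!H", hs[pos:pos + 2])[0]
        pos, end = pos + 2, min(pos + 2 + ext_len, hs_len)
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", hs[pos:pos + 4])
            pos += 4
            if etype == EXT_SUPPORTED_VERSIONS and elen == 2 and pos + 2 <= end:
                # TLS 1.3 leaves legacy_version at 0x0303; the selected
                # version is carried here instead (RFC 8446, section 4.1.3).
                negotiated = struct.unpack("!H", hs[pos:pos + 2])[0]
            pos += elen
    return {"record_version": VERSION_NAMES.get(record_version, hex(record_version)),
            "legacy_version": VERSION_NAMES.get(legacy_version, hex(legacy_version)),
            "negotiated": VERSION_NAMES.get(negotiated, hex(negotiated)),
            "cipher_suite": "0x%04X" % cipher_suite}


if __name__ == "__main__":
    samples = {
        "SSLv3 server": build_server_hello(0x0300, 0x000A),
        "TLS 1.2 server": build_server_hello(0x0303, 0xC02F),
        "TLS 1.3 server": build_server_hello(
            0x0303, 0x1301, struct.pack("!HHH", EXT_SUPPORTED_VERSIONS, 2, 0x0304)),
    }
    for name, rec in samples.items():
        print(name, "->", parse_server_hello(rec)["negotiated"])
```

Feed it the bytes Wireshark shows for the ServerHello record (Export Packet Bytes) to get the same answer the "Version" field in the dissector gives.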



Re: Help with switching an IP:PORT to TLS V1.2

2021-12-23 Thread Andrew Rowley

On 23/12/2021 5:27 pm, kekronbekron wrote:

> IBM would like you to use zERT, I reckon...
> The poor man's way is obviously diving into SMF.

I thought zERT is a free function in TCP/IP? I agree it is probably the 
best way to find this information.

zERT writes SMF records; IBM provides functions using DB2 and z/OSMF to 
report on the data.

I also added reports to EasySMF; there is more information and examples 
of the results here:

https://www.blackhillsoftware.com/news/2021/03/23/the-easy-way-to-view-zert-smf-data/

--

Andrew Rowley
Black Hill Software



Re: Help with switching an IP:PORT to TLS V1.2

2021-12-22 Thread kekronbekron
IBM would like you to use zERT, I reckon...
The poor man's way is obviously diving into SMF.

- KB



Re: Help with switching an IP:PORT to TLS V1.2

2021-12-22 Thread Tom Brennan

I meant using *.sh for the URL of a shell script.
Clicking on the link made me think for a second that would download and 
start running it :)



Re: Help with switching an IP:PORT to TLS V1.2

2021-12-22 Thread Phil Smith III
Tom Brennan wrote:

> Thanks... I need to give that a try too.  I'm already impressed with
> their clever use of Saint Helena for the URL.

OK, I feel stoopid: Huh?

 

Doesn't appear anyone has ported testssl to z/OS, not that that's
necessarily hard (nor is it necessarily easy). This tool also appears to go
against a host, which doesn't help with an application connection. Kevin's
suggestion of netstat will work if you can catch it while it's failing to
connect (hint: I think that's gonna be hard).




Re: Help with switching an IP:PORT to TLS V1.2

2021-12-22 Thread Tom Brennan
Thanks... I need to give that a try too.  I'm already impressed with 
their clever use of Saint Helena for the URL.



Re: Help with switching an IP:PORT to TLS V1.2

2021-12-22 Thread Neubert, Kevin
Did something similar a year ago.

Believe I looked at SMF119AP_LSSP.

Maybe a quicker option...

Netstat COnn with something like a POrt filter will show the 4 character cipher 
number.

Regards,

Kevin



Re: Help with switching an IP:PORT to TLS V1.2

2021-12-22 Thread Mark Regan
One tool I've used in the past is testssl


https://testssl.sh/
Testing TLS/SSL encryption: testssl.sh is a free command-line tool which
checks a server's service on any port for the support of TLS/SSL ciphers,
protocols as well as recent cryptographic flaws and more.

Regards,

Mark Regan, K8MTR, EN80tg
CTO1 USNR-Retired (1969-1991)
Nationwide Insurance, Retired, 1986-2017
z/OS Network Software Consultant
Contractor, Checks & Balances, Inc.
Email: marktre...@gmail.com
LinkedIn:   https://www.linkedin.com/in/mark-t-regan
