NPfister

Pinned topic IHS 5.3 and Windows 7

‏2011-12-08T19:46:04Z |
Hello,

We are using IHS 5.3, running on z/OS 1.13 (eventually we will move to IHS 7, but at the moment, for Production, this is not an option for us). What I am wondering is if anyone has had luck getting Windows 7 to connect to an IHS 5.3 server using SSL authentication. Currently we only allow for three cipher suites: 34, 35, and 3A. Windows 7 does not support (as far as I can tell) these cipher suites. Does IHS 5.3 support any of the TLS_xxx_xxx cipher suites?

3A - SSL_RSA_WITH_3DES_EDE_CBC_SHA
35 - SSL_RSA_WITH_RC4_128_SHA
34 - SSL_RSA_WITH_RC4_128_MD5

There are TLS equivalents of those aforementioned cipher suites, so those would be the ideal ones to know if IHS supports.

Any help is appreciated, and I thank you in advance.
  • Sunit

    Re: IHS 5.3 and Windows 7

    ‏2011-12-09T18:45:55Z  
    3A Triple DES SHA (192/168 bit)
    35 RC4 SHA (128 bit)
    34 RC4 MD5 (128 bit)

    These three are part of SSL V3 Cypher spec. Make sure that the browser you are using allows you to use SSL V3. It looks like your browser (most likely IE) is configured to not allow SSL V2 and V3. This is easily fixed on the Internet options -> advanced tab.

    • Sunit
  • NPfister

    Re: IHS 5.3 and Windows 7

    ‏2011-12-12T12:59:13Z  
    I guess the main problem here is our browsers (which are controlled by our LAN folks) are not set up to allow anything other than TLS for security reasons. So I guess the better question would be does IHS 5.3 support TLS?
  • Sunit

    Re: IHS 5.3 and Windows 7

    ‏2011-12-12T14:53:46Z  
    That is an interesting issue. Most organizations allow both SSL V3 and TLS on the browser side and make a determination of cypher specs at the server end based on the encryption levels desired by the sensitivity of the data transmitted. This is because TLS itself is based on SSL V3. But then that is a discussion for a different thread and forum.

    According to the IHS 5.3 z/OS manual, the following are the only supported cypher specs -

    North American edition (U.S. and Canada)
    SSL V2:
    27 Triple DES (192/168 bit)
    21 RC4 (128 bit)
    23 RC2 (128 bit)
    26 DES (64/56 bit)
    22 RC4 (40 bit)
    24 RC2 (40 bit)

    SSL V3:
    335 AES (256 bit)
    Note: For z/OS Version 1 Release 4 and later releases
    32F AES (128 bit)
    Note: For z/OS Version 1 Release 4 and later releases
    3A Triple DES SHA (192/168 bit)
    35 RC4 SHA (128 bit)
    34 RC4 MD5 (128 bit)
    39 DES SHA (64/56 bit)
    33 RC4 MD5 (40 bit)
    36 RC2 MD5 (40 bit)
    32 NULL SHA
    31 NULL MD5
    30 NULL NULL
    Note: Cipher specifications 32, 31, and 30 are standard SSL cipher specifications. However, they do not cause the data to be encrypted, and therefore do not provide data security. We only recommend them for debugging purposes.
    • Sunit
  • NPfister

    Re: IHS 5.3 and Windows 7

    ‏2011-12-12T14:58:53Z  
    Thanks.

    That's what I thought. I had seen the documentation stating those cipher suites, but was not sure if I was missing something somewhere that talked about TLS. Apparently I did not miss anything, and TLS is indeed unsupported.

    I also assume that there are probably no plans of incorporating TLS support into IHS 5.3.

    Looks like that upgrade to IHS 7 we've been aiming to do needs to come a little quicker.

    Thank you again for your replies.
  • Sunit

    Re: IHS 5.3 and Windows 7

    ‏2012-02-22T16:47:01Z  
    Take a look at APAR PK53555
    https://www-304.ibm.com/support/docview.wss?uid=isg1PK53555

    I think this PTF allows you to enable TLS with the three Cipher Specs.

    • Sunit
  • NPfister

    Re: IHS 5.3 and Windows 7

    ‏2012-02-22T18:18:12Z  
    My issue with any of the Ciphers that are available is that they don't match up to what is enabled for our network. Those ciphers I had enabled are SSLv3 Ciphers, although they work with TLS, they don't match what Windows sees (rather than start with SSL_ Windows starts them with TLS_ and they don't match.)

    I tried coding SSLCipherSpec 3A 35 36 T1, but had no luck (that PTF is installed).

    I have IHS 7 installed and running, so it's no big deal any more.
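
An added example, not part of any post in this thread: on the wire a cipher suite is a two-byte code point, and the `SSL_` and `TLS_` spellings of a name refer to the same one, so server and client lists are best compared by code point. The mapping from IHS 5.3 codes to IANA code points is an assumption derived from the manual descriptions quoted above (only 3A, 35 and 34 are given with full names in the thread), and the client offer list is constructed.

```python
# IHS 5.3 SSL V3 cipher spec code -> (IANA code point, name without SSL_/TLS_ prefix).
# Assumed mapping, derived from the manual excerpt quoted in this thread.
IHS_V3 = {
    "30": (0x0000, "NULL_WITH_NULL_NULL"),
    "31": (0x0001, "RSA_WITH_NULL_MD5"),
    "32": (0x0002, "RSA_WITH_NULL_SHA"),
    "33": (0x0003, "RSA_EXPORT_WITH_RC4_40_MD5"),
    "34": (0x0004, "RSA_WITH_RC4_128_MD5"),
    "35": (0x0005, "RSA_WITH_RC4_128_SHA"),
    "36": (0x0006, "RSA_EXPORT_WITH_RC2_CBC_40_MD5"),
    "39": (0x0009, "RSA_WITH_DES_CBC_SHA"),
    "3A": (0x000A, "RSA_WITH_3DES_EDE_CBC_SHA"),
    "32F": (0x002F, "RSA_WITH_AES_128_CBC_SHA"),
    "335": (0x0035, "RSA_WITH_AES_256_CBC_SHA"),
}
BY_SUFFIX = {name: cp for cp, name in IHS_V3.values()}
# Substrings of a suite name that mark it as weak, with the reason reported.
WEAK = {"NULL": "no encryption", "EXPORT": "export-grade key", "RC4": "RC4",
        "WITH_DES_": "single DES", "MD5": "MD5 MAC"}

def code_point(name):
    """Wire code point for a suite name; the SSL_/TLS_ prefix is ignored."""
    suffix = name.split("_", 1)[1] if name.startswith(("SSL_", "TLS_")) else name
    return BY_SUFFIX.get(suffix)

def audit(directive, client_offer):
    """For each spec on an SSLCipherSpec line: (code, point, shared, weaknesses)."""
    offered = {code_point(n) for n in client_offer}
    rows = []
    for code in directive.split()[1:]:
        if code.upper() not in IHS_V3:
            rows.append((code, None, False, ["not in the quoted SSL V3 list"]))
            continue
        cp, name = IHS_V3[code.upper()]
        flags = [why for key, why in WEAK.items() if key in name]
        rows.append((code, cp, cp in offered, flags))
    return rows

# Directive as written in the post above; the client offer is constructed sample data.
DIRECTIVE = "SSLCipherSpec 3A 35 36 T1"
CLIENT_OFFER = ["TLS_RSA_WITH_AES_128_CBC_SHA",
                "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
                "TLS_RSA_WITH_RC4_128_SHA"]

if __name__ == "__main__":
    for row in audit(DIRECTIVE, CLIENT_OFFER):
        print(row)
```

A spec that shows as shared here can still fail to negotiate when the two sides have no protocol version in common, which is a separate check from the cipher list.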
  • Sunit

    Re: IHS 5.3 and Windows 7

    ‏2012-02-22T18:33:43Z  
    Have you changed the sslmode directive to multi? This is required.

    • Sunit
  • NPfister

    Re: IHS 5.3 and Windows 7

    ‏2012-02-22T19:53:36Z  
    I'm not sure that when I had tried coding the T1 that I had that enabled. I would have to look through my old conf files, if they haven't been deleted.

    We're live on IHS 7 now, so my IHS 5.3 stuff has been disappearing on me.