bvstone

V7R1 SSL Cipher Support - Another Interesting Journey, and Why I Want My AS/400 Back

Posted:

V7R1 SSL Cipher Support - Another Interesting Journey, and Why I Want My AS/400 Back

In my daily job of supporting thousands of customers all over the world with the software that I have available, I ran into an interesting issue with two customers in a row on the same day, and I'm sure more to follow.  

Each of them were using my GETURI software to communicate with servers over HTTPS.  But suddenly they started receiving the following error:

Error during SSL Handshake.  RC(-1) errno(0). There is no error.

Now, this error, if we look up the return code (which is -1), means SSL_ERROR_NO_CIPHERS.  Translated literally it means "Your system does not support the SSL ciphers in use by the server you are communicating with."

This was interesting, but not surprising.  I knew sooner or later it would happen.  SSL has been in a state of accelerated updates ever since the Heartbleed and other security holes have been found.  But in this case, The V7R1 Operating System doesn't have the newer ciphers in use by the servers that are slowly updating their SSL certificates.

What does this mean? According to IBM, it means you need to update your OS version to one that has the new ciphers (V7R2 or V7R3).  No big deal, right?  Not on paper, but anyone who's done an OS upgrade knows that it's not a simple task

Because V7R1 is still officially supported at this time, I was told that to get IBM to think about adding the fix to first create a Problem Management Report (PMR).  So, I did.  In the PMR I explained that updating the ciphers for V7R1 is necessary because it is halting business transactions with servers using the newer ciphers for SSL  Halting real "e-commerce"!  Something the platform is supposedly touted for (and I agree, it is a great machine!)

I was surprised to receive a quick response was to create a Request For Enhancement (RFE), which I did.  The RFE can then be voted on by others who feel it is a worthy cause.  At this time, we already have 37 votes (which seems like a lot since I couldn't find any others with more then 3 votes).

"Through the grapevine" I was then told that IBM has no plan on updating the ciphers for V7R1.  My immediate response was "if that's the case, why make us go through the PMR and RFE route?"

What I would rather love to tell a customer is "Yes, I understand and am familiar with the issue.  IBM, being the awesome company that they are, created this PTF you can apply to install the newer ciphers so your applications will again function!"

But, it looks like the politics of business are getting in the way.  Getting in the way of paying customers that require this update in order to function.  Without a solid answer, the customer will sit and wait for the PTF containing the cipher upgrade or a definite answer of NO in which case they can start planning the OS upgrade.  

It is odd, but I would accept "no" as the answer.  Just remember that means when I'm asked about this from one of my many customers in the future, my answer will be literally like throwing IBM under the bus for the problem in the first place.  "Yes, you need to do an OS upgrade if you want it to work.  That comes straight from IBM."

What I would rather love to tell a customer is "Yes, I understand and am familiar with the issue.  IBM, being the awesome company that they are, created this PTF you can apply to install the newer ciphers so your applications will again function!"

Of course we're also told that as long as the customer is on SWMA it's a free upgrade.  Well, that assumes a few things as well.

  1. They host their own hardware (many customers use cloud services or have other companies host their machines)
  2. Any other 3rd party software will not only function on the new OS version, but also won't require a "fee" to for the OS upgrade
  3. They have the time to shut down and do the upgrade.  Sure it sounds easy, but it's not "that" easy and can take a good weekend as well as days or weeks after chasing new bugs that may exist.

I admit that I'm probably being quite forceful about this.  That's because I value my customers and I will do anything to help them.  In this case, updating ciphers so they are current on a supported OS version doesn't sound out of the question.  And it appears most agree with this.

I will update this thread as new details emerge.  I have one customer looking into the OS version upgrade costs and hopefully they can share them.

But please, IBM, if you want your image with the IBM i to stay strong, go back to treating us like you did when it was an AS/400.  Either end support for V7R1 (which it's a little late for that now) or honor your commitment to your paying customers.  I know I would, and do.

 


Last edited 01/12/2017 at 14:57:38



Latest Posts:

MAILTOOL Updated to Allow G4GSMAIL as Option in Routers File MAILTOOL Updated to Allow G4GSMAIL as Option in Routers File
Posted by 3 days ago
BVSTools >> BVSTools Announcements >> eMail Tool (MAILTOOL) Specific Announcements
BVSTools Now Offers Interface with Infor's ION APIs BVSTools Now Offers Interface with Infor's ION APIs
Posted by May 15, 2020
BVSTools >> BVSTools Announcements
More V7R4 IFS File CCSID Issues and The Fix More V7R4 IFS File CCSID Issues and The Fix
Posted by March 4, 2020
IBM Power Systems >> (QGPL) IBM i
Error Retrieving IP Address by Name Error Retrieving IP Address by Name
Posted by February 25, 2020
BVSTools >> BVSTools Software Discussion
Logging jobs that hit an outq Logging jobs that hit an outq
Posted by February 13, 2020
Programming >> CL Programming
GreenTools for Google Apps (G4G) v12.60 Released with Shared Drive Features and More... GreenTools for Google Apps (G4G) v12.60 Released with Shared Drive Features and More...
Posted by February 4, 2020
BVSTools >> BVSTools Announcements >> GreenTools for G Suite (Google Apps) (G4G) Specific Announcements
Allowing Requests over Port 80 For SSL Validation (ie, Namecheap, etc) Allowing Requests over Port 80 For SSL Validation (ie, Namecheap, etc)
Posted by January 31, 2020
Programming >> Web Programming
GreenTools for Slack (G4SLK) v3.00 Released GreenTools for Slack (G4SLK) v3.00 Released
Posted by January 17, 2020
BVSTools >> BVSTools Announcements >> GreenTools for Slack (G4SLK) Specific Announcements
Calling a QSH Command from RPG Calling a QSH Command from RPG
Posted by December 26, 2019
Programming >> RPG Programming
SPLTOOL Print Range (PRTRNG) Function Updated to Handle Spooled Files up to 999,999,999 Pages SPLTOOL Print Range (PRTRNG) Function Updated to Handle Spooled Files up to 999,999,999 Pages
Posted by December 14, 2019
BVSTools >> BVSTools Announcements >> Spooled File Tools (SPLTOOL) Specific Announcements
GreenTools for Microsoft Apps (G4MS) Updated to v6.00 - Now Uses Microsoft Graph APIs GreenTools for Microsoft Apps (G4MS) Updated to v6.00 - Now Uses Microsoft Graph APIs
Posted by November 24, 2019
BVSTools >> BVSTools Announcements >> GreenTools for Microsoft Apps (G4MS) Specific Announcements
V7R4 Changes CCSID of Compressed File Using PASE JAR Command - Here's The Fix V7R4 Changes CCSID of Compressed File Using PASE JAR Command - Here's The Fix
Posted by November 21, 2019
IBM Power Systems >> (QGPL) IBM i
Using GETURI to Make OAuth 2.0 Requests - Custom Headers for Access Tokens Using GETURI to Make OAuth 2.0 Requests - Custom Headers for Access Tokens
Posted by November 11, 2019
BVSTools >> BVSTools Software Discussion >> Get URI (GETURI) Specific Discussion
GreenTools for Microsoft Apps (G4MS) v5.00 Released with Updated OneDrive Support and 3rd Party Functionality GreenTools for Microsoft Apps (G4MS) v5.00 Released with Updated OneDrive Support and 3rd Party Functionality
Posted by October 20, 2019
BVSTools >> BVSTools Announcements >> GreenTools for Microsoft Apps (G4MS) Specific Announcements
BVSTools is Now Running V7R4M0 BVSTools is Now Running V7R4M0
Posted by September 28, 2019
BVSTools >> BVSTools Announcements

Reply




Copyright 1983-2020 BVSTools
GreenBoard(v3) Powered by the eRPG SDK, MAILTOOL Plus!, GreenTools for Google Apps, jQuery, jQuery UI, BlockUI, CKEditor and running on the IBM i (AKA AS/400, iSeries, System i).