Forums >> IBM Power Systems >> (QGPL) IBM i >>
V7R1 SSL Cipher Support - Another Interesting Journey, and Why I Want My AS/400 Back



Posted:
bvstone

V7R1 SSL Cipher Support - Another Interesting Journey, and Why I Want My AS/400 Back

 
V7R1 SSL Cipher Support - Another Interesting Journey, and Why I Want My AS/400 Back

In my daily job of supporting thousands of customers all over the world with the software that I have available, I ran into an interesting issue with two customers in a row on the same day, and I'm sure more to follow.  

Each of them were using my GETURI software to communicate with servers over HTTPS.  But suddenly they started receiving the following error:

Error during SSL Handshake.  RC(-1) errno(0). There is no error.

Now, this error, if we look up the return code (which is -1), means SSL_ERROR_NO_CIPHERS.  Translated literally it means "Your system does not support the SSL ciphers in use by the server you are communicating with."

This was interesting, but not surprising.  I knew sooner or later it would happen.  SSL has been in a state of accelerated updates ever since the Heartbleed and other security holes have been found.  But in this case, The V7R1 Operating System doesn't have the newer ciphers in use by the servers that are slowly updating their SSL certificates.

What does this mean? According to IBM, it means you need to update your OS version to one that has the new ciphers (V7R2 or V7R3).  No big deal, right?  Not on paper, but anyone who's done an OS upgrade knows that it's not a simple task

Because V7R1 is still officially supported at this time, I was told that to get IBM to think about adding the fix to first create a Problem Management Report (PMR).  So, I did.  In the PMR I explained that updating the ciphers for V7R1 is necessary because it is halting business transactions with servers using the newer ciphers for SSL  Halting real "e-commerce"!  Something the platform is supposedly touted for (and I agree, it is a great machine!)

I was surprised to receive a quick response was to create a Request For Enhancement (RFE), which I did.  The RFE can then be voted on by others who feel it is a worthy cause.  At this time, we already have 37 votes (which seems like a lot since I couldn't find any others with more then 3 votes).

"Through the grapevine" I was then told that IBM has no plan on updating the ciphers for V7R1.  My immediate response was "if that's the case, why make us go through the PMR and RFE route?"

What I would rather love to tell a customer is "Yes, I understand and am familiar with the issue.  IBM, being the awesome company that they are, created this PTF you can apply to install the newer ciphers so your applications will again function!"

But, it looks like the politics of business are getting in the way.  Getting in the way of paying customers that require this update in order to function.  Without a solid answer, the customer will sit and wait for the PTF containing the cipher upgrade or a definite answer of NO in which case they can start planning the OS upgrade.  

It is odd, but I would accept "no" as the answer.  Just remember that means when I'm asked about this from one of my many customers in the future, my answer will be literally like throwing IBM under the bus for the problem in the first place.  "Yes, you need to do an OS upgrade if you want it to work.  That comes straight from IBM."

What I would rather love to tell a customer is "Yes, I understand and am familiar with the issue.  IBM, being the awesome company that they are, created this PTF you can apply to install the newer ciphers so your applications will again function!"

Of course we're also told that as long as the customer is on SWMA it's a free upgrade.  Well, that assumes a few things as well.

  1. They host their own hardware (many customers use cloud services or have other companies host their machines)
  2. Any other 3rd party software will not only function on the new OS version, but also won't require a "fee" to for the OS upgrade
  3. They have the time to shut down and do the upgrade.  Sure it sounds easy, but it's not "that" easy and can take a good weekend as well as days or weeks after chasing new bugs that may exist.

I admit that I'm probably being quite forceful about this.  That's because I value my customers and I will do anything to help them.  In this case, updating ciphers so they are current on a supported OS version doesn't sound out of the question.  And it appears most agree with this.

I will update this thread as new details emerge.  I have one customer looking into the OS version upgrade costs and hopefully they can share them.

But please, IBM, if you want your image with the IBM i to stay strong, go back to treating us like you did when it was an AS/400.  Either end support for V7R1 (which it's a little late for that now) or honor your commitment to your paying customers.  I know I would, and do.

 


Last edited 01/12/2017 at 14:57:38


Reply




Copyright 1983-2017 BVSTools
GreenBoard(v3) Powered by the eRPG SDK, MAILTOOL Plus!, GreenTools for Google Apps, jQuery, jQuery UI, BlockUI, CKEditor and running on the IBM i (AKA AS/400, iSeries, System i).