bvstone

V7R1 SSL Cipher Support - Another Interesting Journey, and Why I Want My AS/400 Back

In my daily job of supporting thousands of customers all over the world with the software that I have available, I ran into an interesting issue with two customers in a row on the same day, and I'm sure more to follow.  

Each of them was using my GETURI software to communicate with servers over HTTPS. But suddenly they started receiving the following error:

Error during SSL Handshake.  RC(-1) errno(0). There is no error.

Now, this error, if we look up the return code (which is -1), means SSL_ERROR_NO_CIPHERS.  Translated literally it means "Your system does not support the SSL ciphers in use by the server you are communicating with."

This was interesting, but not surprising. I knew sooner or later it would happen. SSL has been in a state of accelerated updates ever since Heartbleed and other security holes were found. But in this case, the V7R1 operating system doesn't have the newer ciphers in use by the servers that are slowly updating their SSL certificates.

What does this mean? According to IBM, it means you need to update your OS version to one that has the new ciphers (V7R2 or V7R3). No big deal, right? Not on paper, but anyone who's done an OS upgrade knows that it's not a simple task.

Because V7R1 is still officially supported at this time, I was told that to get IBM to think about adding the fix I first had to create a Problem Management Report (PMR). So, I did. In the PMR I explained that updating the ciphers for V7R1 is necessary because it is halting business transactions with servers using the newer ciphers for SSL. Halting real "e-commerce"! Something the platform is supposedly touted for (and I agree, it is a great machine!).

I was surprised to receive a quick response, which was to create a Request For Enhancement (RFE), which I did. The RFE can then be voted on by others who feel it is a worthy cause. At this time, we already have 37 votes (which seems like a lot since I couldn't find any others with more than 3 votes).

"Through the grapevine" I was then told that IBM has no plans to update the ciphers for V7R1. My immediate response was "if that's the case, why make us go through the PMR and RFE route?"

What I would rather love to tell a customer is "Yes, I understand and am familiar with the issue.  IBM, being the awesome company that they are, created this PTF you can apply to install the newer ciphers so your applications will again function!"

But, it looks like the politics of business are getting in the way.  Getting in the way of paying customers that require this update in order to function.  Without a solid answer, the customer will sit and wait for the PTF containing the cipher upgrade or a definite answer of NO in which case they can start planning the OS upgrade.  

It is odd, but I would accept "no" as the answer.  Just remember that means when I'm asked about this from one of my many customers in the future, my answer will be literally like throwing IBM under the bus for the problem in the first place.  "Yes, you need to do an OS upgrade if you want it to work.  That comes straight from IBM."

What I would rather love to tell a customer is "Yes, I understand and am familiar with the issue.  IBM, being the awesome company that they are, created this PTF you can apply to install the newer ciphers so your applications will again function!"

Of course we're also told that as long as the customer is on SWMA it's a free upgrade.  Well, that assumes a few things as well.

  1. They host their own hardware (many customers use cloud services or have other companies host their machines)
  2. Any other 3rd party software will not only function on the new OS version, but also won't require a "fee" for the OS upgrade
  3. They have the time to shut down and do the upgrade.  Sure it sounds easy, but it's not "that" easy and can take a good weekend as well as days or weeks after chasing new bugs that may exist.

I admit that I'm probably being quite forceful about this.  That's because I value my customers and I will do anything to help them.  In this case, updating ciphers so they are current on a supported OS version doesn't sound out of the question.  And it appears most agree with this.

I will update this thread as new details emerge.  I have one customer looking into the OS version upgrade costs and hopefully they can share them.

But please, IBM, if you want your image with the IBM i to stay strong, go back to treating us like you did when it was an AS/400.  Either end support for V7R1 (which it's a little late for that now) or honor your commitment to your paying customers.  I know I would, and do.

 


Last edited 01/12/2017 at 14:57:38



Copyright 1983-2018 BVSTools