bvstone

V7R1 SSL Cipher Support - Another Interesting Journey, and Why I Want My AS/400 Back

In my daily job of supporting thousands of customers all over the world with the software that I have available, I ran into an interesting issue with two customers in a row on the same day, and I'm sure more to follow.  

Each of them was using my GETURI software to communicate with servers over HTTPS.  But suddenly they started receiving the following error:

Error during SSL Handshake.  RC(-1) errno(0). There is no error.

Now, this error, if we look up the return code (which is -1), means SSL_ERROR_NO_CIPHERS.  Translated literally it means "Your system does not support the SSL ciphers in use by the server you are communicating with."

This was interesting, but not surprising.  I knew sooner or later it would happen.  SSL has been in a state of accelerated updates ever since Heartbleed and other security holes were found.  But in this case, the V7R1 operating system doesn't have the newer ciphers in use by the servers that are slowly updating their SSL certificates.

What does this mean? According to IBM, it means you need to update your OS version to one that has the new ciphers (V7R2 or V7R3).  No big deal, right?  Not on paper, but anyone who's done an OS upgrade knows that it's not a simple task.

Because V7R1 is still officially supported at this time, I was told that to get IBM to think about adding the fix, I first had to create a Problem Management Report (PMR).  So, I did.  In the PMR I explained that updating the ciphers for V7R1 is necessary because it is halting business transactions with servers using the newer ciphers for SSL.  Halting real "e-commerce"!  Something the platform is supposedly touted for (and I agree, it is a great machine!)

I was surprised to receive a quick response, which was to create a Request For Enhancement (RFE), which I did.  The RFE can then be voted on by others who feel it is a worthy cause.  At this time, we already have 37 votes (which seems like a lot since I couldn't find any others with more than 3 votes).

"Through the grapevine" I was then told that IBM has no plan on updating the ciphers for V7R1.  My immediate response was "if that's the case, why make us go through the PMR and RFE route?"

What I would rather love to tell a customer is "Yes, I understand and am familiar with the issue.  IBM, being the awesome company that they are, created this PTF you can apply to install the newer ciphers so your applications will again function!"

But, it looks like the politics of business are getting in the way.  Getting in the way of paying customers that require this update in order to function.  Without a solid answer, the customer will sit and wait for the PTF containing the cipher upgrade or a definite answer of NO in which case they can start planning the OS upgrade.  

It is odd, but I would accept "no" as the answer.  Just remember that means when I'm asked about this from one of my many customers in the future, my answer will be literally like throwing IBM under the bus for the problem in the first place.  "Yes, you need to do an OS upgrade if you want it to work.  That comes straight from IBM."

What I would rather love to tell a customer is "Yes, I understand and am familiar with the issue.  IBM, being the awesome company that they are, created this PTF you can apply to install the newer ciphers so your applications will again function!"

Of course we're also told that as long as the customer is on SWMA it's a free upgrade.  Well, that assumes a few things as well.

  1. They host their own hardware (many customers use cloud services or have other companies host their machines)
  2. Any other 3rd party software will not only function on the new OS version, but also won't require a "fee" for the OS upgrade
  3. They have the time to shut down and do the upgrade.  Sure it sounds easy, but it's not "that" easy and can take a good weekend as well as days or weeks after chasing new bugs that may exist.

I admit that I'm probably being quite forceful about this.  That's because I value my customers and I will do anything to help them.  In this case, updating ciphers so they are current on a supported OS version doesn't sound out of the question.  And it appears most agree with this.

I will update this thread as new details emerge.  I have one customer looking into the OS version upgrade costs and hopefully they can share them.

But please, IBM, if you want your image with the IBM i to stay strong, go back to treating us like you did when it was an AS/400.  Either end support for V7R1 (which it's a little late for that now) or honor your commitment to your paying customers.  I know I would, and do.

 


Last edited 01/12/2017 at 14:57:38


