List: racf-l
Subject: FW: Cypher suite
From: Bob Bridges <robhbridges () GMAIL ! COM>
Date: 2017-09-07 18:16:05
Message-ID: 063701d32805$5f96eb30$1ec4c190$ () gmail ! com
Dan Rivera found he's unable to post to RACF-L and asks me to pass on the contributions he sent me privately:
---
Bob Bridges
robhbridges@gmail.com, cell 336 382-7313
rbridges@InfoSecInc.com
/* The horror of the Same Old Thing is one of the most valuable passions we have produced in the human heart -- an endless source of heresies in religion, folly in counsel, infidelity in marriage, and inconstancy in friendship. -advice to a tempter, from The Screwtape Letters by C S Lewis */
-----Original Message-----
From: Rivera, Dan [mailto:Dan_Rivera@unigroup.com]
Sent: Thursday, September 7, 2017 14:00
That's funny.
If netstat ttls did return anything, it could be because pagent isn't running...or pagent could be up, but TTLS isn't enabled in TCPIP.
So yeah, go ahead and see if TLS is even enabled in TCPIP: D TCPIP,,N,CONFIG
If TTLS is enabled, then look for this message in the TCPIP jes2 log:
EZZ4250I AT-TLS SERVICES ARE AVAILABLE FOR TCPIP
...also, go into SDSF and look for an address space called PAGENT*
Dan Rivera
UniGroup Tech Services
-----Original Message-----
From: Bob Bridges [mailto:robhbridges@gmail.com]
Sent: Thursday, September 07, 2017 12:46 PM
Thanks, Dan. NETSTAT says this:
MVS TCP/IP NETSTAT CS V2R2 TCPIP Name: TCPIP 17:28:20
TTLSGrpAction Group ID Conns
---------------------------------------- ----------------- -----
An empty listing, in other words. Does that mean there's no point in checking "the TCPIP address space"? Because I don't know how (I came into security from the developers rather than from the systems guys) - but I'm nowhere near tired of learning new things if I should.
-----Original Message-----
From: Rivera, Dan [mailto:Dan_Rivera@unigroup.com]
Sent: Thursday, September 7, 2017 13:26
Or issue the command D TCPIP,,N,CONFIG
...and see if TTLS is even enabled => TTLS: NO
If TTLS is enabled, then you can also use this command to see if pagent even knows about any groups: tso netstat TTLS group
-----Original Message-----
From: Rivera, Dan
Sent: Thursday, September 07, 2017 12:08 PM
Look at the TCPIP address space for the msg:
EZZ4250I AT-TLS SERVICES ARE AVAILABLE FOR TCPIP
...or try: tso netstat TTLS
-----Original Message-----
From: RACF Discussion List [mailto:RACF-L@LISTSERV.UGA.EDU] On Behalf Of Jim Taylor
Sent: Thursday, September 07, 2017 11:34 AM
Bob, the PAGENT config can be stored anywhere, even in a dataset - you should see if there is a PAGENT STC running first of all. If there is, have a look at what is specified there.
--- On 7 Sep 2017, 17:13 +0100, Bob Bridges <robhbridges@GMAIL.COM>, wrote:
> Another poster mentioned PAGENT too, specifying "/etc/pagent_TTLS.conf
> (or whatever include file is specified in /etc/pagent.conf)". I know
> just enough about OMVS to get in, find the /etc folder and do an ls
> command; nothing there named pa-anything. That would mean PAGENT isn't
> running, right?
>
> According to one source, the remaining determinant of available
> ciphers is the ENCRYPTION statement in the TN3270 parms. I found
> https://www.ibm.com/support/knowledgecenter/SSLTBW_2.1.0/com.ibm.zos.v2r1.halz001/telnetencryptionstatement.htm,
> and it says the available ciphers are:
>
> cipher_spec        Telnet Abbr   Cipher nbr
> ----------------   -----------   ----------
> SSL_RC4_SHA        4S            05
> SSL_RC4_MD5        4M            04
> SSL_AES_256_SHA    A2            35
> SSL_AES_128_SHA    A1            2F
> SSL_3DES_SHA       3S            0A
> SSL_DES_SHA        DS            09
> SSL_RC4_MD5_EX     4E            03
> SSL_RC2_MD5_EX     2E            06
> SSL_NULL_SHA       NS            02
> SSL_NULL_MD5       NM            01
> SSL_NULL_Null      NN            00
>
> I'm not willing to believe that without some strenuous reässurances; I
> figure there must be more encryption schemes available than that. Am I
> looking at the wrong manual, an old one perhaps?
>
> -----Original Message-----
> From: Sokolsky, Hayim Z.
> Sent: Wednesday, September 6, 2017 15:46
>
> PAGENT - policy agent, part of TCP/IP. It has its own config in which
> you define which cipher suites are acceptable. It is
> something that needs to be tuned occasionally to enable or disable
> cipher suites which should or should not be allowed in your environment.
>
> -----Original Message-----
> From: Mark Jacobs - Listserv
> Sent: Wednesday, September 6, 2017 14:47
>
> TCP/IP Configuration most likely. Check with your networking team.
>
> > --- Bob Bridges <mailto:robhbridges@GMAIL.COM> September 6, 2017 at 2:45 PM
> > I'm pretty sure this will turn out to have to do not with RACF but with
> > configuration in Telnet or something similar, but in ignorance I
> > start here: We're trying to get an upgraded version of our Telnet
> > emulator to do a handshake with the mainframe. A Wireshark analysis
> > says the following:
> >
> > /* Quote begins */
> > ....The Reflection client attempts to make a TLS 1.2 connection on
> > port 2024 and offers the following Cipher Suites (38 suites):
> > Cipher Suite: TLS_DH_DSS_WITH_AES_256_GCM_SHA384 (0x00a5)
> > Cipher Suite: TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 (0x00a3)
> > Cipher Suite: TLS_DH_RSA_WITH_AES_256_GCM_SHA384 (0x00a1)
> > Cipher Suite: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x009f)
> > Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x006b)
> > Cipher Suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 (0x006a)
> > Cipher Suite: TLS_DH_RSA_WITH_AES_256_CBC_SHA256 (0x0069)
> > Cipher Suite: TLS_DH_DSS_WITH_AES_256_CBC_SHA256 (0x0068)
> > Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
> > Cipher Suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA (0x0038)
> > Cipher Suite: TLS_DH_RSA_WITH_AES_256_CBC_SHA (0x0037)
> > Cipher Suite: TLS_DH_DSS_WITH_AES_256_CBC_SHA (0x0036)
> > Cipher Suite: TLS_RSA_WITH_AES_256_GCM_SHA384 (0x009d)
> > Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA256 (0x003d)
> > Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
> > Cipher Suite: TLS_DH_DSS_WITH_AES_128_GCM_SHA256 (0x00a4)
> > Cipher Suite: TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 (0x00a2)
> > Cipher Suite: TLS_DH_RSA_WITH_AES_128_GCM_SHA256 (0x00a0)
> > Cipher Suite: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x009e)
> > Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x0067)
> > Cipher Suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 (0x0040)
> > Cipher Suite: TLS_DH_RSA_WITH_AES_128_CBC_SHA256 (0x003f)
> > Cipher Suite: TLS_DH_DSS_WITH_AES_128_CBC_SHA256 (0x003e)
> > Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033)
> > Cipher Suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA (0x0032)
> > Cipher Suite: TLS_DH_RSA_WITH_AES_128_CBC_SHA (0x0031)
> > Cipher Suite: TLS_DH_DSS_WITH_AES_128_CBC_SHA (0x0030)
> > Cipher Suite: TLS_RSA_WITH_AES_128_GCM_SHA256 (0x009c)
> > Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA256 (0x003c)
> > Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
> > Cipher Suite: TLS_RSA_WITH_RC4_128_SHA (0x0005)
> > Cipher Suite: TLS_RSA_WITH_RC4_128_MD5 (0x0004)
> > Cipher Suite: TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x0016)
> > Cipher Suite: TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA (0x0013)
> > Cipher Suite: TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA (0x0010)
> > Cipher Suite: TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA (0x000d)
> > Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)
> > Cipher Suite: TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0x00ff)
> >
> > The Host then responds with a fatal Error:
> > Description: Handshake Failure (40)
> > Which stands for "No Cypher Overlap", meaning I do not have any
> > ciphers that match with the list you gave me so I cannot communicate
> > securely. This exchange is denoted in packets 16 and 17 of the
> > Wireshark trace...
> > /* Quote ends */
> >
> > My own belief is that this isn't something we can blame on the
> > client; it has to be something we need to configure differently on
> > the mainframe side. Probably not in RACF...but where? Someone who
> > knows, please point me to the relevant documentation.
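As an added example, not part of the thread and not an IBM tool: a short Python script that parses the Wireshark-style ClientHello cipher list quoted above and intersects it with the "Cipher nbr" column of the TN3270 ENCRYPTION table Bob quoted. It shows which suites the two sides could agree on if every entry of that table were enabled on the server, separates out the entries a defender would not leave enabled (NULL, DES/3DES, RC4, RC2 and the export suites), and reports whether the empty-intersection case that produces alert 40 (handshake_failure) would arise. The function names, regular expressions and the WEAK_MARKERS list are this example's own choices; the two sample strings are reconstructed from the thread. Which entries are actually enabled on a given host is decided by the TN3270 or AT-TLS configuration, not by this table.

```python
import re
from typing import Dict, List

# Constructed sample input: the 38 suites of the ClientHello quoted in the
# thread, in the "Cipher Suite: NAME (0xNNNN)" form Wireshark prints.
CLIENT_HELLO_DUMP = """
Cipher Suite: TLS_DH_DSS_WITH_AES_256_GCM_SHA384 (0x00a5) Cipher Suite: TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 (0x00a3)
Cipher Suite: TLS_DH_RSA_WITH_AES_256_GCM_SHA384 (0x00a1) Cipher Suite: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x009f)
Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x006b) Cipher Suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 (0x006a)
Cipher Suite: TLS_DH_RSA_WITH_AES_256_CBC_SHA256 (0x0069) Cipher Suite: TLS_DH_DSS_WITH_AES_256_CBC_SHA256 (0x0068)
Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039) Cipher Suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA (0x0038)
Cipher Suite: TLS_DH_RSA_WITH_AES_256_CBC_SHA (0x0037) Cipher Suite: TLS_DH_DSS_WITH_AES_256_CBC_SHA (0x0036)
Cipher Suite: TLS_RSA_WITH_AES_256_GCM_SHA384 (0x009d) Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA256 (0x003d)
Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035) Cipher Suite: TLS_DH_DSS_WITH_AES_128_GCM_SHA256 (0x00a4)
Cipher Suite: TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 (0x00a2) Cipher Suite: TLS_DH_RSA_WITH_AES_128_GCM_SHA256 (0x00a0)
Cipher Suite: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x009e) Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x0067)
Cipher Suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 (0x0040) Cipher Suite: TLS_DH_RSA_WITH_AES_128_CBC_SHA256 (0x003f)
Cipher Suite: TLS_DH_DSS_WITH_AES_128_CBC_SHA256 (0x003e) Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033)
Cipher Suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA (0x0032) Cipher Suite: TLS_DH_RSA_WITH_AES_128_CBC_SHA (0x0031)
Cipher Suite: TLS_DH_DSS_WITH_AES_128_CBC_SHA (0x0030) Cipher Suite: TLS_RSA_WITH_AES_128_GCM_SHA256 (0x009c)
Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA256 (0x003c) Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
Cipher Suite: TLS_RSA_WITH_RC4_128_SHA (0x0005) Cipher Suite: TLS_RSA_WITH_RC4_128_MD5 (0x0004)
Cipher Suite: TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x0016) Cipher Suite: TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA (0x0013)
Cipher Suite: TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA (0x0010) Cipher Suite: TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA (0x000d)
Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a) Cipher Suite: TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0x00ff)
"""

# Constructed sample input: the TN3270 ENCRYPTION cipher_spec table quoted in
# the thread. Its "Cipher nbr" column is the IANA cipher-suite code in hex, so
# it compares directly with the codes in the ClientHello (high byte 0x00).
TN3270_ENCRYPTION_TABLE = """
cipher_spec       Telnet Abbr  Cipher nbr
----------------  -----------  ----------
SSL_RC4_SHA       4S           05
SSL_RC4_MD5       4M           04
SSL_AES_256_SHA   A2           35
SSL_AES_128_SHA   A1           2F
SSL_3DES_SHA      3S           0A
SSL_DES_SHA       DS           09
SSL_RC4_MD5_EX    4E           03
SSL_RC2_MD5_EX    2E           06
SSL_NULL_SHA      NS           02
SSL_NULL_MD5      NM           01
SSL_NULL_Null     NN           00
"""

SUITE_RE = re.compile(r"\b(TLS_[A-Z0-9_]+)\s*\((0x[0-9a-fA-F]{4})\)")
ROW_RE = re.compile(r"^(SSL_[A-Za-z0-9_]+)\s+(\S+)\s+([0-9A-Fa-f]{2})$")
# Algorithm markers a defender would not leave enabled on the server:
# no encryption, single DES and 3DES, RC4, RC2 and the old export (_EX) suites.
WEAK_MARKERS = ("NULL", "_DES_", "3DES", "RC4", "RC2", "_EX")


def parse_client_hello(dump: str) -> List[int]:
    """Cipher-suite codes in the order the client offered them (its preference order)."""
    return [int(code, 16) for _, code in SUITE_RE.findall(dump)]


def parse_encryption_table(table: str) -> Dict[int, str]:
    """Map each 'Cipher nbr' to its cipher_spec name; header and rule lines are skipped."""
    rows = (ROW_RE.match(line.strip()) for line in table.splitlines())
    return {int(m.group(3), 16): m.group(1) for m in rows if m}


def is_weak(spec_name: str) -> bool:
    """True when the cipher_spec name carries one of the WEAK_MARKERS."""
    return any(marker in spec_name for marker in WEAK_MARKERS)


def negotiable(client_codes: List[int], server_table: Dict[int, str],
               exclude_weak: bool = False) -> List[int]:
    """Suites both sides could agree on, in client preference order.
    0x00FF is the renegotiation-info signalling value, not a real cipher."""
    return [c for c in client_codes
            if c != 0x00FF and c in server_table
            and not (exclude_weak and is_weak(server_table[c]))]


def diagnose(dump: str, table: str) -> Dict[str, object]:
    """Summarise whether this ClientHello against this server table ends in alert 40."""
    client = parse_client_hello(dump)
    server = parse_encryption_table(table)
    common = negotiable(client, server)
    strong = negotiable(client, server, exclude_weak=True)
    return {
        "offered": len(client),
        "common": [f"0x{c:04x} {server[c]}" for c in common],
        "strong_common": [f"0x{c:04x} {server[c]}" for c in strong],
        # handshake_failure (40) is what the server sends when 'common' is empty
        "handshake_failure_expected": not common,
    }


if __name__ == "__main__":
    for key, value in diagnose(CLIENT_HELLO_DUMP, TN3270_ENCRYPTION_TABLE).items():
        print(f"{key}: {value}")
```

Run against the two quoted lists, the script finds five suites in common (0x0035, 0x002f, 0x0005, 0x0004, 0x000a) and two that pass the weak-cipher filter (the AES_256 and AES_128 CBC/SHA pairs). An alert 40 in the trace therefore means the server's actual enabled subset does not include any of those five, which is exactly what the `D TCPIP,,N,CONFIG` and PAGENT checks discussed above are meant to establish.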