TLS Protocol

Posted: Mon Dec 06, 2021 8:53 pm
by dstrawn
How do you change the TLS version in the https_init procedure or does it just work with 1.0?

Re: TLS Protocol

Posted: Mon Dec 06, 2021 9:07 pm
by Scott Klement
Normally, it automatically negotiates the best TLS version and ciphers to use -- you don't have to set anything. Instead, configure the versions you would like to support in the IBM i system values.

On the other hand, if you don't want to force a specific connection to only use particular versions, you can do that with https_init. I would recommend this, because it will require changes to your programs periodically (the old versions get phased out, and new versions get phased in... better to set this in system values where it can be configured for everything in one place.)

But, if you must... there's an indicator for each version, you can turn them on/off:

      https_init( *blanks      // App ID
                : *off         // SSLv2 -- not considered secure, anymore.
                : *off         // SSLv3 -- not considered secure, anymore.
                : *off         // TLSv1 -- weak security, but better than nothing
                : *on          // TLSv1.1 -- okay... for old sites
                : *on          // TLSv1.2 -- pretty good
                : *on);        // TLSv1.3 -- best
Make sure your HTTPAPI is up to date, and see the comments about https_init() in HTTPAPI_H for details.

Re: TLS Protocol

Posted: Tue Dec 07, 2021 9:40 pm
by dstrawn
Scott,
the https_init prototype in HTTPAPI_H only has 3 parms in the version we have...
     D https_init      PR            10I 0
     D  peAppID                     100A   const
     D  peSSLv2                       1N   const options(*nopass)
     D  peSSLv3                       1N   const options(*nopass)
     D  peTLSv1                       1N   const options(*nopass)
Do we have a really old version?

When calling it we have the parms set as follows:
     C                   eval      rc = https_init(APP_ID : *Off : *On :
     C                                             *Off)
Will the *Off setting for TLS effectively default to whatever we have configured in the IBM i system?

Re: TLS Protocol

Posted: Wed Dec 08, 2021 3:11 am
by Scott Klement
Yes, you have an old version...

No, setting it to *OFF won't tell it to use the system value. Setting it *OFF disables that protocol.
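The system-value route Scott recommends above, as an added illustration that is not from this thread or from HTTPAPI: it assumes the QSSLPCL system value (the IBM i SSL/TLS protocol list) and a profile that is authorized to run CHGSYSVAL.

```cl
/* Added example (not from the thread): inspect and restrict the IBM i   */
/* TLS protocol list instead of hard-coding versions in https_init().    */

/* Show what the system currently allows. *OPSYS means the release's     */
/* default set, which on some releases still includes TLSv1.0.            */
DSPSYSVAL  SYSVAL(QSSLPCL)

/* Restrict every TLS consumer on the system, including HTTPAPI jobs      */
/* that leave the https_init() indicators at their defaults, to TLSv1.2   */
/* and TLSv1.3. Remember that *OFF in https_init() disables a protocol    */
/* outright; it does not defer to this list.                              */
CHGSYSVAL  SYSVAL(QSSLPCL) VALUE('*TLSV1.3 *TLSV1.2')

/* Jobs that already initialized a TLS environment may keep the old list  */
/* until they are restarted; check with DSPSYSVAL afterwards.             */
DSPSYSVAL  SYSVAL(QSSLPCL)
```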

Re: TLS Protocol

Posted: Wed Dec 08, 2021 2:16 pm
by dstrawn
Got it! Thanks!