Discussion:
IBM MQ, SSL and the PODLE Attack
Potkay, Peter M (CTO Architecture + Engineering)
2014-10-20 16:46:59 UTC
This just came out from IBM on how MQ is impacted by POODLE:

http://www-01.ibm.com/support/docview.wss?uid=swg21687433&myns=swgws&mynp=OCSSFKSJ&mync=E


Still waiting for the WMB TechNote on POODLE.



Peter Potkay

************************************************************
This communication, including attachments, is for the exclusive use of addressee and may contain proprietary, confidential and/or privileged information. If you are not the intended recipient, any use, copying, disclosure, dissemination or distribution is strictly prohibited. If you are not the intended recipient, please notify the sender immediately by return e-mail, delete this communication and destroy all copies.
************************************************************

To unsubscribe, write to LISTSERV-0lvw86wZMd9k/bWDasg6f+***@public.gmane.org and,
in the message body (not the subject), write: SIGNOFF MQSERIES
Instructions for managing your mailing list subscription are provided in
the Listserv General Users Guide available at http://www.lsoft.com
Archive: http://listserv.meduniwien.ac.at/archives/mqser-l.html
Istvan M.
2014-10-20 18:23:23 UTC
Hello List,

I've been waiting for this technote, really, we suspected that enabling
SSLFIPS with a good cipher (TLS_RSA_WITH_AES_256_CBC_SHA for example, good
for distributed, Z and i platforms) will eliminate this problem.
Now it's official. Tomorrow I'll test it. I assume Broker is also affected
(seems no exceptions, everything is affected if it uses SSLv3).

--
Üdvözlettel / Best regards,
Melich István / Istvan Melich

Istvan M.
2014-10-21 17:48:11 UTC
Hello List,

just tested on Linux with a small script provided by RedHat.

QMNAME(QM1V701) SSLFIPS(NO)
-bash-4.1$ ./poodle.sh
127.0.0.1:1414 - Vulnerable! SSLv3 connection established using SSLv3/AES128-SHA

QMNAME(QM1V701) SSLFIPS(YES)
-bash-4.1$ ./poodle.sh
127.0.0.1:1414 - Not vulnerable. Failed to establish SSLv3 connection.

poodle.sh: https://access.redhat.com/articles/1232123 at "attachments"

So enabling FIPS mode really solves this vulnerability.
--
Best regards / Üdvözlettel,
MELICH, István

Neil Casey
2014-10-21 20:58:26 UTC
Hi,

thanks for your work, and for publishing the results.

I would just like to ask: what was the cipher spec defined in the channel?

Successfully establishing an MQ channel requires more than just the SSL session. The negotiated cipher has to match the SSLCIPH value too.

Regards,

Neil Casey.
Potkay, Peter M (CTO Architecture + Engineering)
2014-10-21 21:19:41 UTC
Would it be accurate to say: if your QM is running with SSLFIPS(YES), you are not vulnerable to POODLE, but you do not necessarily need to be SSL FIPS compliant to remediate the POODLE attack?

Peter Potkay

d***@public.gmane.org
2014-10-21 23:34:12 UTC
yes, AFAIK you just need to use a TLS cipherspec

Tim Zielke
2014-10-22 01:00:54 UTC
It looks like POODLE has caused the security community to put the fork in SSL. We just have TLS from here on out, for “secure” MQ ciphers.

Istvan M.
2014-10-22 13:07:29 UTC
Hello,

actually, need or don't need, it depends on the environment where you want
to use the new cipherspec, if you check this page:
http://www-01.ibm.com/support/knowledgecenter/SSFKSJ_7.0.1/com.ibm.mq.csqzas.doc/sy12870_.htm?cp=SSFKSJ_7.0.1%2F0-19-6-16-0
the TLS cipherspecs with "no fips mode required" are not available for all
platforms, for example:
TLS_RSA_WITH_NULL_SHA256 is only for Windows and un*x
TLS_RSA_WITH_DES_CBC_SHA is not available on z/OS
TLS_RSA_WITH_RC4_128_MD5 is only for i5/OS

If you want to use the cipherspec which is available for distributed, Z and
i, these are:
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
Both need FIPS mode. As our MQ peers run on distributed, Z and i, the above
two are what we can choose.

If you're lucky and don't deal with all, then you can choose other
cipherspecs.

Regarding TLS_RSA_WITH_AES_256_CBC_SHA, note: this CipherSpec cannot be used
to secure a connection from the WebSphere MQ Explorer to a queue manager
unless the appropriate unrestricted policy files are applied to the JRE
used by the Explorer.

This is also true for Java clients that come through SVRCONN channels; we found
the Java policy files have to be updated on the client app side to use this
cipherspec on server conn. channels.
--
Best regards / Üdvözlettel,
MELICH, István
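
An added example, not part of any post in this thread and not IBM's code: the poodle.sh probe tests only the listener's handshake, while the questions raised here are about what each channel's SSLCIPH and the queue manager's SSLFIPS are set to, so this Python script audits runmqsc output for both. Assumptions: the output layout shown in the constructed sample, made-up channel names and verdict labels, and the naming heuristic that CipherSpecs beginning TLS_ or ECDHE_ are TLS while other names are SSL 3.0 (confirm against IBM's CipherSpec table for your MQ version).

```python
import re

# Constructed sample of runmqsc output for the two commands echoed in it.
# QM1V701 is the queue manager from the thread; the channel names are made up.
SAMPLE_MQSC = """\
     1 : DISPLAY QMGR SSLFIPS
AMQ8408: Display Queue Manager details.
   QMNAME(QM1V701)                         SSLFIPS(NO)
     2 : DISPLAY CHANNEL(*) CHLTYPE SSLCIPH
AMQ8414: Display Channel details.
   CHANNEL(QM1.TO.QM2)                     CHLTYPE(SDR)
   SSLCIPH(TRIPLE_DES_SHA_US)
AMQ8414: Display Channel details.
   CHANNEL(APP1.SVRCONN)                   CHLTYPE(SVRCONN)
   SSLCIPH(TLS_RSA_WITH_AES_256_CBC_SHA)
AMQ8414: Display Channel details.
   CHANNEL(LEGACY.SVRCONN)                 CHLTYPE(SVRCONN)
   SSLCIPH(TLS_RSA_WITH_DES_CBC_SHA)
AMQ8414: Display Channel details.
   CHANNEL(SYSTEM.DEF.SVRCONN)             CHLTYPE(SVRCONN)
   SSLCIPH( )
"""

ATTR = re.compile(r"([A-Z0-9]+)\(([^)]*)\)")   # KEYWORD(value) pairs
ECHO = re.compile(r"\s*\d+ : ")                # runmqsc echo of the typed command
TLS_PREFIXES = ("TLS_", "ECDHE_")              # assumption: naming heuristic
WEAK_TOKENS = {"NULL", "DES"}                  # the kinds the thread calls weak


def parse_mqsc(text):
    """Return one attribute dict per AMQnnnn response block."""
    records, current = [], None
    for line in text.splitlines():
        if ECHO.match(line):
            # The echoed command contains CHANNEL(*); do not let it leak
            # into the previous response block.
            current = None
        elif line.startswith("AMQ"):
            current = {}
            records.append(current)
        elif current is not None:
            for key, value in ATTR.findall(line):
                current[key] = value.strip()
    return records


def classify(cipherspec, fips):
    """Map one SSLCIPH value to a verdict (labels are this example's own)."""
    name = cipherspec.upper()
    if not name:
        return "PLAINTEXT"              # blank SSLCIPH: channel uses no SSL/TLS
    if not name.startswith(TLS_PREFIXES):
        # The test in the thread showed the SSLv3 handshake being refused
        # under SSLFIPS(YES), so the channel needs a new CipherSpec either way.
        return "SSLV3_REFUSED_BY_FIPS" if fips else "SSLV3_EXPOSED"
    if set(name.split("_")) & WEAK_TOKENS:
        return "TLS_WEAK"               # TLS protocol, but NULL or single DES
    return "TLS"


def audit(text):
    """Return (channel, cipherspec, verdict) for every channel in the output."""
    records = parse_mqsc(text)
    # If SSLFIPS was not displayed, treat it as NO (the conservative reading).
    fips = any(r.get("SSLFIPS") == "YES" for r in records)
    return [
        (r["CHANNEL"], r.get("SSLCIPH", ""), classify(r.get("SSLCIPH", ""), fips))
        for r in records
        if "CHANNEL" in r
    ]


if __name__ == "__main__":
    for channel, spec, verdict in audit(SAMPLE_MQSC):
        print(f"{channel:22} {spec or '(blank)':32} {verdict}")
```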

Istvan M.
2014-10-22 13:20:18 UTC
Permalink
Hello Peter,

Right, please find my comments on this matter in my other mail. Btw, I
think it's not a good idea to choose a weak, TLS but not-FIPS cipherspec,
such as TLS_RSA_WITH_DES_CBC_SHA, or *NULL* ciphers. After Heartbleed and
POODLE, companies started focusing on security, sooner or later FIPS will
be mandatory.

On Tue, Oct 21, 2014 at 11:19 PM, Potkay, Peter M (CTO Architecture +
Post by Potkay, Peter M (CTO Architecture + Engineering)
Would it be accurate to say
If your QM is running with SSLFIPS(YES) you
are not vulnerable to POODLE, but you do not necessarily need to be SSL
FIPS compliant to remediate the POODLE attack.
*Peter Potkay *
Behalf Of *Neil Casey
*Sent:* Tuesday, October 21, 2014 4:58 PM
*Subject:* Re: IBM MQ, SSL and the PODLE Attack
Hi,
thanks for your work, and for publishing the results.
I would just like to ask
 what was the cipher spec defined in the channel?
Successfully establishing an MQ channel requires more than just the SSL
session. The negotiated cipher has to match the SSLCIPH value too.
Regards,
Neil Casey.
Hello List,
just tested on Linux with a small script provided by RedHat.
QMNAME(QM1V701) SSLFIPS(NO)
-bash-4.1$ ./poodle.sh
127.0.0.1:1414 - Vulnerable! SSLv3 connection established using
SSLv3/AES128-SHA
QMNAME(QM1V701) SSLFIPS(YES)
-bash-4.1$ ./poodle.sh
127.0.0.1:1414 - Not vulnerable. Failed to establish SSLv3 connection.
poodle.sh: https://access.redhat.com/articles/1232123 at "attachments"
So enabling FIPS mode really solves this vulnerability.
Hello List,
I've been waiting for this technote, really, we suspected that enabling
SSLFIPS with a good cipher (TLS_RSA_WITH_AES_256_CBC_SHA for example, good
for distributed, Z and i platforms) will eliminate this problem.
Now it's official. Tomorrow I'll test it. I assume Broker is also affected
(seems no exceptions, everything is affected if it uses SSLv3).
On Mon, Oct 20, 2014 at 6:46 PM, Potkay, Peter M (CTO Architecture +
http://www-01.ibm.com/support/docview.wss?uid=swg21687433&myns=swgws&mynp=OCSSFKSJ&mync=E
Still waiting for the WMB TechNote on POODLE.
*Peter Potkay *
--
Üdvözlettel / Best regards,
Melich István / Istvan Melich
--
Best regards / Üdvözlettel,
MELICH, István
--
Best regards / Üdvözlettel,
MELICH, István

Potkay, Peter M (CTO Architecture + Engineering)
2014-10-22 14:17:45 UTC
Permalink
Thanks Istvan for the link to that Red Hat Poodle test script. Very useful for testing internal facing MQ ports (and WMB, DataPower, etc).

For external facing ports (DataPower XG45, MQIPT), this site has a very thorough tester:
https://www.ssllabs.com/ssltest/



Peter Potkay

From: MQSeries List [mailto:***@LISTSERV.MEDUNIWIEN.AC.AT] On Behalf Of Istvan M.
Sent: Wednesday, October 22, 2014 9:20 AM
To: ***@LISTSERV.MEDUNIWIEN.AC.AT
Subject: Re: IBM MQ, SSL and the PODLE Attack

Hello Peter,

Right, please find my comments on this matter in my other mail. Btw, I think it's not a good idea to choose a weak, TLS but not-FIPS cipherspec, such as TLS_RSA_WITH_DES_CBC_SHA, or *NULL* ciphers. After Heartbleed and POODLE, companies started focusing on security, sooner or later FIPS will be mandatory.

On Tue, Oct 21, 2014 at 11:19 PM, Potkay, Peter M (CTO Architecture + Engineering) <***@thehartford.com<mailto:***@thehartford.com>> wrote:
Would it be accurate to say
If your QM is running with SSLFIPS(YES) you are not vulnerable to POODLE, but you do not necessarily need to be SSL FIPS compliant to remediate the POODLE attack.

Peter Potkay

From: MQSeries List [mailto:***@LISTSERV.MEDUNIWIEN.AC.AT<mailto:***@LISTSERV.MEDUNIWIEN.AC.AT>] On Behalf Of Neil Casey
Sent: Tuesday, October 21, 2014 4:58 PM
To: ***@LISTSERV.MEDUNIWIEN.AC.AT<mailto:***@LISTSERV.MEDUNIWIEN.AC.AT>
Subject: Re: IBM MQ, SSL and the PODLE Attack

Hi,

thanks for your work, and for publishing the results.

I would just like to ask
 what was the cipher spec defined in the channel?

Successfully establishing an MQ channel requires more than just the SSL session. The negotiated cipher has to match the SSLCIPH value too.

Regards,

Neil Casey.


On 22 Oct 2014, at 4:48 am, Istvan M. <***@GMAIL.COM<mailto:***@GMAIL.COM>> wrote:

Hello List,

just tested on Linux with a small script provided by RedHat.

QMNAME(QM1V701) SSLFIPS(NO)
-bash-4.1$ ./poodle.sh
127.0.0.1:1414 - Vulnerable! SSLv3 connection established using SSLv3/AES128-SHA

QMNAME(QM1V701) SSLFIPS(YES)
-bash-4.1$ ./poodle.sh
127.0.0.1:1414 - Not vulnerable. Failed to establish SSLv3 connection.

poodle.sh: https://access.redhat.com/articles/1232123 at "attachments"

So enabling FIPS mode really solves this vulnerability.

On Mon, Oct 20, 2014 at 8:23 PM, Istvan M. <***@gmail.com<mailto:***@gmail.com>> wrote:
Hello List,

I've been waiting for this technote, really, we suspected that enabling SSLFIPS with a good cipher (TLS_RSA_WITH_AES_256_CBC_SHA for example, good for distributed, Z and i platforms) will eliminate this problem.
Now it's official. Tomorrow I'll test it. I assume Broker is also affected (seems no exceptions, everything is affected if it uses SSLv3).

On Mon, Oct 20, 2014 at 6:46 PM, Potkay, Peter M (CTO Architecture + Engineering) <***@thehartford.com<mailto:***@thehartford.com>> wrote:
This just came out from IBM on how MQ is impacted by POODLE:

http://www-01.ibm.com/support/docview.wss?uid=swg21687433&myns=swgws&mynp=OCSSFKSJ&mync=E


Still waiting for the WMB TechNote on POODLE.



Peter Potkay

--
Üdvözlettel / Best regards,
Melich István / Istvan Melich
--
Best regards / Üdvözlettel,
MELICH, István

--
Best regards / Üdvözlettel,
MELICH, István

Istvan M.
2014-10-22 13:08:40 UTC
Permalink
Hello Neil,

I set up TLS_RSA_WITH_AES_256_CBC_SHA on the channels.
Post by Neil Casey
Hi,
thanks for your work, and for publishing the results.
I would just like to ask
 what was the cipher spec defined in the channel?
Successfully establishing an MQ channel requires more than just the SSL
session. The negotiated cipher has to match the SSLCIPH value too.
Regards,
Neil Casey.
Hello List,
just tested on Linux with a small script provided by RedHat.
QMNAME(QM1V701) SSLFIPS(NO)
-bash-4.1$ ./poodle.sh
127.0.0.1:1414 - Vulnerable! SSLv3 connection established using
SSLv3/AES128-SHA
QMNAME(QM1V701) SSLFIPS(YES)
-bash-4.1$ ./poodle.sh
127.0.0.1:1414 - Not vulnerable. Failed to establish SSLv3 connection.
poodle.sh: https://access.redhat.com/articles/1232123 at "attachments"
So enabling FIPS mode really solves this vulnerability.
Post by Istvan M.
Hello List,
I've been waiting for this technote, really, we suspected that enabling
SSLFIPS with a good cipher (TLS_RSA_WITH_AES_256_CBC_SHA for example, good
for distributed, Z and i platforms) will eliminate this problem.
Now it's official. Tomorrow I'll test it. I assume Broker is also
affected (seems no exceptions, everything is affected if it uses SSLv3).
On Mon, Oct 20, 2014 at 6:46 PM, Potkay, Peter M (CTO Architecture +
Post by Potkay, Peter M (CTO Architecture + Engineering)
http://www-01.ibm.com/support/docview.wss?uid=swg21687433&myns=swgws&mynp=OCSSFKSJ&mync=E
Still waiting for the WMB TechNote on POODLE.
*Peter Potkay *
--
Üdvözlettel / Best regards,
Melich István / Istvan Melich
--
Best regards / Üdvözlettel,
MELICH, István
--
Best regards / Üdvözlettel,
MELICH, István

David Awerbuch (BLOOMBERG/ 120 PARK)
2014-10-22 13:21:34 UTC
Permalink
Is there a definitive list of the TLS cipherspecs?

We are running 7.5 mgrs, our connection partners are running server 8.0, 7.5, 7.1, 7.0, and a few are still at 6.0.
Customer client versions are across the spectrum.

Thanks.
Dave

----- Original Message -----
From: ***@LISTSERV.MEDUNIWIEN.AC.AT
To: ***@LISTSERV.MEDUNIWIEN.AC.AT
At: Oct 21 2014 21:01:14



It looks like POODLE has caused the security community to put the fork in SSL. We just have TLS from here on out, for “secure” MQ ciphers.


From: MQSeries List [mailto:***@LISTSERV.MEDUNIWIEN.AC.AT] On Behalf Of ***@COMCAST.NET
Sent: Tuesday, October 21, 2014 6:34 PM
To: ***@LISTSERV.MEDUNIWIEN.AC.AT
Subject: Re: IBM MQ, SSL and the PODLE Attack


yes, AFAIK you just need to use a TLS cipherspec



From: "Peter M Potkay (CTO Architecture + Engineering)" <***@THEHARTFORD.COM>
To: ***@LISTSERV.MEDUNIWIEN.AC.AT
Sent: Tuesday, October 21, 2014 5:19:41 PM
Subject: Re: IBM MQ, SSL and the PODLE Attack


Would it be accurate to say
If your QM is running with SSLFIPS(YES) you are not vulnerable to POODLE, but you do not necessarily need to be SSL FIPS compliant to remediate the POODLE attack.


Peter Potkay


From: MQSeries List [mailto:***@LISTSERV.MEDUNIWIEN.AC.AT] On Behalf Of Neil Casey
Sent: Tuesday, October 21, 2014 4:58 PM
To: ***@LISTSERV.MEDUNIWIEN.AC.AT
Subject: Re: IBM MQ, SSL and the PODLE Attack

Hi,



thanks for your work, and for publishing the results.



I would just like to ask
 what was the cipher spec defined in the channel?



Successfully establishing an MQ channel requires more than just the SSL session. The negotiated cipher has to match the SSLCIPH value too.



Regards,



Neil Casey.






On 22 Oct 2014, at 4:48 am, Istvan M. <***@GMAIL.COM> wrote:


Hello List,



just tested on Linux with a small script provided by RedHat.



QMNAME(QM1V701) SSLFIPS(NO)

-bash-4.1$ ./poodle.sh

127.0.0.1:1414 - Vulnerable! SSLv3 connection established using SSLv3/AES128-SHA



QMNAME(QM1V701) SSLFIPS(YES)

-bash-4.1$ ./poodle.sh

127.0.0.1:1414 - Not vulnerable. Failed to establish SSLv3 connection.



poodle.sh: https://access.redhat.com/articles/1232123 at "attachments"



So enabling FIPS mode really solves this vulnerability.



On Mon, Oct 20, 2014 at 8:23 PM, Istvan M. <***@gmail.com> wrote:

Hello List,



I've been waiting for this technote, really, we suspected that enabling SSLFIPS with a good cipher (TLS_RSA_WITH_AES_256_CBC_SHA for example, good for distributed, Z and i platforms) will eliminate this problem.

Now it's official. Tomorrow I'll test it. I assume Broker is also affected (seems no exceptions, everything is affected if it uses SSLv3).



On Mon, Oct 20, 2014 at 6:46 PM, Potkay, Peter M (CTO Architecture + Engineering) <***@thehartford.com> wrote:

This just came out from IBM on how MQ is impacted by POODLE:

http://www-01.ibm.com/support/docview.wss?uid=swg21687433&myns=swgws&mynp=OCSSFKSJ&mync=E


Still waiting for the WMB TechNote on POODLE.



Peter Potkay

--
Üdvözlettel / Best regards,
Melich István / Istvan Melich



--


Best regards / Üdvözlettel,
MELICH, István





<< "Once the game is over, the king and the pawn go back into the same box." - Anon >>

Tim Zielke
2014-10-22 13:43:25 UTC
Permalink
My understanding is that any cipher that uses the TLS protocol would remediate POODLE. I used the MQ v8 manual which lists what protocol (i.e. SSL v3, TLS 1.0, TLS 1.2) the cipher is using -> http://www-01.ibm.com/support/knowledgecenter/#!/SSFKSJ_8.0.0/com.ibm.mq.sec.doc/q014260_copy.htm.

As Istvan mentioned, it would be better to also choose a TLS cipher that is also FIPS compliant. The IBM MQ security bulletin for POODLE tells you which TLS ciphers are not FIPS compliant -> http://www-01.ibm.com/support/docview.wss?uid=swg21687433&myns=swgws&mynp=OCSSFKSJ&mync=E

This is my understanding of POODLE based on the research I have done. POODLE (Padding Oracle on Downgraded Legacy Encryption) is a new security vulnerability on SSL v3. Padding Oracle is the method to do the security breach. Downgraded Legacy Encryption is SSL v3. Since SSL v3 is no longer supported, the security community has basically “pulled the plug” on SSL v3.


From: MQSeries List [mailto:***@LISTSERV.MEDUNIWIEN.AC.AT] On Behalf Of David Awerbuch (BLOOMBERG/ 120 PARK)
Sent: Wednesday, October 22, 2014 8:22 AM
To: ***@LISTSERV.MEDUNIWIEN.AC.AT
Subject: Re: IBM MQ, SSL and the PODLE Attack

Is there a definitive list of the TLS cipherspecs?

We are running 7.5 mgrs, our connection partners are running server 8.0, 7.5, 7.1, 7.0, and a few are still at 6.0.
Customer client versions are across the spectrum.

Thanks.
Dave
----- Original Message -----
From: ***@LISTSERV.MEDUNIWIEN.AC.AT<mailto:***@LISTSERV.MEDUNIWIEN.AC.AT>
To: ***@LISTSERV.MEDUNIWIEN.AC.AT<mailto:***@LISTSERV.MEDUNIWIEN.AC.AT>
At: Oct 21 2014 21:01:14
It looks like POODLE has caused the security community to put the fork in SSL. We just have TLS from here on out, for “secure” MQ ciphers.

From: MQSeries List [mailto:***@LISTSERV.MEDUNIWIEN.AC.AT] On Behalf Of ***@COMCAST.NET<mailto:***@COMCAST.NET>
Sent: Tuesday, October 21, 2014 6:34 PM
To: ***@LISTSERV.MEDUNIWIEN.AC.AT<mailto:***@LISTSERV.MEDUNIWIEN.AC.AT>
Subject: Re: IBM MQ, SSL and the PODLE Attack

yes, AFAIK you just need to use a TLS cipherspec

________________________________
From: "Peter M Potkay (CTO Architecture + Engineering)" <***@THEHARTFORD.COM<mailto:***@THEHARTFORD.COM>>
To: ***@LISTSERV.MEDUNIWIEN.AC.AT<mailto:***@LISTSERV.MEDUNIWIEN.AC.AT>
Sent: Tuesday, October 21, 2014 5:19:41 PM
Subject: Re: IBM MQ, SSL and the PODLE Attack

Would it be accurate to say
If your QM is running with SSLFIPS(YES) you are not vulnerable to POODLE, but you do not necessarily need to be SSL FIPS compliant to remediate the POODLE attack.

Peter Potkay

From: MQSeries List [mailto:***@LISTSERV.MEDUNIWIEN.AC.AT] On Behalf Of Neil Casey
Sent: Tuesday, October 21, 2014 4:58 PM
To: ***@LISTSERV.MEDUNIWIEN.AC.AT<mailto:***@LISTSERV.MEDUNIWIEN.AC.AT>
Subject: Re: IBM MQ, SSL and the PODLE Attack

Hi,

thanks for your work, and for publishing the results.

I would just like to ask
 what was the cipher spec defined in the channel?

Successfully establishing an MQ channel requires more than just the SSL session. The negotiated cipher has to match the SSLCIPH value too.

Regards,

Neil Casey.


On 22 Oct 2014, at 4:48 am, Istvan M. <***@GMAIL.COM<mailto:***@GMAIL.COM>> wrote:

Hello List,

just tested on Linux with a small script provided by RedHat.

QMNAME(QM1V701) SSLFIPS(NO)
-bash-4.1$ ./poodle.sh
127.0.0.1:1414 - Vulnerable! SSLv3 connection established using SSLv3/AES128-SHA

QMNAME(QM1V701) SSLFIPS(YES)
-bash-4.1$ ./poodle.sh
127.0.0.1:1414 - Not vulnerable. Failed to establish SSLv3 connection.

poodle.sh: https://access.redhat.com/articles/1232123 at "attachments"

So enabling FIPS mode really solves this vulnerability.

On Mon, Oct 20, 2014 at 8:23 PM, Istvan M. <***@gmail.com<mailto:***@gmail.com>> wrote:
Hello List,

I've been waiting for this technote, really, we suspected that enabling SSLFIPS with a good cipher (TLS_RSA_WITH_AES_256_CBC_SHA for example, good for distributed, Z and i platforms) will eliminate this problem.
Now it's official. Tomorrow I'll test it. I assume Broker is also affected (seems no exceptions, everything is affected if it uses SSLv3).

On Mon, Oct 20, 2014 at 6:46 PM, Potkay, Peter M (CTO Architecture + Engineering) <***@thehartford.com<mailto:***@thehartford.com>> wrote:
This just came out from IBM on how MQ is impacted by POODLE:

http://www-01.ibm.com/support/docview.wss?uid=swg21687433&myns=swgws&mynp=OCSSFKSJ&mync=E


Still waiting for the WMB TechNote on POODLE.



Peter Potkay

--
Üdvözlettel / Best regards,
Melich István / Istvan Melich
--
Best regards / Üdvözlettel,
MELICH, István




<< "Once the game is over, the king and the pawn go back into the same box." - Anon >>

T.Rob
2014-10-22 14:52:37 UTC
Permalink
Post by Tim Zielke
Since SSL v3 is no longer supported, the security community has basically “pulled the plug” on SSL v3.
About time. SSL v3 has other known vulns, but apparently this one we care about. There's an easy test for it so fair enough. Incidentally, as you are looking for alternate ciphers, keep in mind that MD5 is also broken and CBC has some known issues. If I had to pick one, I'd take CBC over MD5 in a heartbeat though.



The SSL Labs site Peter points to is great. I frequently point people at it. And while you are busy testing, take a look at http://checktls.com where they test your company's SMTP (email) server. As bad as HTTPS is, email is 100 times worse. Half the time the servers are set up to accept plaintext connections if the encrypted ones fail and the encryption is often SSL at best. But nobody sees the SMTP servers or deals with mail transfer at the back end other than admins. Instead of encryption they have a kludge of putting authentication info into DNS records but it's hardly what you'd call secure. Wouldn't it be cool if CheckTLS.com went viral and half the net started asking their companies and ISPs why email was so bad?





Kind regards,

-- T.Rob



T.Robert Wyatt, Managing partner

IoPT Consulting, LLC

+1 704-443-TROB (8762) Voice/Text

+44 (0) 8714 089 546 Voice

https://ioptconsulting.com

https://twitter.com/tdotrob



From: MQSeries List [mailto:MQSERIES-0lvw86wZMd9k/bWDasg6f+***@public.gmane.org] On Behalf Of Tim Zielke
Sent: Wednesday, October 22, 2014 9:43 AM
To: MQSERIES-0lvw86wZMd9k/bWDasg6f+***@public.gmane.org
Subject: Re: IBM MQ, SSL and the PODLE Attack



My understanding is that any cipher that uses the TLS protocol would remediate POODLE. I used the MQ v8 manual which lists what protocol (i.e. SSL v3, TLS 1.0, TLS 1.2) the cipher is using -> http://www-01.ibm.com/support/knowledgecenter/#!/SSFKSJ_8.0.0/com.ibm.mq.sec.doc/q014260_copy.htm.



As Istvan mentioned, it would be better to also choose a TLS cipher that is also FIPS compliant. The IBM MQ security bulletin for POODLE tells you which TLS ciphers are not FIPS compliant -> http://www-01.ibm.com/support/docview.wss?uid=swg21687433&myns=swgws&mynp=OCSSFKSJ&mync=E



This is my understanding of POODLE based on the research I have done. POODLE (Padding Oracle on Downgraded Legacy Encryption) is a new security vulnerability on SSL v3. Padding Oracle is the method to do the security breach. Downgraded Legacy Encryption is SSL v3. Since SSL v3 is no longer supported, the security community has basically “pulled the plug” on SSL v3.





From: MQSeries List [mailto:MQSERIES-0lvw86wZMd9k/bWDasg6f+***@public.gmane.org] On Behalf Of David Awerbuch (BLOOMBERG/ 120 PARK)
Sent: Wednesday, October 22, 2014 8:22 AM
To: MQSERIES-0lvw86wZMd9k/bWDasg6f+***@public.gmane.org
Subject: Re: IBM MQ, SSL and the PODLE Attack



Is there a definitive list of the TLS cipherspecs?

We are running 7.5 mgrs, our connection partners are running server 8.0, 7.5, 7.1, 7.0, and a few are still at 6.0.
Customer client versions are across the spectrum.

Thanks.
Dave

----- Original Message -----
From: MQSERIES-0lvw86wZMd9k/bWDasg6f+***@public.gmane.org
To: MQSERIES-0lvw86wZMd9k/bWDasg6f+***@public.gmane.org
At: Oct 21 2014 21:01:14

It looks like POODLE has caused the security community to put the fork in SSL. We just have TLS from here on out, for “secure” MQ ciphers.



From: MQSeries List [mailto:MQSERIES-0lvw86wZMd9k/bWDasg6f+***@public.gmane.org] On Behalf Of dhornby5-***@public.gmane.org
Sent: Tuesday, October 21, 2014 6:34 PM
To: MQSERIES-0lvw86wZMd9k/bWDasg6f+***@public.gmane.org
Subject: Re: IBM MQ, SSL and the PODLE Attack



yes, AFAIK you just need to use a TLS cipherspec




_____


From: "Peter M Potkay (CTO Architecture + Engineering)" <Peter.Potkay-***@public.gmane.org>
To: MQSERIES-0lvw86wZMd9k/bWDasg6f+***@public.gmane.org
Sent: Tuesday, October 21, 2014 5:19:41 PM
Subject: Re: IBM MQ, SSL and the PODLE Attack



Would it be accurate to say
If your QM is running with SSLFIPS(YES) you are not vulnerable to POODLE, but you do not necessarily need to be SSL FIPS compliant to remediate the POODLE attack.



Peter Potkay



From: MQSeries List [mailto:MQSERIES-0lvw86wZMd9k/bWDasg6f+***@public.gmane.org] On Behalf Of Neil Casey
Sent: Tuesday, October 21, 2014 4:58 PM
To: MQSERIES-0lvw86wZMd9k/bWDasg6f+***@public.gmane.org
Subject: Re: IBM MQ, SSL and the PODLE Attack



Hi,



thanks for your work, and for publishing the results.



I would just like to ask, what was the cipher spec defined in the channel?



Successfully establishing an MQ channel requires more than just the SSL session. The negotiated cipher has to match the SSLCIPH value too.



Regards,



Neil Casey.





On 22 Oct 2014, at 4:48 am, Istvan M. <ipl873-8a+***@public.gmane.org> wrote:



Hello List,



just tested on Linux with a small script provided by RedHat.



QMNAME(QM1V701) SSLFIPS(NO)

-bash-4.1$ ./poodle.sh

127.0.0.1:1414 - Vulnerable! SSLv3 connection established using SSLv3/AES128-SHA



QMNAME(QM1V701) SSLFIPS(YES)

-bash-4.1$ ./poodle.sh

127.0.0.1:1414 - Not vulnerable. Failed to establish SSLv3 connection.



poodle.sh: https://access.redhat.com/articles/1232123 at "attachments"



So enabling FIPS mode really solves this vulnerability.



On Mon, Oct 20, 2014 at 8:23 PM, Istvan M. <ipl873-***@public.gmane.org> wrote:

Hello List,



I've been waiting for this technote, really, we suspected that enabling SSLFIPS with a good cipher (TLS_RSA_WITH_AES_256_CBC_SHA for example, good for distributed, Z and i platforms) will eliminate this problem.

Now it's official. Tomorrow I'll test it. I assume Broker is also affected (seems no exceptions, everything is affected if it uses SSLv3).



On Mon, Oct 20, 2014 at 6:46 PM, Potkay, Peter M (CTO Architecture + Engineering) <Peter.Potkay-***@public.gmane.org> wrote:

This just came out from IBM on how MQ is impacted by POODLE:



http://www-01.ibm.com/support/docview.wss?uid=swg21687433&myns=swgws&mynp=OCSSFKSJ&mync=E





Still waiting for the WMB TechNote on POODLE.







Peter Potkay



--
Üdvözlettel / Best regards,

Melich István / Istvan Melich





--



Best regards / Üdvözlettel,

MELICH, István





<< "Once the game is over, the king and the pawn go back into the same box." - Anon >>
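Added example, not code from any poster in this thread: the messages above note that the channel's SSLCIPH value decides what is negotiated and that any TLS CipherSpec remediates POODLE, so this sketch audits `DISPLAY CHANNEL(*) SSLCIPH` output from runmqsc and sorts channels into SSLv3, TLS, unencrypted or unknown, also flagging MD5. Assumptions: the SSL 3.0 name set is recalled from IBM's CipherSpec table and should be confirmed against the table for your MQ version; the sample output and channel names are constructed.

```python
import re
# SSL 3.0 CipherSpec names as recalled from IBM's CipherSpec table (assumption:
# confirm against the table for your MQ version before relying on this set).
SSLV3_SPECS = {
    "NULL_MD5", "NULL_SHA", "RC4_MD5_EXPORT", "RC4_MD5_US", "RC4_SHA_US",
    "RC2_MD5_EXPORT", "DES_SHA_EXPORT", "RC4_56_SHA_EXPORT1024",
    "DES_SHA_EXPORT1024", "TRIPLE_DES_SHA_US", "AES_SHA_US",
    "FIPS_WITH_DES_CBC_SHA", "FIPS_WITH_3DES_EDE_CBC_SHA",
}
ATTR = re.compile(r"(\w+)\(([^)]*)\)")  # matches NAME(value) pairs
# Constructed runmqsc output; channel names are hypothetical.
SAMPLE = """\
AMQ8414: Display Channel details.
   CHANNEL(APP1.SVRCONN)                   CHLTYPE(SVRCONN)
   SSLCIPH(TRIPLE_DES_SHA_US)
AMQ8414: Display Channel details.
   CHANNEL(QM1.TO.QM2)                     CHLTYPE(SDR)
   SSLCIPH(TLS_RSA_WITH_AES_256_CBC_SHA)
AMQ8414: Display Channel details.
   CHANNEL(LEGACY.SVRCONN)                 CHLTYPE(SVRCONN)
   SSLCIPH(RC4_MD5_US)
AMQ8414: Display Channel details.
   CHANNEL(ADMIN.SVRCONN)                  CHLTYPE(SVRCONN)
   SSLCIPH( )
"""

def classify(spec):
    """Return (protocol, uses_md5) for one SSLCIPH value."""
    if not spec:
        protocol = "NONE"        # blank SSLCIPH: channel is not encrypted
    elif spec in SSLV3_SPECS:
        protocol = "SSLV3"       # SSL 3.0 CipherSpec, exposed to POODLE
    elif spec.startswith(("TLS_", "ECDHE_")):
        protocol = "TLS"
    else:
        protocol = "UNKNOWN"     # look it up in the table rather than guess
    return protocol, "MD5" in spec

def audit(runmqsc_output):
    """Map each channel name to classify(SSLCIPH), one AMQ8414 record each."""
    findings, record = {}, None
    for line in runmqsc_output.splitlines() + ["AMQ8414"]:  # sentinel flushes last record
        if line.startswith("AMQ8414"):
            if record:
                findings[record["CHANNEL"]] = classify(record.get("SSLCIPH", ""))
            record = {}
        elif record is not None:
            record.update((k, v.strip()) for k, v in ATTR.findall(line))
    return findings
```

Calling `audit(SAMPLE)` returns a dict keyed by channel name; anything reported as SSLV3 or NONE is a candidate for moving to a TLS CipherSpec on both ends of the channel.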


