IBM Support

MA44716 - LIC-SSL REMOVE SSLV3 AND RC4 FROM SYSTEM SSL DEFAULT


 APAR (Authorized Program Analysis Report)

Abstract

LIC-SSL REMOVE SSLV3 AND RC4 FROM SYSTEM SSL DEFAULT

Error Description

The SSLv3 protocol and RC4 cipher suites should not be used due
to the POODLE and Bar Mitzvah vulnerabilities.                  

Problem Summary

****************************************************************
* PROBLEM: (MA44716) Licensed Program = 5761999 for i 6.1 and  *
*                                       i 6.1.1                *
*                                     = 5770999 for i 7.1 and  *
*                                       i 7.2                  *
*           Security                                           *
****************************************************************
* USERS AFFECTED: All IBM i operating system System SSL users. *
****************************************************************
* RECOMMENDATION: Apply LIC PTF MF60331 for i 6.1.             *
*                 Apply LIC PTF MF60338 for i 6.1.1.           *
*                 Apply LIC PTF MF60335 for i 7.1.             *
*                 Apply LIC PTF MF60334 for i 7.2.             *
****************************************************************
The SSLv3 protocol and RC4 cipher suites should not be used due
to the POODLE and Bar Mitzvah vulnerabilities.                  

Problem Conclusion

An administrator can completely disable SSLv3 and RC4 cipher    
suites for System SSL using the QSSLPCL and QSSLCSL system      
values without this PTF.                                        
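
The system-value route described above, as an added CL example that is not part of the APAR text. The protocol and cipher lists shown are constructed for illustration; use the entries your own DSPSYSVAL output offers on your release, leaving out *SSLV3 and the RC4 suites.

```cl
/* Added example, not from the APAR. Review the current settings first. */
DSPSYSVAL SYSVAL(QSSLPCL)       /* protocols enabled for System SSL      */
DSPSYSVAL SYSVAL(QSSLCSLCTL)    /* who controls the cipher list          */
DSPSYSVAL SYSVAL(QSSLCSL)       /* ordered cipher specification list     */

/* Protocols: re-enter the list without *SSLV3.                          */
/* Constructed value; keep only TLS entries your release actually lists. */
CHGSYSVAL SYSVAL(QSSLPCL) VALUE('*TLSV1.2 *TLSV1.1 *TLSV1')

/* Ciphers: QSSLCSL can be changed only while QSSLCSLCTL is *USRDFN.     */
CHGSYSVAL SYSVAL(QSSLCSLCTL) VALUE(*USRDFN)

/* Re-enter the cipher list without any *RSA_..._RC4_... entries.        */
/* Constructed value; copy the non-RC4 entries from the display above.   */
CHGSYSVAL SYSVAL(QSSLCSL) VALUE('*RSA_AES_256_CBC_SHA *RSA_AES_128_CBC_SHA')

/* Confirm the result. */
DSPSYSVAL SYSVAL(QSSLPCL)
DSPSYSVAL SYSVAL(QSSLCSL)
```

Unlike the eligible default lists changed by the PTF, these system values apply to every System SSL application, including those that request SSLv3 or RC4 explicitly.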
                                                               
This PTF removes SSLv3 from the eligible default protocol list  
and the RC4 cipher suites from the eligible default cipher      
specification list when they remain enabled by the system      
values.                                                        
                                                               
Applications coded to use the default values will no longer    
negotiate the use of SSLv3 and RC4 with peers.                  
                                                               
If SSLv3 or RC4 support is required by peers of such an        
application after this PTF is applied, the values can be added  
back to the System SSL eligible default lists using System      
Service Tools (SST) Advanced Analysis Command SSLCONFIG.        
                                                               
To change the System SSL settings with the Start System Service
Tools (STRSST) command, follow these steps:                    
                                                               
   1. Open a character-based interface.                        
   2. On the command line, type STRSST.                        
   3. Type your service tools user name and password.          
   4. Select option 1 (Start a service tool).                  
   5. Select option 4 (Display/Alter/Dump).                    
   6. Select option 1 (Display/Alter storage).                  
   7. Select option 2 (Licensed Internal Code (LIC) data).      
   8. Select option 14 (Advanced analysis).                    
   9. Select option 1 (SSLCONFIG).                              
   10. Enter -h                                                
                                                               
This will show the help screen that describes the input strings
to change the System SSL setting for -eligibleDefaultProtocols  
and  -eligibleDefaultCipherSuites.                              

Temporary Fix

                       *********                                
                       * HIPER *                                
                       *********                                

Comments

Circumvention


PTFs Available

R610 MF62786 PTF Cover Letter   1000
R611 MF62785 PTF Cover Letter   1000
R710 MF60335 PTF Cover Letter   5317
R720 MF60334 PTF Cover Letter   5310

Affected Modules

         
         

Affected Publications

Summary Information

Status............................................ CLOSED PER
HIPER........................................... Yes
Component.................................. 9400DG300
Failing Module.......................... RCHMGR
Reported Release................... R610
Duplicate Of..............................





Document Information

Modified date:
04 November 2016