IBM Support

MF61243 - LIC-SSL Remove RSA_MD5 from System SSL/TLS default sig alg l

PTF ( Program Temporary Fixes ) Cover letter


Order this fix

Abstract

LIC-SSL Remove RSA_MD5 from System SSL/TLS default sig alg l


Pre/Co-Requisite PTF / Fix List

REQ  LICENSED           PTF/FIX  LEVEL

TYPE PROGRAM  RELEASE   NUMBER   MIN/MAX  OPTION
---- -------- --------- -------  -------  ------
PRE  5770999  V7R2M0    MF58685   00/00    0000



NOTICE:
-------
Application of this PTF may disable or render ineffective programs that
use system memory addresses not generated by the IBM translator,
including programs that circumvent control technology designed to limit
interactive capacity to purchased levels.  This PTF may be a prerequisite
for future PTFs.  By applying this PTF you authorize and agree to the
foregoing.

This PTF is subject to the terms of the 'IBM License Agreement for Machine
Code', the terms of which were provided in a printed document that was
delivered with the machine.

SUBJECT TO ANY WARRANTIES WHICH CAN NOT BE EXCLUDED OR EXCEPT AS EXPLICITLY
AGREED TO IN THE APPLICABLE LICENSE AGREEMENT OR AN APPLICABLE SUPPORT
AGREEMENT, IBM MAKES NO WARRANTIES OR CONDITIONS EITHER EXPRESS OR IMPLIED,
INCLUDING BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OR CONDITIONS OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON INFRINGEMENT,
REGARDING THE PTF.





APAR Error Description / Circumvention

-----------------------------------------------
The RSA_MD5 protocol should not be used for TLSv1.2 signature
and hash operations due to the SLOTH vulnerabilities.

CORRECTION FOR APAR MA45218 :
-----------------------------
An administrator can completely disable the RSA_MD5 signature
and hash algorithm from being used by System SSL/TLS using the
System Service Tools (SST) Advanced Analysis Command SSLCONFIG
values without this PTF.  This is done by manually removing
RSA_MD5 from the default signature algorithm list.

This PTF explicitly removes RSA_MD5 from the default signature
algorithm list.

Applications coded to use the default value for TLSv1.2
signature algorithms will no longer negotiate the use of RSA_MD5
signatures with TLSv1.2 peers.  This includes the use of digital
certificates with a MD5 signature.

If RSA_MD5 support is required by peers of such an application
after this PTF is applied, the value can be added back to the
System SSL/TLS default signature algorithm list using System
Service Tools (SST) Advanced Analysis Command SSLCONFIG.

To change the System SSL settings with the Start System
Service
Tools (STRSST) command, follow these steps:

1. Open a character-based interface.
2. On the command line, type STRSST.
3. Type your service tools user name and password.
4. Select option 1 (Start a service tool).
5. Select option 4 (Display/Alter/Dump).
6. Select option 1 (Display/Alter storage).
7. Select option 2 (Licensed Internal Code (LIC) data).
8. Select option 14 (Advanced analysis).
9. Select option 1 (SSLCONFIG).
10. Enter -h

This will show the help screen that describes the input strings
to change the System SSL setting for signatureAlgorithmList
(default list) and supportedSignatureAlgorithmList.

CIRCUMVENTION FOR APAR MA45218 :
--------------------------------
None.


Activation Instructions


None.




Special Instructions


None.


Default Instructions

THIS PTF CAN BE APPLIED IMMEDIATE OR DELAYED.



Supersedes

PTF/FIX NO(S).  APAR TITLE LINE
--------------  ------------------------------------------------------------
   MF60432      LIC-SSL Default cipher suite list empty
   MF60368      LIC-COMM-SSL Send SCSV instead of RI Extension when possible
   MF60333      LIC-SSL Remove SSLv3 and RC4 from System SSL default
   MF59777      LIC-SSL LEAK WHEN SOCKET CLOSED IN 2ND THREAD
   MF59777      LIC-COMM-TCPIP-INCORROUT FTPS PROBLEMS WITH SSL REHANDSHAKE
   MF58557      LIC-SSL Certificate Verify Message Signature Error
   MF58230      LIC-SSL ECDHE Processing Location
   MF57990      LIC-SSL SNI JKS
   MF57910      LIC-COMM-SSL OCSP not working as expected
   MF57818      LIC-SSL SNI mixed case
   MF57694      LIC-COMM-SSL Cipher Selection Enhancement
   MF57694      LIC-SSL SNI match not found
   MF59677      LIC-SSL Control Block Leak In Error Path
   MF59644      JVA-RUN Java Secure Socket Extension (JSSE) Support
   MF57909      LIC-SSL GSKit GSK_SSL_EXTN_SERVERNAME_REQUEST on session
   MF60334      LIC-SSL Remove SSLv3 and RC4 from System SSL default
   MF60156      LIC-SSL System SSL Object Garbage Collection
   MF60139      LIC-SOCKETS AUDIT RECORD SK SUBTYPE A TELNET

Summary Information

System.............................. i
Models..............................
Release............................. V7R2M0
Licensed Program............... 5770999
APAR Fixed.......................... MA45218
Superseded by:...................... View fix details for PTF MF64536
Recompile........................... N
Library............................. QSYS
MRI Feature ........................ NONE
Cum Level........................... C6127720


System i Support

IBM disclaims all warranties, whether express or implied, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose. By furnishing this document, IBM grants no licenses to any related patents or copyrights. Copyright © 1996,1997,1998, 1999, 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011, 2012, 2013, 2014, 2015, 2016, 2017, 2018 IBM Corporation. Any trademarks and product or brand names referenced in this document are the property of their respective owners. Consult the Terms of use link for trademark information.

Document information

More support for: i family

Software version: V7R2M0

Operating system(s): OS/400

Reference #: MF61243

Modified date: 26 January 2016