IBM Support

MF62778 - LIC-SSL Remove 3DES from System SSL/TLS default

PTF ( Program Temporary Fixes ) Cover letter


Order this fix

Abstract

LIC-SSL Remove 3DES from System SSL/TLS default


Pre/Co-Requisite PTF / Fix List

REQ  LICENSED           PTF/FIX  LEVEL

TYPE PROGRAM  RELEASE   NUMBER   MIN/MAX  OPTION
---- -------- --------- -------  -------  ------
PRE  5770999  V7R2M0    MF58685   00/00    0000



NOTICE:
-------
Application of this PTF may disable or render ineffective programs that
use system memory addresses not generated by the IBM translator,
including programs that circumvent control technology designed to limit
interactive capacity to purchased levels.  This PTF may be a prerequisite
for future PTFs.  By applying this PTF you authorize and agree to the
foregoing.

This PTF is subject to the terms of the 'IBM License Agreement for Machine
Code', the terms of which were provided in a printed document that was
delivered with the machine.

SUBJECT TO ANY WARRANTIES WHICH CAN NOT BE EXCLUDED OR EXCEPT AS EXPLICITLY
AGREED TO IN THE APPLICABLE LICENSE AGREEMENT OR AN APPLICABLE SUPPORT
AGREEMENT, IBM MAKES NO WARRANTIES OR CONDITIONS EITHER EXPRESS OR IMPLIED,
INCLUDING BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OR CONDITIONS OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON INFRINGEMENT,
REGARDING THE PTF.





APAR Error Description / Circumvention

-----------------------------------------------
The 3DES cipher suites should not be used due to the SWEET32
vulnerability.

CORRECTION FOR APAR MA45974 :
-----------------------------
An administrator can completely disable the 3DES cipher suites
for System SSL using the QSSLCSL system value without this PTF.

This PTF removes the 3DES cipher suites from the eligible
default cipher specification list when they remain enabled by
the system values.

Applications coded to use the default values will no longer
negotiate the use of 3DES with peers.

If 3DES support is required by peers of such an application
after this PTF is applied, the values can be added back to the
System SSL eligible default cipher suite list using System
Service Tools (SST) Advanced Analysis Command SSLCONFIG.

To change the System SSL settings with the Start System Service
Tools (STRSST) command, follow these steps:

1. Open a character-based interface.
2. On the command line, type STRSST.
3. Type your service tools user name and password.
4. Select option 1 (Start a service tool).
5. Select option 4 (Display/Alter/Dump).
6. Select option 1 (Display/Alter storage).
7. Select option 2 (Licensed Internal Code (LIC) data).
8. Select option 14 (Advanced analysis).
9. Select option 1 (SSLCONFIG).
10. Enter -h

This will show the help screen that describes the input strings
to change the System SSL setting for
-eligibleDefaultCipherSuites.

CIRCUMVENTION FOR APAR MA45974 :
--------------------------------
None.


Activation Instructions


None.




Special Instructions


None.


Default Instructions

THIS PTF CAN BE APPLIED IMMEDIATE OR DELAYED.



Supersedes

PTF/FIX NO(S).  APAR TITLE LINE
--------------  ------------------------------------------------------------
   MF62787      LIC-SSL TLS Alert Record Leaked
   MF62317      OSP-WAIT SOCKET OBJECT GARBAGE COLLECTION TAKES TOO LONG TO
   MF61243      LIC-SSL Remove RSA_MD5 from System SSL/TLS default sig alg l
   MF60432      LIC-SSL Default cipher suite list empty
   MF60368      LIC-COMM-SSL Send SCSV instead of RI Extension when possible
   MF60333      LIC-SSL Remove SSLv3 and RC4 from System SSL default
   MF59777      LIC-SSL LEAK WHEN SOCKET CLOSED IN 2ND THREAD
   MF59777      LIC-COMM-TCPIP-INCORROUT FTPS PROBLEMS WITH SSL REHANDSHAKE
   MF58557      LIC-SSL Certificate Verify Message Signature Error
   MF58230      LIC-SSL ECDHE Processing Location
   MF57990      LIC-SSL SNI JKS
   MF57910      LIC-COMM-SSL OCSP not working as expected
   MF57818      LIC-SSL SNI mixed case
   MF57694      LIC-COMM-SSL Cipher Selection Enhancement
   MF57694      LIC-SSL SNI match not found
   MF59677      LIC-SSL Control Block Leak In Error Path
   MF59644      JVA-RUN Java Secure Socket Extension (JSSE) Support
   MF57909      LIC-SSL GSKit GSK_SSL_EXTN_SERVERNAME_REQUEST on session
   MF60334      LIC-SSL Remove SSLv3 and RC4 from System SSL default
   MF60156      LIC-SSL System SSL Object Garbage Collection
   MF60139      LIC-SOCKETS AUDIT RECORD SK SUBTYPE A TELNET

Summary Information

System.............................. i
Models..............................
Release............................. V7R2M0
Licensed Program............... 5770999
APAR Fixed.......................... View details for APAR MA45974
Superseded by:...................... View fix details for PTF MF64536
Recompile........................... N
Library............................. QSYS
MRI Feature ........................ NONE
Cum Level........................... C7068720


System i Support

IBM disclaims all warranties, whether express or implied, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose. By furnishing this document, IBM grants no licenses to any related patents or copyrights. Copyright © 1996,1997,1998, 1999, 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011, 2012, 2013, 2014, 2015, 2016, 2017, 2018 IBM Corporation. Any trademarks and product or brand names referenced in this document are the property of their respective owners. Consult the Terms of use link for trademark information.

Document information

More support for: i family

Software version: V7R2M0

Operating system(s): OS/400

Reference #: MF62778

Modified date: 03 November 2016