IBM Support

IZ75870: RFC 5746 TRANSPORT LAYER SECURITY (TLS) ? RENEGOTIATION INDICATI ON EXTENSION

Subscribe

You can track all active APARs for this component.

 

APAR status

  • Closed as program error.

Error description

  • Error Message: The IETF has published RFC 5746 Transport Layer
    Security (TLS) ? Renegotiation Indication Extension.  RFC 5746
    defines a mechanism to implement TLS/SSL handshake renegotiation
    securely.  Use of RFC 5746 replaces the industry wide interim
    solution of disabling all renegotiation implemented after the
    weakness was discovered.
    .
    Stack Trace: N/A
    .
    

Local fix

Problem summary

  • The IETF has published RFC 5746 Transport Layer Security (TLS) ?
    Renegotiation Indication Extension.  RFC 5746 defines a
    mechanism to implement TLS/SSL handshake renegotiation securely.
     Use of RFC 5746 replaces the industry wide interim solution of
    disabling all renegotiation implemented after the weakness was
    discovered.
    

Problem conclusion

  • This defect will be fixed in:
    6.0.0 SR9
    5.0.0 SR12
    1.4.2 SR13 fp6
    .
    The IETF has published RFC 5746 Transport Layer Security (TLS) ?
    Renegotiation Indication Extension. RFC 5746 defines a mechanism
    to implement TLS/SSL handshake renegotiation securely. Use of
    RFC 5746 replaces the industry wide interim solution of
    disabling all renegotiation implemented after the weakness was
    discovered.
    
    After applying this APAR, IBM JSSE2 will allow SSL V3 or TLS V1
    session renegotiation with peers that have implemented RFC 5746.
    Session renegotiation with peers that do not support RFC 5746
    reverts back to the interim disablement solution. By default,
    unsecured renegotiation will continue to not be allowed. Use the
    system property com.ibm.jsse2.renegotiate to control how
    unsecured negotiation are handled by IBM JSSE2.
    
    Read RFC 5746 for additional details if interested in the
    underlying TLS protocol changes to correct the weakness.
    
    The following system properties are available to control how
    restrictive IBM JSSE2 is in the enforcement of RFC 5746.
    
    To force all negotiations to require RFC 5746, not just
    renegotiations use system property
    com.ibm.jsse2.extended.renegotiation.indicator. This would only
    be practical after all desired communication partners have
    implemented RFC 5746.
    
    
    -com.ibm.jsse2.extended.renegotiation.indicator=OPTIONAL
    
    This is the default value. It causes the IBM JSSE2 Server and/or
    IBM JSSE2 Client to not require the renegotiation indicator
    during the initial handshake.
    
    Warning - setting this to 'client', 'server' or 'both' will
    cause interoperability problems with clients or servers that
    have not been updated.
    
    
    -com.ibm.jsse2.extended.renegotiation.indicator=CLIENT
    
    Causes the IBM JSSE2 Client to only connect if the server
    indicated support for RFC 5746 Renegotiation.
    
    Warning - setting this to 'client' will cause interoperability
    problems with servers that have not been updated.
    
    
    -com.ibm.jsse2.extended.renegotiation.indicator=SERVER
    
    Causes the IBM JSSE2 Server to only connect if the client
    indicated support for RFC 5746 Renegotiation.
    
    Warning - setting this to 'server' will cause
    interoperability problems with servers that have not
    been updated.
    
    
    -com.ibm.jsse2.extended.renegotiation.indicator=BOTH
    
    Causes the IBM JSSE2 Server and/or IBM JSSE2 client to connect
    only if the peer indicated support for RFC 5746 Renegotiation.
    Warning - setting this to 'both' will cause interoperability
    problems with client and/or servers that have not been updated.
    
    
    
    To change the renegotiation ability of IBM JSSE2 use the system
    property com.ibm.jsse2.renegotate.
    
    
    -com.ibm.jsse2.renegotiate=NONE
    
    This is the default value. No unsecured handshake renegotiation
    is allowed. RFC 5746 renegotiations are allowed only.
    
    
    -com.ibm.jsse2.renegotiate=ABBREVIATED
    
    Overrides and allows unsecured abbreviated handshake during
    renegotiation when session continuity is proven. RFC 5746
    renegotiations are allowed.
    
    
    -com.ibm.jsse2.renegotiate=ALL
    
    Overrides and allows unsecured full handshake and unsecured
    abbreviated handshake during renegotiation. RFC 5746
    renegotiations are allowed also.
    
    
    -com.ibm.jsse2.renegotiate=DISABLED
    
    Overrides and disables all unsecure and RFC 5746 renegotiations.
    
    To change the renegotiation ability of IBM JSSE2 to require the
    peer support specified in RFC 5746, use the system property
    com.ibm.jsse2.renegotiation.peer.cert.check. This would only be
    practical after all of your potential communication partners
    have implemented RFC 5746.
    
    
    -com.ibm.jsse2.renegotiation.peer.cert.check=OFF
    
    This is the default value. It causes the IBM JSSE2 Client and/or
    IBM JSSE2 Server to not perform an identify check against the
    peer's certificate. It allows the peer certificate to change
    during renegotiation.
    
    
    -com.ibm.jsse2.renegotiation.peer.cert.check=ON
    
    Causes the IBM JSSE2 Client and/or IBM JSSE2 Server to perform a
    comparison against the peer's certificate to ensure the
    certificate does not change during renegotiation. Applicable to
    both secure and non-secure renegotiations.
    

Temporary fix

Comments

APAR Information

  • APAR number

    IZ75870

  • Reported component name

    SECURITY

  • Reported component ID

    620700125

  • Reported release

    600

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2010-05-14

  • Closed date

    2010-05-14

  • Last modified date

    2010-10-20

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

    PM14526 IZ75930

Fix information

  • Fixed component name

    SECURITY

  • Fixed component ID

    620700125

Applicable component levels

  • R600 PSN

       UP

[{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSNVBF","label":"Runtimes for Java Technology"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"6.0","Edition":"","Line of Business":{"code":"LOB36","label":"IBM Automation"}}]

Document Information

Modified date:
07 December 2020