IBM Support

PI90112: IMPROVE THE DEFAULT CIPHER SUITES FOR SSLV3, TLSV1.0, TLSV1.1, AND TLSV1.2 IN CACHING PROXY TO REMOVE SEVERAL WEAK CIPHERS.

Subscribe

You can track all active APARs for this component.

APAR status

  • Closed as program error.

Error description

  • Improve the default cipher suites for SSLv3, TLSv1.0, TLSv1.1,
    and TLSv1.2 in Caching Proxy to remove several weak ciphers.
    

Local fix

Problem summary

  • ****************************************************************
    * USERS AFFECTED:  Users of IBM Caching Proxy SSL              *
    ****************************************************************
    * PROBLEM DESCRIPTION: Improve the default cipher suites for   *
    *                      SSLv3, TLSv1.0, TLSv1.1, and TLSv1.2 in *
    *                      Caching Proxy to remove several weak    *
    *                      ciphers.                                *
    ****************************************************************
    * RECOMMENDATION:                                              *
    ****************************************************************
    Improve the default cipher suites for SSLv3, TLSv1.0, TLSv1.1,
    and TLSv1.2 in Caching Proxy to remove weak ciphers such as
    3DES.
    The new default ciphers have been listed below:
    SSLv3 / TLSv1.0 / TLSv1.1:
    * 2F - TLS_RSA_WITH_AES_128_CBC_SHA
    * 35 - TLS_RSA_WITH_AES_256_CBC_SHA
    TLSv1.2:
    * 9C - TLS_RSA_WITH_AES_128_GCM_SHA256
    * 9D - TLS_RSA_WITH_AES_256_GCM_SHA384
    * 3C - TLS_RSA_WITH_AES_128_CBC_SHA256
    * 3D - TLS_RSA_WITH_AES_256_CBC_SHA256
    * 2F - TLS_RSA_WITH_AES_128_CBC_SHA
    * 35 - TLS_RSA_WITH_AES_256_CBC_SHA
    

Problem conclusion

  • The default ciphers for Caching Proxy have been modified. The
    new defaults are listed below for each protocol.
    
    SSLv3 / TLSv1.0 / TLSv1.1:
    * 2F - TLS_RSA_WITH_AES_128_CBC_SHA
    * 35 - TLS_RSA_WITH_AES_256_CBC_SHA
    
    TLSv1.2:
    * 9C - TLS_RSA_WITH_AES_128_GCM_SHA256
    * 9D - TLS_RSA_WITH_AES_256_GCM_SHA384
    * 3C - TLS_RSA_WITH_AES_128_CBC_SHA256
    * 3D - TLS_RSA_WITH_AES_256_CBC_SHA256
    * 2F - TLS_RSA_WITH_AES_128_CBC_SHA
    * 35 - TLS_RSA_WITH_AES_256_CBC_SHA
    
    3DES (0A) ciphers can be re-enabled using the following
    directives as needed:
    V3CipherSpecs 2F350A
    TLSV11CipherSpecs 2F350A
    TLSV12CipherSpecs 9C9D3C3D2F350A
    
    This fix is targeted for IBM Caching Proxy fix packs:
    - 9.0.0.8
    - 8.5.5.14
    - 8.0.0.15
    

Temporary fix

Comments

APAR Information

  • APAR number

    PI90112

  • Reported component name

    WEBS CACH PROXY

  • Reported component ID

    5724H8810

  • Reported release

    900

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2017-11-13

  • Closed date

    2018-03-05

  • Last modified date

    2018-03-05

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    WEBS CACH PROXY

  • Fixed component ID

    5724H8810

Applicable component levels

  • R800 PSY

       UP

  • R850 PSY

       UP

  • R900 PSY

       UP



Document information

More support for: WebSphere Application Server
Edge Component

Software version: 900

Reference #: PI90112

Modified date: 05 March 2018


Translate this page: