All customers using IBM® SDK for Java™ relying on Secure Socket Layer v3 (SSLv3) or any of the multiple versions of Transport Layer Security (TLS) in support for secure communications between a client and server or between server and server are impacted by a recently discovered weakness in the TLS and SSL v3 protocols. SSLv2 is not affected.
The TLS/SSL weakness exists in multiple implementations of the Transport Layer Security (TLS) protocol, including SSL.
To address the weakness in the TLS/SSL handshake renegotiation, IBM, along with the other members in the Industry Consortium for the Advancement of Security on the Internet (ICASI), are working together with the Internet Engineering Task Force (IETF) to enhance and strengthen the handshake renegotiation protocol in the TLS specification. This effort will take some time to complete. The delivery outlook for inclusion of this enhanced handshake renegotiation capability in TLS protocol implementations is unknown at this time.
In the interim, the IBM SDK for Java is delivering a fix to allow an installation to disable the TLS handshake renegotiation. The TLS handshake renegotiation is rarely used. Disabling the TLS handshake renegotiation will block a remote attacker from attempting to exploit the weakness in the TLS protocol. After installing this fix, the default setting will disable the TLS handshake renegotiation. The fix also provides an option to re-enable renegotiation if warranted. TLS handshake renegotiation should be re-enabled only if absolutely necessary and with a clear understanding and acceptance of the potential security risks.
IBM Java Secure Socket Extensions (JSSE) includes TLS support. If your Java application uses JSSE for secure communication, you can disable TLS renegotiation by installing the PTF for APAR IZ65239. After installing the JSSE PTF for APAR IZ65239, the following properties are added:
com.ibm.jsse2.renegotiate=[ALL | NONE | ABBREVIATED]
ALL: allow both abbreviated and unabbreviated (full) renegotiation handshakes.
NONE: allow no renegotiation handshakes. This option is the new default setting.
ABBREVIATED: allow only abbreviated renegotiation handshakes.
The following versions of Java are affected:
IBM SDK for Java V6 service refresh 6 and earlier
IBM SDK for Java V5.0 service refresh 11 and earlier
IBM SDK for Java V1.4.2 service refresh 13, Fix Pack 3 and earlier