Supported SSL and Transport Layer Security protocols

This topic describes which versions of the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols the IBM® i implementation supports.

There are several versions of the SSL protocol defined. The IBM i implementation supports the following versions of the SSL and TLS protocols:
  • TLS Version 1.2
  • TLS Version 1.1
  • TLS Version 1.0
  • SSL Version 3.0
  • SSL Version 2.0
Note:
  1. Specifying more than one protocol at the same time enables compatibility mode. In compatibility mode, the highest specified protocol is negotiated if possible; if that is not possible, the next highest specified protocol is negotiated. If none of the specified protocols can be negotiated, the SSL handshake fails.
  2. In compatibility mode, it is recommended to specify all protocols between the highest and lowest protocols enabled. Unpredictable results might happen if TLS Version 1.2 and TLS Version 1.0 are specified and TLS Version 1.1 is not.

TLS Version 1.2 versus TLS Version 1.1

The latest industry standard SSL protocol is Transport Layer Security (TLS) Version 1.2. Its specifications are defined by the Internet Engineering Task Force (IETF) in RFC 5246, The TLS Protocol Version 1.2.

TLS version 1.2 provides these enhancements over TLS version 1.1:
  • All ciphers that are negotiated with TLSv1.2 must use at least SHA256. The existing ciphers that have SHA(1) in their name use SHA256.
  • The MD5/SHA-1 combination in the digitally signed element is replaced with a single hash. Signed elements now include a field that explicitly specifies the hash algorithm used.
  • Extension support is merged into the RFC rather than being defined separately.
  • The DES cipher is not allowed. That means this cipher suite cannot be negotiated for TLSv1.2.
    • 09 = *RSA_DES_CBC_SHA

TLS Version 1.1 versus TLS Version 1.0

The second most recent industry standard SSL protocol is Transport Layer Security (TLS) Version 1.1. Its specifications are defined by the Internet Engineering Task Force (IETF) in RFC 4346, The TLS Protocol Version 1.1.

TLS version 1.1 provides these enhancements over TLS version 1.0:
  • The implicit Initialization Vector (IV) is replaced with an explicit IV to protect against Cipher Block Chaining (CBC) attacks. The explicit IV changes the inner workings for the AES and DES ciphers.
  • The export ciphers are not allowed. That means these two currently supported cipher suites cannot be negotiated for TLSv1.1.
    • 03 = *RSA_EXPORT_RC4_40_MD5
    • 06 = *RSA_EXPORT_RC2_CBC_40_MD5
  • Miscellaneous internal improvements; see RFC 4346 for details.
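
The compatibility-mode notes at the top of this topic and the cipher suite restrictions listed for TLSv1.2 and TLSv1.1 can be checked together. The following is an added example, not IBM i code: it models the version negotiation used up to TLS 1.2 (the client offers only its highest version, as described in RFC 5246 Appendix E.1) to show one way a gap in the enabled protocols leads to a failed handshake. The function names and the peer configuration are constructed, and applying the export cipher restriction to TLSv1.2 as well as TLSv1.1 is an assumption.

```python
# Added example: a model of pre-TLS 1.3 version negotiation, not IBM i code.
# SSL Version 2.0 is left out because its hello format differs.
ORDER = ["SSLv3", "TLSv1.0", "TLSv1.1", "TLSv1.2"]  # lowest to highest

# Cipher suite codes from this page and the lowest protocol that bans them.
# Assumption: the TLSv1.1 export ban also applies to TLSv1.2.
BANNED_FROM = {"03": "TLSv1.1", "06": "TLSv1.1", "09": "TLSv1.2"}


def gaps(enabled):
    """Return protocols missing between the lowest and highest enabled."""
    idx = sorted(ORDER.index(p) for p in enabled)
    return [ORDER[i] for i in range(idx[0], idx[-1] + 1) if ORDER[i] not in enabled]


def negotiate(client, server):
    """Return the agreed protocol, or None when the handshake fails.

    The client offers only its highest version; the server answers with
    its highest enabled version that is not above the offer; the client
    aborts if that answer is not in its own enabled set.
    """
    offer = max(ORDER.index(p) for p in client)
    answers = [ORDER.index(p) for p in server if ORDER.index(p) <= offer]
    if not answers:
        return None
    chosen = ORDER[max(answers)]
    return chosen if chosen in client else None


def usable_suites(protocol, suites):
    """Drop suite codes that the negotiated protocol does not allow."""
    level = ORDER.index(protocol)
    return [s for s in suites
            if s not in BANNED_FROM or level < ORDER.index(BANNED_FROM[s])]


if __name__ == "__main__":
    peer = {"TLSv1.0", "TLSv1.1"}                 # constructed peer config
    for mine in ({"TLSv1.0", "TLSv1.2"}, {"TLSv1.0", "TLSv1.1", "TLSv1.2"}):
        result = negotiate(mine, peer)
        print(sorted(mine), "gaps:", gaps(mine), "->", result or "handshake fails")
        if result:
            print("  usable of 03/06/09:", usable_suites(result, ["03", "06", "09"]))
```

With TLSv1.1 missing from the local list, the peer answers TLSv1.1 and the handshake fails even though both sides have TLSv1.0 enabled.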

TLS Version 1.0 versus SSL Version 3.0

The first industry standard SSL protocol to be based on SSL version 3.0 was Transport Layer Security (TLS) Version 1.0. Its specifications are defined by the Internet Engineering Task Force (IETF) in RFC 2246, The TLS Protocol.

The major goal of TLS is to make SSL more secure and to make the specification of the protocol more precise and complete. TLS provides these enhancements over SSL Version 3.0:
  • A more secure MAC algorithm
  • More granular alerts
  • Clearer definitions of "gray area" specifications
TLS provides the following security improvements:
  • Key-Hashing for Message Authentication: TLS uses Key-Hashing for Message Authentication Code (HMAC), which ensures that a record cannot be altered while traveling over an open network such as the Internet. SSL Version 3.0 also provides keyed message authentication, but HMAC is more secure than the Message Authentication Code (MAC) function that SSL Version 3.0 uses.

  • Enhanced Pseudorandom Function (PRF): PRF generates key data. In TLS, the HMAC defines the PRF. The PRF uses two hash algorithms in a way which guarantees its security. If either algorithm is exposed, the data will remain secure as long as the second algorithm is not exposed.

  • Improved finished message verification: Both TLS Version 1.0 and SSL Version 3.0 provide a finished message to both endpoints that authenticates that the exchanged messages were not altered. However, TLS bases this finished message on the PRF and HMAC values, which again is more secure than SSL Version 3.0.

  • Consistent certificate handling: Unlike SSL Version 3.0, TLS attempts to specify the type of certificate which must be exchanged between TLS implementations.

  • Specific alert messages: TLS provides more specific and additional alerts to indicate problems that either session endpoint detects. TLS also documents when certain alerts should be sent.

SSL Version 3.0 versus SSL Version 2.0

SSL version 3.0 is an almost totally different protocol compared to SSL Version 2.0. Some of the major differences between the two protocols include:
  • SSL Version 3.0 handshake protocol flows are different from SSL Version 2.0 handshake flows.
  • SSL Version 3.0 includes a number of timing attack fixes and the SHA-1 hashing algorithm. The SHA-1 hashing algorithm is considered to be more secure than the MD5 hashing algorithm. SHA-1 allows SSL Version 3.0 to support additional cipher suites which use SHA-1 instead of MD5.
  • The SSL Version 3.0 protocol reduces the likelihood of man-in-the-middle (MITM) attacks during SSL handshake processing. In SSL Version 2.0, it was possible, though unlikely, that a MITM attack might accomplish cipher specification weakening. Weakening the cipher can allow an unauthorized person to break the SSL session key.