Rob,
I found that if you change QSSLCSLCTL back to *OPSYS (I had to change it to *USRDFN to remove the ciphers),
it automatically sets QSSLCSL back to the system default cipher list.
Paul
-----Original Message-----
From: MIDRANGE-L [mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of Rob Berendt
Sent: Thursday, March 29, 2018 7:29 AM
To: Midrange Systems Technical Discussion
Subject: Re: Disabling / Removing V7R3 SSL weak ciphers
I browsed the 7.3 PTF cover letters for: cipher
MF62780 - LIC-SSL Remove 3DES from System SSL/TLS default
SI62586 - F/TRIPLE-DES CAN RESULT IN CVE-2016-2183 AND CVE-2016-6329
Granted, some of these only remove a cipher from a particular application, like LDAP.
Perhaps if you documented which ciphers you removed from the suite you could occasionally change QSSLCSLCTL back to system default and see what it changes QSSLCSL to.
If you forget to document, you could simply do a DSPSYSVAL QSSLCSL OUTPUT(*PRINT) before any changes.
Rob Berendt
--
IBM Certified System Administrator - IBM i 6.1
Group Dekko Dept 1600
Mail to: 2505 Dekko Drive
Garrett, IN 46738
Ship to: Dock 108
6928N 400E
Kendallville, IN 46755
http://www.dekko.com
From: "Steinmetz, Paul" <PSteinmetz@xxxxxxxxxx>
To: "'Midrange Systems Technical Discussion'"
<midrange-l@xxxxxxxxxxxx>
Date: 03/28/2018 07:44 PM
Subject: Disabling / Removing V7R3 SSL weak ciphers
Sent by: "MIDRANGE-L" <midrange-l-bounces@xxxxxxxxxxxx>
Was reviewing V7R3 SSL ciphers.
Found this link that IBM is suggesting weak ciphers should be disabled.
Configuring Your IBM i System Secure Sockets Layer (SSL)/Transport Layer Security (TLS) Protocols and Cipher Suites
http://www-01.ibm.com/support/docview.wss?uid=nas8N1020876
Weak Cipher Suites (as of March 2018):
*RSA_RC4_128_SHA
*RSA_RC4_128_MD5
*RSA_NULL_MD5
*RSA_NULL_SHA
*RSA_NULL_SHA256
*RSA_DES_CBC_SHA
*RSA_EXPORT_RC4_40_MD5
*RSA_EXPORT_RC2_CBC_40_MD5
*RSA_RC2_CBC_128_MD5
*RSA_DES_CBC_MD5
*RSA_3DES_EDE_CBC_MD5
*RSA_3DES_EDE_CBC_SHA
*ECDHE_ECDSA_NULL_SHA
*ECDHE_ECDSA_RC4_128_SHA
*ECDHE_RSA_NULL_SHA
*ECDHE_RSA_RC4_128_SHA
*ECDHE_RSA_3DES_EDE_CBC_SHA
*ECDHE_ECDSA_3DES_EDE_CBC_SHA
3 of the weak ciphers are part of V7R3 default QSSLCSL - Secure sockets layer cipher specification list:
150 *ECDHE_ECDSA_3DES_EDE_CBC_SHA
160 *ECDHE_RSA_3DES_EDE_CBC_SHA
170 *RSA_3DES_EDE_CBC_SHA
Initially, IBM stated that the latest PTFs will disable the weak ciphers.
However, additional follow-up is requiring us to change from default SSL to custom SSL settings to remove these ciphers.
PTFs only disable the cipher suite from being used by default on SSL/TLS connections. PTFs will never physically remove a cipher suite or protocol from your IBM i system value. In order to remove these cipher suites from QSSLCSL, you will need to first set QSSLCSLCTL to *USRDFN. After doing this, you would then remove the cipher suites from the value of QSSLCSL.
Summary.
Back to custom SSL config, similar to what I had on V7R1.
Thank You
_____
Paul Steinmetz
IBM i Systems Administrator
Pencor Services, Inc.
462 Delaware Ave
Palmerton Pa 18071
610-826-9117 work
610-826-9188 fax
610-349-0913 cell
610-377-6012 home
psteinmetz@xxxxxxxxxx
http://www.pencor.com/
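As an added example (not code from the thread or from IBM), a small Python audit that takes the DSPSYSVAL QSSLCSL listing Rob suggests printing beforehand, reports which of the weak suites from Paul's list are still present, and emits the two CHGSYSVAL steps from the IBM text quoted above. The sample listing and its AES rows are constructed, and the CHGSYSVAL VALUE('...') syntax is an assumption to verify against the CL reference.

```python
# Weak cipher suites, copied from the list in Paul's message (March 2018).
WEAK_SUITES = frozenset({
    "*RSA_RC4_128_SHA", "*RSA_RC4_128_MD5", "*RSA_NULL_MD5", "*RSA_NULL_SHA",
    "*RSA_NULL_SHA256", "*RSA_DES_CBC_SHA", "*RSA_EXPORT_RC4_40_MD5",
    "*RSA_EXPORT_RC2_CBC_40_MD5", "*RSA_RC2_CBC_128_MD5", "*RSA_DES_CBC_MD5",
    "*RSA_3DES_EDE_CBC_MD5", "*RSA_3DES_EDE_CBC_SHA", "*ECDHE_ECDSA_NULL_SHA",
    "*ECDHE_ECDSA_RC4_128_SHA", "*ECDHE_RSA_NULL_SHA", "*ECDHE_RSA_RC4_128_SHA",
    "*ECDHE_RSA_3DES_EDE_CBC_SHA", "*ECDHE_ECDSA_3DES_EDE_CBC_SHA",
})

# Constructed sample in the "sequence  value" layout the thread quotes.
# 150/160/170 are the three V7R3 default entries Paul names; the AES rows
# are sample strong suites added here, not a claim about the full default.
SAMPLE_DSPSYSVAL = """\
 10  *ECDHE_ECDSA_AES_128_GCM_SHA256
 20  *ECDHE_RSA_AES_256_GCM_SHA384
 30  *RSA_AES_128_CBC_SHA
150  *ECDHE_ECDSA_3DES_EDE_CBC_SHA
160  *ECDHE_RSA_3DES_EDE_CBC_SHA
170  *RSA_3DES_EDE_CBC_SHA
"""

def parse_qsslcsl(text):
    """Return suite names in list order, dropping sequence numbers and blanks."""
    suites = []
    for line in text.splitlines():
        parts = line.split()
        if parts and parts[-1].startswith("*"):
            suites.append(parts[-1])
    return suites

def audit(suites):
    """Split the current list into (weak entries present, entries to keep)."""
    weak = [s for s in suites if s in WEAK_SUITES]
    keep = [s for s in suites if s not in WEAK_SUITES]
    return weak, keep

def chgsysval_commands(keep):
    """CL to set QSSLCSLCTL to *USRDFN, then set the trimmed QSSLCSL.
    The VALUE('...') form is assumed; check the CHGSYSVAL reference first."""
    return [
        "CHGSYSVAL SYSVAL(QSSLCSLCTL) VALUE(*USRDFN)",
        "CHGSYSVAL SYSVAL(QSSLCSL) VALUE('" + " ".join(keep) + "')",
    ]

if __name__ == "__main__":
    weak, keep = audit(parse_qsslcsl(SAMPLE_DSPSYSVAL))
    print("weak suites present:", weak)
    print("\n".join(chgsysval_commands(keep)))
```

Keep the printed DSPSYSVAL output from before the change alongside the generated commands, since switching QSSLCSLCTL back to *OPSYS later resets QSSLCSL to the system default, as Paul observed.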