


Was reviewing V7R3 SSL ciphers.
Found this link that IBM is suggesting weak ciphers should be disabled.

Configuring Your IBM i System Secure Sockets Layer (SSL)/Transport Layer Security (TLS) Protocols and Cipher Suites
http://www-01.ibm.com/support/docview.wss?uid=nas8N1020876

Weak Cipher Suites (as of March 2018):
*RSA_RC4_128_SHA
*RSA_RC4_128_MD5
*RSA_NULL_MD5
*RSA_NULL_SHA
*RSA_NULL_SHA256
*RSA_DES_CBC_SHA
*RSA_EXPORT_RC4_40_MD5
*RSA_EXPORT_RC2_CBC_40_MD5
*RSA_RC2_CBC_128_MD5
*RSA_DES_CBC_MD5
*RSA_3DES_EDE_CBC_MD5
*RSA_3DES_EDE_CBC_SHA
*ECDHE_ECDSA_NULL_SHA
*ECDHE_ECDSA_RC4_128_SHA
*ECDHE_RSA_NULL_SHA
*ECDHE_RSA_RC4_128_SHA
*ECDHE_RSA_3DES_EDE_CBC_SHA
*ECDHE_ECDSA_3DES_EDE_CBC_SHA

3 of the weak ciphers are part of V7R3 default QSSLCSL - Secure sockets layer cipher specification list
150 *ECDHE_ECDSA_3DES_EDE_CBC_SHA
160 *ECDHE_RSA_3DES_EDE_CBC_SHA
170 *RSA_3DES_EDE_CBC_SHA

Initially, IBM stated that the latest PTFs will disable the weak ciphers.
However, additional follow-up is requiring us to change from default SSL to custom SSL settings to remove these ciphers.

PTFs only disable the cipher suite from being used by default on SSL/TLS connections. PTFs will never physically remove a cipher suite or protocol from your IBM i system value. In order to remove these cipher suites from QSSLCSL, you will need to first set QSSLCSLCTL to *USRDFN. After doing this, you would then remove the cipher suites from the value of QSSLCSL.

Summary.
Back to custom SSL config, similar to what I had on V7R1.

Thank You
_____
Paul Steinmetz
IBM i Systems Administrator

Pencor Services, Inc.
462 Delaware Ave
Palmerton Pa 18071

610-826-9117 work
610-826-9188 fax
610-349-0913 cell
610-377-6012 home

psteinmetz@xxxxxxxxxx
http://www.pencor.com/
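
An added example, not part of the original post or of IBM's document: a small audit that checks a QSSLCSL listing against the weak-suite list quoted in the post and builds the two CHGSYSVAL commands for the *USRDFN change described above. The sample listing is constructed for illustration (only the entries at 150 to 170 come from the post), and the function names are hypothetical.

```python
import re

# Weak suites exactly as listed in the post (IBM's list as of March 2018).
WEAK = frozenset("""
*RSA_RC4_128_SHA *RSA_RC4_128_MD5 *RSA_NULL_MD5 *RSA_NULL_SHA *RSA_NULL_SHA256
*RSA_DES_CBC_SHA *RSA_EXPORT_RC4_40_MD5 *RSA_EXPORT_RC2_CBC_40_MD5
*RSA_RC2_CBC_128_MD5 *RSA_DES_CBC_MD5 *RSA_3DES_EDE_CBC_MD5 *RSA_3DES_EDE_CBC_SHA
*ECDHE_ECDSA_NULL_SHA *ECDHE_ECDSA_RC4_128_SHA *ECDHE_RSA_NULL_SHA
*ECDHE_RSA_RC4_128_SHA *ECDHE_RSA_3DES_EDE_CBC_SHA *ECDHE_ECDSA_3DES_EDE_CBC_SHA
""".split())

# Constructed sample listing (sequence number + suite); NOT the real V7R3 default.
SAMPLE = """\
 10 *ECDHE_ECDSA_AES_128_GCM_SHA256
 20 *ECDHE_RSA_AES_128_GCM_SHA256
 30 *RSA_AES_128_GCM_SHA256
150 *ECDHE_ECDSA_3DES_EDE_CBC_SHA
160 *ECDHE_RSA_3DES_EDE_CBC_SHA
170 *RSA_3DES_EDE_CBC_SHA
"""

def parse_suites(text):
    """Return *NAME tokens in listed order, ignoring sequence numbers and repeats."""
    seen, ordered = set(), []
    for name in re.findall(r"\*[A-Z0-9_]+", text.upper()):
        if name not in seen:
            seen.add(name)
            ordered.append(name)
    return ordered

def audit(text):
    """Split a listing into (weak, keep), preserving preference order."""
    suites = parse_suites(text)
    return ([s for s in suites if s in WEAK],
            [s for s in suites if s not in WEAK])

def remediation(keep):
    """Build the CL commands: switch to *USRDFN first, then set the trimmed list."""
    if not keep:
        raise ValueError("no suites would remain; refusing to build an empty list")
    return ["CHGSYSVAL SYSVAL(QSSLCSLCTL) VALUE(*USRDFN)",
            "CHGSYSVAL SYSVAL(QSSLCSL) VALUE('%s')" % " ".join(keep)]

if __name__ == "__main__":
    weak, keep = audit(SAMPLE)
    print("weak suites present:", ", ".join(weak) or "none")
    print("\n".join(remediation(keep)))
```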







This mailing list archive is Copyright 1997-2026 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].
