


Rob,

I found that if you change QSSLCSLCTL back to *OPSYS (had to change to *USRDFN to remove the ciphers),
it automatically sets QSSLCSL back to the system default cipher list.

Paul

-----Original Message-----
From: MIDRANGE-L [mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of Rob Berendt
Sent: Thursday, March 29, 2018 7:29 AM
To: Midrange Systems Technical Discussion
Subject: Re: Disabling / Removing V7R3 SSL weak ciphers

I browsed the 7.3 PTF cover letters for: cipher
MF62780 - LIC-SSL Remove 3DES from System SSL/TLS default
SI62586 - F/TRIPLE-DES CAN RESULT IN CVE-2016-2183 AND CVE-2016-6329

Granted, some of these only remove a cipher from a particular application, like LDAP.

Perhaps if you documented which ciphers you removed from the suite you could occasionally change QSSLCSLCTL back to system default and see what it changes QSSLCSL to.
If you forget to document you could simply do a DSPSYSVAL QSSLCSL
OUTPUT(*PRINT) before any changes.


Rob Berendt
--
IBM Certified System Administrator - IBM i 6.1
Group Dekko
Dept 1600
Mail to: 2505 Dekko Drive
Garrett, IN 46738
Ship to: Dock 108
6928N 400E
Kendallville, IN 46755
http://www.dekko.com





From: "Steinmetz, Paul" <PSteinmetz@xxxxxxxxxx>
To: "'Midrange Systems Technical Discussion'"
<midrange-l@xxxxxxxxxxxx>
Date: 03/28/2018 07:44 PM
Subject: Disabling / Removing V7R3 SSL weak ciphers
Sent by: "MIDRANGE-L" <midrange-l-bounces@xxxxxxxxxxxx>



Was reviewing V7R3 SSL ciphers.
Found this link that IBM is suggesting weak ciphers should be disabled.

Configuring Your IBM i System Secure Sockets Layer (SSL)/Transport Layer
Security (TLS) Protocols and Cipher Suites
http://www-01.ibm.com/support/docview.wss?uid=nas8N1020876

Weak Cipher Suites (as of March 2018):
*RSA_RC4_128_SHA
*RSA_RC4_128_MD5
*RSA_NULL_MD5
*RSA_NULL_SHA
*RSA_NULL_SHA256
*RSA_DES_CBC_SHA
*RSA_EXPORT_RC4_40_MD5
*RSA_EXPORT_RC2_CBC_40_MD5
*RSA_RC2_CBC_128_MD5
*RSA_DES_CBC_MD5
*RSA_3DES_EDE_CBC_MD5
*RSA_3DES_EDE_CBC_SHA
*ECDHE_ECDSA_NULL_SHA
*ECDHE_ECDSA_RC4_128_SHA
*ECDHE_RSA_NULL_SHA
*ECDHE_RSA_RC4_128_SHA
*ECDHE_RSA_3DES_EDE_CBC_SHA
*ECDHE_ECDSA_3DES_EDE_CBC_SHA

3 of the weak ciphers are part of V7R3 default QSSLCSL - Secure sockets
layer cipher specification list
150 *ECDHE_ECDSA_3DES_EDE_CBC_SHA
160 *ECDHE_RSA_3DES_EDE_CBC_SHA
170 *RSA_3DES_EDE_CBC_SHA

Initially, IBM stated that the latest PTFs will disable the weak ciphers.
However, additional follow-up is requiring us to change from default SSL
to custom SSL settings to remove these ciphers.

PTFs only disable the cipher suite from being used by default on SSL/TLS
connections. PTFs will never physically remove a cipher suite or protocol
from your IBM i system value. In order to remove these cipher suites from
QSSLCSL, you will need to first set QSSLCSLCTL to *USRDFN. After doing
this, you would then remove the cipher suites from the value of QSSLCSL.

Summary.
Back to custom SSL config, similar to what I had on V7R1.

Thank You
_____
Paul Steinmetz
IBM i Systems Administrator

Pencor Services, Inc.
462 Delaware Ave
Palmerton Pa 18071

610-826-9117 work
610-826-9188 fax
610-349-0913 cell
610-377-6012 home

psteinmetz@xxxxxxxxxx
http://www.pencor.com/
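
Added example, not part of the original thread: a small Python helper that takes a saved QSSLCSL listing (as suggested above with DSPSYSVAL before any change), flags the entries that appear on the weak-cipher list quoted in the message, and drafts the two CHGSYSVAL commands for the *USRDFN procedure described. The sample listing is constructed; its two AES entries and the function names are assumptions for illustration.

```python
import re

# Weak cipher suites exactly as listed in the message above (as of March 2018).
WEAK = frozenset("""
*RSA_RC4_128_SHA *RSA_RC4_128_MD5 *RSA_NULL_MD5 *RSA_NULL_SHA *RSA_NULL_SHA256
*RSA_DES_CBC_SHA *RSA_EXPORT_RC4_40_MD5 *RSA_EXPORT_RC2_CBC_40_MD5
*RSA_RC2_CBC_128_MD5 *RSA_DES_CBC_MD5 *RSA_3DES_EDE_CBC_MD5 *RSA_3DES_EDE_CBC_SHA
*ECDHE_ECDSA_NULL_SHA *ECDHE_ECDSA_RC4_128_SHA *ECDHE_RSA_NULL_SHA
*ECDHE_RSA_RC4_128_SHA *ECDHE_RSA_3DES_EDE_CBC_SHA *ECDHE_ECDSA_3DES_EDE_CBC_SHA
""".split())

# Constructed sample of a saved QSSLCSL listing (sequence number, cipher name).
# Entries 150-170 are the three quoted in the thread; 130-140 are assumed here.
SAMPLE_LISTING = """\
 130  *RSA_AES_128_CBC_SHA
 140  *RSA_AES_256_CBC_SHA
 150  *ECDHE_ECDSA_3DES_EDE_CBC_SHA
 160  *ECDHE_RSA_3DES_EDE_CBC_SHA
 170  *RSA_3DES_EDE_CBC_SHA
"""

ENTRY = re.compile(r"^\s*(\d+)\s+(\*[A-Z0-9_]+)\s*$")

def parse_listing(text):
    """Return cipher names in sequence order; headings and blanks are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            entries.append((int(m.group(1)), m.group(2)))
    return [name for _, name in sorted(entries)]

def plan_removal(text):
    """Split the listing into weak/kept ciphers and draft the CL commands."""
    ciphers = parse_listing(text)
    weak = [c for c in ciphers if c in WEAK]
    keep = [c for c in ciphers if c not in WEAK]
    if not keep:
        raise ValueError("no non-weak ciphers would remain in QSSLCSL")
    cmds = []
    if weak:  # only switch to a user-defined list when something must go
        cmds = ["CHGSYSVAL SYSVAL(QSSLCSLCTL) VALUE(*USRDFN)",
                "CHGSYSVAL SYSVAL(QSSLCSL) VALUE('%s')" % " ".join(keep)]
    return weak, keep, cmds

if __name__ == "__main__":
    weak, keep, cmds = plan_removal(SAMPLE_LISTING)
    print("weak entries:", ", ".join(weak) or "none")
    print("\n".join(cmds))
```

Keeping the saved listing alongside the drafted commands documents which ciphers were removed, which matters because switching QSSLCSLCTL back to *OPSYS resets QSSLCSL to the system default list.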





