Not sure if helpful, but you can see, among other things, what ciphers are enabled for a system, 7.3 and above, using RSE API REST API /api/v1/security/tls (part of security services which include DCM-like function via REST APIs).
It will give you a response like the following:
{
  "supportedProtocols": [
    "TLSv1.3",
    "TLSv1.2"
  ],
  "eligibleDefaultProtocols": [
    "TLSv1.3",
    "TLSv1.2"
  ],
  "defaultProtocols": [
    "TLSv1.3",
    "TLSv1.2"
  ],
  "supportedCipherSuites": [
    "AES_128_GCM_SHA256",
    "AES_256_GCM_SHA384",
    "CHACHA20_POLY1305_SHA256",
    "ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
    "ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"
  ],
  "eligibleDefaultCipherSuites": [
    "AES_128_GCM_SHA256",
    "AES_256_GCM_SHA384",
    "CHACHA20_POLY1305_SHA256",
    "ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
    "ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"
  ],
  "defaultCipherSuites": [
    "AES_128_GCM_SHA256",
    "AES_256_GCM_SHA384",
    "CHACHA20_POLY1305_SHA256",
    "ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
    "ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"
  ],
  "supportedSignatureAlgorithms": [
    "ECDSA_SHA512",
    "ECDSA_SHA384",
    "ECDSA_SHA256",
    "RSA_PSS_SHA512",
    "RSA_PSS_SHA384",
    "RSA_PSS_SHA256",
    "RSA_SHA512",
    "RSA_SHA384",
    "RSA_SHA256"
  ],
  "defaultSignatureAlgorithms": [
    "ECDSA_SHA512",
    "ECDSA_SHA384",
    "ECDSA_SHA256",
    "RSA_PSS_SHA512",
    "RSA_PSS_SHA384",
    "RSA_PSS_SHA256",
    "RSA_SHA512",
    "RSA_SHA384",
    "RSA_SHA256"
  ],
  "supportedSignatureAlgorithmCertificates": [
    "ECDSA_SHA512",
    "ECDSA_SHA384",
    "ECDSA_SHA256",
    "ECDSA_SHA224",
    "ECDSA_SHA1",
    "RSA_PSS_SHA512",
    "RSA_PSS_SHA384",
    "RSA_PSS_SHA256",
    "RSA_SHA512",
    "RSA_SHA384",
    "RSA_SHA256",
    "RSA_SHA224",
    "RSA_SHA1",
    "RSA_MD5"
  ],
  "defaultSignatureAlgorithmCertificates": [
    "ECDSA_SHA512",
    "ECDSA_SHA384",
    "ECDSA_SHA256",
    "RSA_PSS_SHA512",
    "RSA_PSS_SHA384",
    "RSA_PSS_SHA256",
    "RSA_SHA512",
    "RSA_SHA384",
    "RSA_SHA256"
  ],
  "supportedNamedCurves": [
    "x25519",
    "x448",
    "Secp256r1",
    "Secp384r1",
    "Secp521r1"
  ],
  "defaultNamedCurves": [
    "Secp256r1",
    "Secp384r1",
    "x25519",
    "Secp521r1",
    "x448"
  ],
  "defaultMinimumRSAKeySize": 0,
  "handshakeConnectionCounts": false,
  "secureSessionCaching": true,
  "auditSecureTelnetHandshakes": false
}
More information may be found at:
https://www.ibm.com/support/pages/node/7144245
From: MIDRANGE-L <midrange-l-bounces@xxxxxxxxxxxxxxxxxx> on behalf of Rob Berendt <robertowenberendt@xxxxxxxxx>
Date: Wednesday, March 20, 2024 at 12:32 PM
To: Midrange Systems Technical Discussion <midrange-l@xxxxxxxxxxxxxxxxxx>
Subject: [EXTERNAL] Re: *NETSECURE & cipher names
I suggest you submit an idea that IBM remedy this
https://ibm-power-systems.ideas.ibm.com/ideas
On Wed, Mar 20, 2024 at 12:53 PM Justin Taylor <jtaylor.0ab@xxxxxxxxx>
wrote:
I'm trying to identify clients with old ciphers that need to be updated.
The audit journal gives me the cipher suites they're using, but the names
given don't match the docs (
https://www.ibm.com/docs/en/i/7.5?topic=srsv-transport-layer-security-tls-cipher-specification-list-qsslcsl
).
For example the journal gives:
TLS_RSA_WITH_AES_128_CBC_SHA256 RSA_SHA256
Is there a cross-reference, or some way to translate one to the other?
TIA
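
Added example (not part of the original thread, and not IBM's code): one way to use the /api/v1/security/tls response shown above to list values that are supported but not enabled by default, and to flag audit-journal cipher names that fall outside defaultCipherSuites. The sample JSON is a trimmed, constructed copy of that response, the function names are hypothetical, and stripping the `TLS_` prefix to compare journal names with API names is an assumption to verify against your own journal entries.

```python
import json

# Constructed sample: a trimmed copy of the response quoted in the reply above.
SAMPLE = json.loads("""
{
  "supportedCipherSuites": ["AES_128_GCM_SHA256", "ECDHE_RSA_WITH_AES_128_GCM_SHA256"],
  "defaultCipherSuites": ["AES_128_GCM_SHA256", "ECDHE_RSA_WITH_AES_128_GCM_SHA256"],
  "supportedSignatureAlgorithmCertificates":
    ["ECDSA_SHA256", "ECDSA_SHA1", "RSA_SHA256", "RSA_SHA1", "RSA_MD5"],
  "defaultSignatureAlgorithmCertificates": ["ECDSA_SHA256", "RSA_SHA256"]
}
""")


def supported_not_default(cfg):
    """Map each 'supportedX' key to the values missing from its 'defaultX' list."""
    gaps = {}
    for key, values in cfg.items():
        if not key.startswith("supported") or not isinstance(values, list):
            continue
        default_key = "default" + key[len("supported"):]
        if default_key not in cfg:
            continue
        defaults = set(cfg[default_key])
        extra = [v for v in values if v not in defaults]
        if extra:
            gaps[key] = extra
    return gaps


def journal_suites_outside_default(cfg, journal_names):
    """Return journal cipher names that do not match any default cipher suite.

    Assumption: a journal name equals the API name with a leading 'TLS_'.
    """
    enabled = set(cfg.get("defaultCipherSuites", []))
    flagged = []
    for name in journal_names:
        api_name = name[4:] if name.startswith("TLS_") else name
        if api_name not in enabled:
            flagged.append(name)
    return flagged


if __name__ == "__main__":
    print(supported_not_default(SAMPLE))
    # First name is the one quoted from the journal; the second is constructed.
    seen = ["TLS_RSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"]
    print(journal_suites_outside_default(SAMPLE, seen))
```
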