Has anyone configured their i5/OS Apache web server that already uses
SSL to not support weak encryption standards, i.e. 40 & 56-bit? If so,
which protocols did you leave enabled? As we currently do TLS 1.0 with
SSL 3.0, I'm thinking the httpd.conf would look like this:
SSLVersion TLSV1_SSLV3
SSLCipherSpec SSL_RSA_WITH_RC4_128_MD5
SSLCipherSpec SSL_RSA_WITH_RC4_128_SHA
SSLCipherSpec SSL_RSA_WITH_3DES_EDE_CBC_SHA
SSLCipherSpec TLS_RSA_WITH_AES_128_CBC_SHA
SSLCipherSpec TLS_RSA_WITH_AES_256_CBC_SHA
SSLCipherSpec SSL_RSA_WITH_RC4_128_MD5
SSLCipherSpec SSL_RSA_WITH_RC4_128_SHA
SSLCipherSpec SSL_RSA_WITH_3DES_EDE_CBC_SHA
Is there anything else special that needs to be done?
At http://publib.boulder.ibm.com/infocenter/iseries/v5r3/index.jsp?topic=/rzain/rzainplanssl.htm ,
IBM has this: "Note: If you want to restrict SSL
from supporting less than 128 bits of secret material within the
symmetric key, click the Send feedback link located at the top of this
page and fill out the form with your contact information. In the
comments section of the form, include the following text "I would like
instructions on how to restrict SSL from supporting less than 128 bits
of secret material within the symmetric key on a system running V5R3
OS/400" and click Submit. You will be contacted with further
instructions."
As that comment is in the same bullet as Crypto Access Provider, it
makes me wonder if a tweak to 5722-AC3 is needed. I sent in the
feedback as requested; hopefully IBM will respond shortly.
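
Added example, not part of the original post and not IBM code: a small Python check that reads SSLCipherSpec lines like the ones above, derives each suite's nominal key length from its name, and reports entries below 128 bits as well as repeated entries. The sample configuration is constructed from the post's list plus two weak suites whose names are standard but assumed to be accepted by the directive.

```python
import re

# Constructed sample: the post's directives plus two weak suites (names assumed valid).
SAMPLE_CONF = """\
SSLVersion TLSV1_SSLV3
SSLCipherSpec SSL_RSA_WITH_RC4_128_MD5
SSLCipherSpec SSL_RSA_WITH_RC4_128_SHA
SSLCipherSpec SSL_RSA_WITH_3DES_EDE_CBC_SHA
SSLCipherSpec TLS_RSA_WITH_AES_128_CBC_SHA
SSLCipherSpec TLS_RSA_WITH_AES_256_CBC_SHA
SSLCipherSpec SSL_RSA_WITH_RC4_128_MD5
SSLCipherSpec SSL_RSA_WITH_RC4_128_SHA
SSLCipherSpec SSL_RSA_WITH_3DES_EDE_CBC_SHA
SSLCipherSpec SSL_RSA_EXPORT_WITH_RC4_40_MD5
SSLCipherSpec SSL_RSA_WITH_DES_CBC_SHA
"""

# Cipher token in the suite name -> nominal symmetric key length in bits.
KEY_BITS = [
    (r"_NULL_", 0),
    (r"_3DES_EDE_CBC_", 168),
    (r"_DES40_CBC_|_(?:RC4|RC2_CBC)_40_", 40),
    (r"_DES_CBC_|_RC4_56_", 56),
    (r"_(?:RC4|AES)_128_", 128),
    (r"_AES_256_", 256),
]

def key_bits(suite):
    return next((bits for pat, bits in KEY_BITS if re.search(pat, suite)), None)

def audit(conf_text, min_bits=128):  # -> [(line number, suite, note), ...]
    findings, seen = [], set()
    for lineno, line in enumerate(conf_text.splitlines(), 1):
        m = re.match(r"\s*SSLCipherSpec\s+(\S+)", line, re.IGNORECASE)
        if not m:
            continue
        suite, bits = m.group(1), key_bits(m.group(1))
        if suite in seen:
            findings.append((lineno, suite, "duplicate entry"))
        elif bits is None:
            findings.append((lineno, suite, "unrecognised suite name"))
        elif bits < min_bits:
            findings.append((lineno, suite, "weak: %d-bit key" % bits))
        seen.add(suite)
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONF):
        print("line %d: %s (%s)" % finding)
```

The check only covers what is listed in the file; whether suites that are not listed stay enabled depends on the server and is not tested here.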