Beyond SSL: IBM i OS Transport Security - NHMUG

Post on 11-Apr-2018

12/5/2016

1

Welcome to the Waitless World

© 2015 IBM Corporation

Beyond SSL: IBM i OS Transport Security

Speaker: Wayne Bowers

IBM i Global Support

Agenda

• Background

• Controls for Protocols and Ciphers

• IBM i OS r7.1 TR6

• IBM i OS r7.2

• IBM i OS r7.3

• How To: Telnet Server Example

• Other Application Considerations

• Debug and Data Collection

Background

What is SSL?

• Secure Sockets Layer

– Sub layer in the Sockets

– Provides

• Partner verification

• Encryption of data during transport

• Defined by Netscape

[Diagram: layers labelled Internet Protocol (IP), Transport Control Protocol (TCP), Sockets, SSL]

SSL Protocol Details

• http://en.wikipedia.org/wiki/Transport_Layer_Security

• SSL defined by Netscape

– Original version never publicly released

– SSL v2, many security flaws, quickly replaced

– SSL v3

• Industry standards adopted as Transport Layer Security (TLS) and continue forward under review by the IETF via RFCs

SSL Versions

Protocol Version    Year Released
SSL v1              Never publicly released
SSL v2              1995
SSL v3              1996
TLS v1.0            1999 (RFC 2246)
TLS v1.1            2006 (RFC 4346)
TLS v1.2            2008 (RFC 5246)

IBM i SSL Implementation

• Verify application is enabled for SSL

• Use DCM to Configure SSL environment

– Create Certificate(s)

• or

– Import Externally created Certificate(s): Verisign, Thawte, GoDaddy etc

– Assign Certificate to the Server (or client) Application

• Restart the Application (usually)

• Ensure that Certificate Trust is setup

• Connect!

Controls for Protocols and Ciphers

System Values for Secure Transport

• IBM i OS r6.1 introduced system values

– WRKSYSVAL QSSL*

    Work with System Values
                                                     System:   RCHASMA6
    Position to . . . . . .            Starting characters of system value
    Subset by Type . . . . .           F4 for list

    Type options, press Enter.
      2=Change   5=Display

              System
    Option    Value        Type    Description
              QSSLCSL      *SEC    Secure sockets layer cipher specification list
              QSSLCSLCTL   *SEC    Secure sockets layer cipher control
              QSSLPCL      *SEC    Secure sockets layer protocols
                                                                     Bottom

System Values for Secure Transport

• QSSLPCL

• PCL= Protocols

– List of protocols enabled on the system

– Can be used to disable 'weaker' older protocols

– Can be used to enable newer protocols

– Keep list contiguous! Do not skip a version in the middle

• Examples:

» Do: TLSV1.2, TLSV1.1, TLSV1

» Do not: TLSV1.2, TLSV1

System Values for Secure Transport

• QSSLCSLCTL: Cipher Control

– *OPSYS

• Use OS Default Protocol List

– *USRDFN

• Used to modify QSSLCSL

• QSSLCSL: Secure sockets layer cipher specification list

– Ordered list of Cipher Suites to be checked during SSL Handshaking

– IBM i will start at the top of the QSSLCSL cipher suite list and look for the first cipher suite that the client supports

– To use “stronger” ciphers

• Move strong ciphers to top of the QSSLCSL list

• Check partner (client or server) to verify ciphers that they enable

IBM i OS r7.1 TR6

Technology Refresh 6

• Available February 2013

– SF99707 level 6, MF99006

• Among other things...big changes for Transport Security (SSL)

TR6 Enhancements

• QSSLPCL (protocols)

– New protocols

• *TLSV1.2

• *TLSV1.1

• QSSLCSL (ciphers)

– New Ciphers

• *RSA_AES_256_CBC_SHA256

• *RSA_AES_128_CBC_SHA256

• *RSA_NULL_SHA256

DCM Changes

• Digital Certificate Manager (DCM) Application definitions expanded with TR6

• Can now specify protocol and ciphers for each application

Example DCM Application

System Values vs. DCM

• Same information in both places, what has priority?

– System Values enable for applications system wide

– The DCM Application definition is only for that one application

• DCM's Application settings need to subset the system values

• DCM's settings have priority for that one application

– But, the protocol or cipher must still be enabled in the system values to be used

– If DCM specifies a protocol/cipher that is not enabled in the system values, it is silently ignored

System Values vs. DCM

• SSL protocols

• You can change this value for any application definition. Select a value to indicate which SSL protocol versions are supported by the application.

• *PGM

• Select this value if the program using this "application ID" has already set the SSL protocol attribute to the appropriate value. All System SSL programs have an attribute value set either explicitly via an API call or implicitly by default. *PGM should be used unless it is known that the required attribute value is not set by the program.

• Define protocols supported

• Select this value and then fill in the check box for each of the protocols to be supported by this application. Protocols identified here that are not enabled on the system via QSSLPCL system value will be silently ignored as long as at least one of the selected protocols is enabled on the system. Selecting this value will override the value set internally by the program.

System Values vs. DCM Example

• System Values

– QSSLPCL: TLS1.2, TLS1.1

– QSSLCSL:

*RSA_AES_256_CBC_SHA256

*RSA_AES_128_CBC_SHA256

*RSA_AES_128_CBC_SHA

• DCM Telnet Server Application

– SSL Protocols: TLS 1.1

– SSL Cipher Spec Options:

*RSA_AES_128_CBC_SHA

*RSA_3DES_EDE_CBC_SHA

The Telnet Server can use TLS 1.1 and *RSA_AES_128_CBC_SHA since they are enabled in both places

Ciphers vs. Protocols

• Cipher Suites are only valid for certain protocols

– Examples

• *RSA_DES_CBC_MD5 is SSLV2 only

• *RSA_AES_256_CBC_SHA256 is TLS V 1.2 only

• *RSA_NULL_SHA valid for TLS 1.2, 1.1, 1.0 and SSLV3

• When enabling ciphers or protocols in system values or DCM, make sure that the combinations are valid
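
The rules from the preceding slides (DCM settings must subset the system values, QSSLPCL must stay contiguous, ciphers are only valid for certain protocols, the server walks its list top down) can be checked before a change is made. This is an added example, not IBM code and not part of the original slides; the function names are hypothetical, the `*SSLV2`/`*SSLV3` spellings and the choice to keep the DCM definition's cipher order are assumptions, and the validity map holds only the three cipher examples given above.

```python
# Added example: a model of the rules stated on the slides, not IBM code.
# Protocol names use the QSSLPCL spelling (*TLSV1.2); *SSLV2/*SSLV3 are assumed.
PROTOCOL_ORDER = ["*SSLV2", "*SSLV3", "*TLSV1", "*TLSV1.1", "*TLSV1.2"]  # oldest first

# Cipher-to-protocol validity, limited to the three examples the slides give.
# Ciphers that are not in this map are not checked.
VALID_FOR = {
    "*RSA_DES_CBC_MD5": {"*SSLV2"},
    "*RSA_AES_256_CBC_SHA256": {"*TLSV1.2"},
    "*RSA_NULL_SHA": {"*TLSV1.2", "*TLSV1.1", "*TLSV1", "*SSLV3"},
}


def is_contiguous(protocols):
    """QSSLPCL rule: the enabled versions must not skip one in the middle."""
    ranks = sorted(PROTOCOL_ORDER.index(p) for p in protocols)
    return all(b - a == 1 for a, b in zip(ranks, ranks[1:]))


def subset(dcm_list, system_list, kind):
    """Keep DCM entries the system value enables; the rest are silently ignored."""
    kept = [x for x in dcm_list if x in system_list]
    ignored = [x for x in dcm_list if x not in system_list]
    if not kept:
        # The slides require at least one selected entry to be enabled system wide.
        raise ValueError(f"no DCM {kind} is enabled in the system values")
    return kept, ignored


def resolve(qsslpcl, qsslcsl, dcm_protocols, dcm_ciphers):
    """Effective protocols and ciphers for one DCM application definition."""
    protocols, ignored_p = subset(dcm_protocols, qsslpcl, "protocol")
    ciphers, ignored_c = subset(dcm_ciphers, qsslcsl, "cipher")
    warnings = []
    if not is_contiguous(qsslpcl):
        warnings.append("QSSLPCL skips a protocol version")
    for cipher in ciphers:
        if cipher in VALID_FOR and not VALID_FOR[cipher] & set(protocols):
            warnings.append(f"{cipher} is not valid for any effective protocol")
    return {"protocols": protocols, "ciphers": ciphers,
            "ignored": ignored_p + ignored_c, "warnings": warnings}


def select_cipher(server_ciphers, client_ciphers, protocol):
    """Start at the top of the server list; first suite the client supports wins."""
    for cipher in server_ciphers:
        if cipher in VALID_FOR and protocol not in VALID_FOR[cipher]:
            continue  # known to be invalid for the negotiated protocol
        if cipher in client_ciphers:
            return cipher
    return None


# Values from the "System Values vs. DCM Example" slide.
SLIDE_EXAMPLE = resolve(
    qsslpcl=["*TLSV1.2", "*TLSV1.1"],
    qsslcsl=["*RSA_AES_256_CBC_SHA256", "*RSA_AES_128_CBC_SHA256", "*RSA_AES_128_CBC_SHA"],
    dcm_protocols=["*TLSV1.1"],
    dcm_ciphers=["*RSA_AES_128_CBC_SHA", "*RSA_3DES_EDE_CBC_SHA"],
)

if __name__ == "__main__":
    print(SLIDE_EXAMPLE)
```
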

Ciphers vs. Protocols

IBM i OS r7.2

New in SSL with r7.2

• New Default Protocol List

• New Ciphers

• Multiple Certificate Support

• http://www-01.ibm.com/support/knowledgecenter/ssw_ibm_i_72/rzain/rzainwhatnew.htm?lang=en

Protocols

• Shipped Operating System Protocol List

– TLS 1.2, 1.1, 1.0 enabled

– SSLV3 and SSLV2 not enabled by default

• QSSLPCL System Value Defaults to *OPSYS

– TLS 1.2, 1.1, 1.0

– SSL v3, v2 available

• Clients unable to use TLS 1.0 or higher may have connection problems

SSLV3 Disablement PTFs

• In July 2015 HIPER / Security Group PTFs were released to remove SSL v2, SSL v3 protocols and RC4 based ciphers from the eligible system list

– r6.1 SI57357 & MF60331

– r6.1.1 SI57357 & MF60338

– r7.1 SI57332 & MF60335

– r7.2 SI57320 & MF60333 & MF60334

• If these Protocols or Ciphers are absolutely needed they cannot be simply enabled via the QSSL* System Values

• Must be re-added to internal System SSL eligible default lists via SST Advanced Analysis Macro

• Then the QSSL* System Values can be used to enable these

New Ciphers

• New Ciphers for Elliptic Curve

• http://www-01.ibm.com/support/knowledgecenter/ssw_ibm_i_72/rzaq9/rzaq9osSSLcipher.htm?lang=en

• Different, not necessarily stronger

– Asymmetric encryption algorithm similar to RSA

– Advantage over RSA in that it has smaller key sizes and better computational performance

• Requires Elliptic Curve Digital Signature (ECDSA) certificates

*ECDHE_ECDSA_AES_128_CBC_SHA256

*ECDHE_ECDSA_AES_256_CBC_SHA384

*ECDHE_ECDSA_AES_128_GCM_SHA256

*ECDHE_ECDSA_AES_256_GCM_SHA384

*ECDHE_RSA_AES_128_CBC_SHA256

*ECDHE_RSA_AES_256_CBC_SHA384

*ECDHE_RSA_AES_128_GCM_SHA256

*ECDHE_RSA_AES_256_GCM_SHA384

*ECDHE_ECDSA_3DES_EDE_CBC_SHA

*ECDHE_RSA_3DES_EDE_CBC_SHA

*ECDHE_ECDSA_RC4_128_SHA

*ECDHE_RSA_RC4_128_SHA

*ECDHE_ECDSA_NULL_SHA

*ECDHE_RSA_NULL_SHA

r7.2 Cipher List

http://www-01.ibm.com/support/knowledgecenter/ssw_ibm_i_72/rzain/rzainciphers.htm?lang=en

System SSL 7.2 Default Cipher Suite List

QSSLCSL *OPSYS value

ECDHE_ECDSA_AES_128_CBC_SHA256

ECDHE_ECDSA_AES_256_CBC_SHA384

ECDHE_ECDSA_AES_128_GCM_SHA256

ECDHE_ECDSA_AES_256_GCM_SHA384

RSA_AES_128_CBC_SHA256

RSA_AES_128_CBC_SHA

RSA_AES_256_CBC_SHA256

RSA_AES_256_CBC_SHA

RSA_AES_128_GCM_SHA256

RSA_AES_256_GCM_SHA384

ECDHE_RSA_AES_128_CBC_SHA256

ECDHE_RSA_AES_256_CBC_SHA384

ECDHE_RSA_AES_128_GCM_SHA256

ECDHE_RSA_AES_256_GCM_SHA384

ECDHE_ECDSA_3DES_EDE_CBC_SHA

ECDHE_RSA_3DES_EDE_CBC_SHA

RSA_3DES_EDE_CBC_SHA

*ECDHE_ECDSA_RC4_128_SHA

*ECDHE_RSA_RC4_128_SHA

*RSA_RC4_128_SHA

Key takeaways

• MD5 removed

• RC4 moved to bottom *

• ECDSA preferred

* disabled via PTF can be added/enabled in Service Tools

New Ciphers

• Not all ciphers can be used with all certificates

– Cipher name ECDHE_ECDSA_* need ECDSA key/certificate

– Cipher name ECDHE_RSA_* need RSA key/certificate

– Cipher TLS_RSA* needs an RSA key/certificate

• http://www-01.ibm.com/support/knowledgecenter/ssw_ibm_i_72/rzain/rzainmultcert.htm?lang=en

Multi-Certificate Support

• Traditionally

– Assign one Server Certificate to the server application

• IBM i OS r7.2 allows multiple certificates

– Up to 4 Server Certificates assigned to an application at 1 time

– Allows for Support of RSA and ECDSA Certificates/Ciphers at the same time.

http://www-01.ibm.com/support/knowledgecenter/ssw_ibm_i_72/rzain/rzainmultcert.htm?lang=en

Multiple Server Certificates

SSLV3 Disablement PTFs

SSLv3 and RC4 removed from default list

• HIPER PTFs prevent SSLv3 and RC4 from default use

• Not removed from the system values

• SSLCONFIG controls values.

-eligibleDefaultCipherSuites:<cipherSuiteNumber>[,<cipherSuiteNumber>...]

Set the System SSL eligible default cipher suite list.

This option takes a comma separated list of numbers to determine the eligible default cipher suites. This list is used along with QSSLCSL to generate the default cipher suite list used by System SSL.

-eligibleDefaultProtocols:<ProtocolNumber>[,<ProtocolNumber>...]

Set the System SSL eligible default protocol list.

This option takes a comma separated list of numbers to determine the System SSL eligible default protocol list. This list is used along with QSSLPCL to generate the default Protocol list used by System SSL. <7.1 can add TLSv1.2 and TLSv1.1>

IBM i 6.1 – SI57357, MF60331, MF60429

IBM i 6.1.1 – SI57357, MF60338, MF60431

IBM i 7.1 – SI57332, MF60335, MF60430

IBM i 7.2 – SI57320, MF60333, MF60334, MF60432

IBM i OS r7.3

System SSL 7.3 Default Cipher Suite List

QSSLCSL *OPSYS value

• *ECDHE_ECDSA_AES_128_GCM_SHA256

• *ECDHE_ECDSA_AES_256_GCM_SHA384

• *ECDHE_RSA_AES_128_GCM_SHA256

• *ECDHE_RSA_AES_256_GCM_SHA384

• *RSA_AES_128_GCM_SHA256

• *RSA_AES_256_GCM_SHA384

• *ECDHE_ECDSA_AES_128_CBC_SHA256

• *ECDHE_ECDSA_AES_256_CBC_SHA384

• *ECDHE_RSA_AES_128_CBC_SHA256

• *ECDHE_RSA_AES_256_CBC_SHA384

• *RSA_AES_128_CBC_SHA256

• *RSA_AES_128_CBC_SHA

• *RSA_AES_256_CBC_SHA256

• *RSA_AES_256_CBC_SHA

• *ECDHE_ECDSA_3DES_EDE_CBC_SHA

• *ECDHE_RSA_3DES_EDE_CBC_SHA

• *RSA_3DES_EDE_CBC_SHA

Key takeaways

• Removed all but default

• RC4 not default

• GCM preferred

System SSL

Other Details

• RSA with MD5 removed from shipped supported and default Signature Algorithm list. (SSLCONFIG)

• Secp224r1 and Secp192r1 removed from shipped supported and default Named Curves list. (SSLCONFIG)

• Support RFC 7366 Encrypt-then-MAC for Transport Layer Security (TLS)

IBM i LIC Service Tools Server TLS Configuration

• Created DCM application definition IBM i System Service (QIBM_QSM_SERVICE) to configure the TLS properties and certificates

• Previously no configuration available for these LIC Service Tools servers:

– Port 2124 Piranha

– Port 2323 Lan Console

– Port 3002 Secure Service Tools Server

• Can assign up to four user specified certificates

– Used instead of the shipped hard coded certificate

• These TLS properties can be changed

– SSL protocols

– SSL cipher specification options

– SSL signature algorithms

– Extended renegotiation critical mode processing

Protocols vs. Releases

IBM i OS      SSLv1   SSLv2   SSLv3   TLSv1.0   TLSv1.1   TLSv1.2
r6.1                  a*      x*      x
r7.1                  a*      x*      x
r7.1 w/TR6            a*      x*      x         a         a
r7.2                  a*      a*      x         x         x
r7.3                  a*      a*      x         x         x

x = enabled default

a = available but not enabled by default

* disabled via PTF can be added/enabled in Service Tools

How to Use Protocols & Ciphers: Telnet Server Example

Example: Telnet Server

• Change System Values

– QSSLPCL

• Add *TLSv1.2 and *TLSv1.1 to top of the list

• Remove SSLV3

    Display System Value

    System value . . . . . :   QSSLPCL
    Description  . . . . . :   Secure sockets layer protocols

    Protocols
    *TLSV1.2
    *TLSV1.1
    *TLSV1

Example: Telnet Server

• Change System Values

– QSSLCSLCTL to *USRDFN

– QSSLCSL, add ciphers to top of the list

    Change System Value

    System value . . . . . :   QSSLCSL
    Description  . . . . . :   Secure sockets layer cipher

    Type new/changed information, press Enter.
      To add a cipher suite, type name and desired sequence
      To remove a cipher suite, space over cipher suite name
      To change position of a cipher suite, type new sequenc

    Sequence   Cipher
    Number     Suite
        0
       10      *RSA_AES_256_CBC_SHA256
       20      *RSA_AES_128_CBC_SHA256
       30      *RSA_AES_128_CBC_SHA
       40      *RSA_RC4_128_SHA
       50      *RSA_RC4_128_MD5
       60      *RSA_AES_256_CBC_SHA
       70      *RSA_3DES_EDE_CBC_SHA

Example: r7.1 TR6 Telnet Server

• DCM

– Change Telnet Server Application Definition to use protocols and ciphers

Example: r7.1 TR6 Telnet Server

-eligibleDefaultCipherSuites:<cipherSuiteNumber>[,<cipherSuiteNumber>...]

Set the System SSL eligible default cipher suite list.

This option takes a comma separated list of numbers to determine the eligible default cipher suites. This list is used along with QSSLCSL to generate the default cipher suite list used by System SSL.

-eligibleDefaultProtocols:<ProtocolNumber>[,<ProtocolNumber>...]

Set the System SSL eligible default protocol list.

This option takes a comma separated list of numbers to determine the System SSL eligible default protocol list. This list is used along with QSSLPCL to generate the default Protocol list used by System SSL. <7.1 can add TLSv1.2 and TLSv1.1>

Example: Telnet Server

• Verify telnet clients are enabled for the protocols and ciphers

• Restart Telnet Server

• Test

Other Application Considerations

Other Application Considerations

• Applications can specify protocols and ciphers directly

• Some do

– IBM WebSphere MQ

– IBM i HTTP Server Powered by Apache

– Still need protocols and ciphers enabled in the system values

• Others do not

– IBM i Telnet Server

– IBM i Access Host Servers

• Applications that do programmatically specify protocols and ciphers can have issues if DCM changed

– IBM i HTTP Server protected by the exit program

– IBM WebSphere MQ not protected. If changed in DCM, problems are likely

Debug and Data Collection

Error Message Return Codes

• Application can be written to different SSL interfaces

– System SSL

– GSKit

– JSSE for Java

• Return code values can tell us which interface is used by the application

– System SSL generates negative return codes

– GSKit generates positive return codes

• Return codes

– GSKit QSYSINC/H.GSKSSL

– System SSL QSYSINC/H.QSOSSL

Verify Configuration

• No Configuration conflicts

– System Values

– DCM application settings

• Partner’s Support/Settings

• Tracing

– Use Wireshark to capture SSL Handshake

– Open Wireshark, select the TCP conversation, Analyse, Decode As, SSL

– Use this to verify Client Hello / Server Hello basics and details

Access for Win. PC5250

Client Hello

    Transmission Control Protocol, Src Port: 61363 (61363), Dst Port: telnets (992), Seq: 1, Ack: 1, Len: 104
    Secure Sockets Layer
        TLSv1 Record Layer: Handshake Protocol: Client Hello
            Content Type: Handshake (22)
            Version: TLS 1.0 (0x0301)
            Length: 99
            Handshake Protocol: Client Hello
                Handshake Type: Client Hello (1)
                Length: 95
                Version: TLS 1.2 (0x0303)
                Random
                Session ID Length: 0
                Cipher Suites Length: 36
                Cipher Suites (18 suites)
                    Cipher Suite: TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0x00ff)
                    Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
                    Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
                    Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)
                    Cipher Suite: TLS_RSA_WITH_AES_128_GCM_SHA256 (0x009c)
                    Cipher Suite: TLS_RSA_WITH_AES_256_GCM_SHA384 (0x009d)
                    Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA256 (0x003c)
                    Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA256 (0x003d)
                    Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)
                    Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)
                    Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (0xc023)
                    Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 (0xc024)
                    Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)
                    Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)
                    Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)
                    Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c)
                    Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
                    Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)

Server Hello

    Transmission Control Protocol, Src Port: telnets (992), Dst Port: 61363 (61363), Seq: 1, Ack: 105, Len: 1170
    Secure Sockets Layer
        TLSv1 Record Layer: Handshake Protocol: Multiple Handshake Messages
            Content Type: Handshake (22)
            Version: TLS 1.0 (0x0301)
            Length: 1165
            Handshake Protocol: Server Hello
                Handshake Type: Server Hello (2)
                Length: 61
                Version: TLS 1.0 (0x0301)
                Random
                Session ID Length: 16
                Session ID: 995e9f8190c870000000000000000008
                Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
                Compression Method: null (0)
                Extensions Length: 5
                Extension: renegotiation_info
            Handshake Protocol: Certificate
                Handshake Type: Certificate (11)
                Length: 1092
                Certificates Length: 1089
                Certificates (1089 bytes)
            Handshake Protocol: Server Hello Done
                Handshake Type: Server Hello Done (14)
                Length: 0

IBM i Access Client Solutions

Client Hello

    Transmission Control Protocol, Src Port: 53241 (53241), Dst Port: 9470 (9470), Seq: 1, Ack: 1, Len: 136
    Secure Sockets Layer
        TLSv1.2 Record Layer: Handshake Protocol: Client Hello
            Content Type: Handshake (22)
            Version: TLS 1.2 (0x0303)
            Length: 131
            Handshake Protocol: Client Hello
                Handshake Type: Client Hello (1)
                Length: 127
                Version: TLS 1.2 (0x0303)
                Random
                Session ID Length: 16
                Session ID: 995fecf16f891000000000000000003e
                Cipher Suites Length: 38
                Cipher Suites (19 suites)
                    Cipher Suite: TLS_RSA_WITH_RC4_128_MD5 (0x0004)
                    Cipher Suite: TLS_RSA_WITH_RC4_128_SHA (0x0005)
                    Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
                    Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033)
                    Cipher Suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA (0x0032)
                    Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)
                    Cipher Suite: SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA (0xfeff)
                    Cipher Suite: TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x0016)
                    Cipher Suite: TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA (0x0013)
                    Cipher Suite: TLS_DHE_DSS_WITH_RC4_128_SHA (0x0066)
                    Cipher Suite: TLS_RSA_WITH_DES_CBC_SHA (0x0009)
                    Cipher Suite: SSL_RSA_FIPS_WITH_DES_CBC_SHA (0xfefe)
                    Cipher Suite: TLS_DHE_RSA_WITH_DES_CBC_SHA (0x0015)
                    Cipher Suite: TLS_DHE_DSS_WITH_DES_CBC_SHA (0x0012)
                    Cipher Suite: TLS_RSA_EXPORT_WITH_RC4_40_MD5 (0x0003)
                    Cipher Suite: TLS_RSA_EXPORT_WITH_DES40_CBC_SHA (0x0008)
                    Cipher Suite: TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA (0x0014)
                    Cipher Suite: TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA (0x0011)
                    Cipher Suite: TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0x00ff)

Server Hello

    Transmission Control Protocol, Src Port: 9470 (9470), Dst Port: 53241 (53241), Seq: 1, Ack: 137, Len: 1170
    Secure Sockets Layer
        TLSv1.2 Record Layer: Handshake Protocol: Multiple Handshake Messages
            Content Type: Handshake (22)
            Version: TLS 1.2 (0x0303)
            Length: 1165
            Handshake Protocol: Server Hello
                Handshake Type: Server Hello (2)
                Length: 61
                Version: TLS 1.2 (0x0303)
                Random
                Session ID Length: 16
                Session ID: 995fefea083e90000000000000000044
                Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
                Compression Method: null (0)
                Extensions Length: 5
                Extension: renegotiation_info
            Handshake Protocol: Certificate
                Handshake Type: Certificate (11)
                Length: 1092
                Certificates Length: 1089
                Certificates (1089 bytes)
            Handshake Protocol: Server Hello Done
                Handshake Type: Server Hello Done (14)
                Length: 0
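
The two captures above differ in what the server negotiated: the PC5250 client offered TLS 1.2 and got TLS 1.0, and the second client still offers RC4 and MD5 suites. The added example below (not part of the original slides; function names are hypothetical) parses the Client Hello and Server Hello fields shown in those dissections and reports both conditions. The hello bytes are constructed with a zero Random, a zero session ID and no extensions; only the version and suite codes come from the slides.

```python
import struct

# Added example, not from the slides. Version and suite codes are the ones shown
# in the slides' Wireshark dissections; the hello bytes below are constructed.
VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}
# RC4/MD5 suites seen in the second capture (both are on the "SSL Naughty List").
WEAK = {0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5", 0x0004: "TLS_RSA_WITH_RC4_128_MD5",
        0x0005: "TLS_RSA_WITH_RC4_128_SHA", 0x0066: "TLS_DHE_DSS_WITH_RC4_128_SHA"}
CLIENT_HELLO, SERVER_HELLO = 1, 2


def parse_hello(record: bytes) -> dict:
    """Parse the first handshake message of a TLS record (Client or Server Hello)."""
    if len(record) < 5:
        raise ValueError("truncated record header")
    ctype, rec_ver, rec_len = struct.unpack("!BHH", record[:5])
    if ctype != 22:
        raise ValueError("not a handshake record")
    body = record[5:5 + rec_len]
    if rec_len < 4 or len(body) < rec_len:
        raise ValueError("truncated record body")
    hs_type, hs_len = body[0], int.from_bytes(body[1:4], "big")
    msg = body[4:4 + hs_len]
    if hs_type not in (CLIENT_HELLO, SERVER_HELLO) or hs_len < 35 or len(msg) < hs_len:
        raise ValueError("not a complete Client/Server Hello")
    hello_ver = int.from_bytes(msg[0:2], "big")
    pos = 34                               # 2-byte version + 32-byte Random
    pos += 1 + msg[pos]                    # Session ID length byte + Session ID
    if hs_type == CLIENT_HELLO:            # 2-byte list length, then 2 bytes per suite
        size = int.from_bytes(msg[pos:pos + 2], "big")
        pos += 2
    else:                                  # Server Hello: the single chosen suite
        size = 2
    if size == 0 or size % 2 or pos + size > len(msg):
        raise ValueError("truncated or malformed cipher suite field")
    suites = [int.from_bytes(msg[i:i + 2], "big") for i in range(pos, pos + size, 2)]
    return {"type": hs_type, "record_version": rec_ver,
            "hello_version": hello_ver, "suites": suites}


def assess(client: dict, server: dict) -> list:
    """Compare a parsed Client Hello with the Server Hello that answered it."""
    findings = []
    chosen = server["suites"][0]
    if chosen not in client["suites"]:
        findings.append("server chose suite 0x%04x that the client did not offer" % chosen)
    if server["hello_version"] < client["hello_version"]:
        findings.append("negotiated %s, client offered up to %s: check QSSLPCL and the "
                        "DCM application definition on the server"
                        % (VERSIONS.get(server["hello_version"], hex(server["hello_version"])),
                           VERSIONS.get(client["hello_version"], hex(client["hello_version"]))))
    offered_weak = [WEAK[s] for s in client["suites"] if s in WEAK]
    if offered_weak:
        findings.append("client still offers RC4/MD5 suites: " + ", ".join(offered_weak))
    if chosen in WEAK:
        findings.append("server selected " + WEAK[chosen])
    return findings


def build_hello(hs_type, rec_ver, hello_ver, session_id, suites) -> bytes:
    """Construct sample hello bytes (zero Random, null compression, no extensions)."""
    msg = struct.pack("!H", hello_ver) + bytes(32) + bytes([len(session_id)]) + session_id
    if hs_type == CLIENT_HELLO:
        msg += struct.pack("!H", 2 * len(suites))
        msg += b"".join(struct.pack("!H", s) for s in suites) + b"\x01\x00"
    else:
        msg += struct.pack("!H", suites[0]) + b"\x00"
    handshake = bytes([hs_type]) + len(msg).to_bytes(3, "big") + msg
    return struct.pack("!BHH", 22, rec_ver, len(handshake)) + handshake


# Constructed bytes mirroring the PC5250 capture: 18 suites, TLS 1.2 offered, TLS 1.0 chosen.
PC5250_SUITES = [0x00FF, 0x002F, 0x0035, 0x000A, 0x009C, 0x009D, 0x003C, 0x003D, 0xC009,
                 0xC00A, 0xC023, 0xC024, 0xC027, 0xC028, 0xC02B, 0xC02C, 0xC02F, 0xC030]
PC5250_CLIENT = build_hello(CLIENT_HELLO, 0x0301, 0x0303, b"", PC5250_SUITES)
PC5250_SERVER = build_hello(SERVER_HELLO, 0x0301, 0x0301, bytes(16), [0x002F])

if __name__ == "__main__":
    for line in assess(parse_hello(PC5250_CLIENT), parse_hello(PC5250_SERVER)):
        print(line)
```
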

Summary

• Background

• Controls for Protocols and Ciphers

• IBM i OS r7.1 TR6

• IBM i OS r7.2

• IBM i OS r7.3

• How To: Telnet Server Example

• Other Application Considerations

• Debug and Data Collection

SSL Naughty List

• SSLv2 Protocol

– RFC 6176 - Prohibiting Secure Sockets Layer (SSL) Version 2.0

• SSLv3 Protocol

– Deprecating Secure Sockets Layer Version 3.0 - draft-thomson-sslv3-diediedie-00

– Known for many years to be vulnerable

– POODLE attack in 2014 finally resulted in widespread disabling

• RC4 Ciphers

– Prohibiting RC4 Cipher Suites - draft-ietf-tls-prohibiting-rc4-01 (RFC soon)

• MD5 Ciphers

– Issues known for a long time. 2004 it was no longer theoretical

• Certificates with 1024-bit RSA keys

– NIST said stop using it by end of 2013

• Certificates with SHA-1 signatures

– Chrome will flag as not secure by Jan 2017

This document was developed for IBM offerings in the United States as of the date of publication. IBM may not make these offerings available in other countries, and the information is subject to change without notice. Consult your local IBM business contact for information on the IBM offerings available in your area.

Information in this document concerning non-IBM products was obtained from the suppliers of these products or other public sources. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products.

IBM may have patents or pending patent applications covering subject matter in this document. The furnishing of this document does not give you any license to these patents. Send license inquires, in writing, to IBM Director of Licensing, IBM Corporation, New Castle Drive, Armonk, NY 10504-1785 USA.

All statements regarding IBM future direction and intent are subject to change or withdrawal without notice, and represent goals and objectives only.

The information contained in this document has not been submitted to any formal IBM test and is provided "AS IS" with no warranties or guarantees either expressed or implied.

All examples cited or described in this document are presented as illustrations of the manner in which some IBM products can be used and the results that may be achieved. Actual environmental costs and performance characteristics will vary depending on individual client configurations and conditions.

IBM Global Financing offerings are provided through IBM Credit Corporation in the United States and other IBM subsidiaries and divisions worldwide to qualified commercial and government clients. Rates are based on a client's credit rating, financing terms, offering type, equipment type and options, and may vary by country. Other restrictions may apply. Rates and offerings are subject to change, extension or withdrawal without notice.

IBM is not responsible for printing errors in this document that result in pricing or information inaccuracies.

All prices shown are IBM's United States suggested list prices and are subject to change without notice; reseller prices may vary.

IBM hardware products are manufactured from new parts, or new and serviceable used parts. Regardless, our warranty terms apply.

Any performance data contained in this document was determined in a controlled environment. Actual results may vary significantly and are dependent on many factors including system hardware configuration and software design and configuration. Some measurements quoted in this document may have been made on development-level systems. There is no guarantee these measurements will be the same on generally-available systems. Some measurements quoted in this document may have been estimated through extrapolation. Users of this document should verify the applicable data for their specific environment.

Revised September 26, 2006

Special notices

IBM, the IBM logo, ibm.com, AIX, AIX (logo), AIX 5L, AIX 6 (logo), AS/400, BladeCenter, Blue Gene, ClusterProven, DB2, ESCON, i5/OS, i5/OS (logo), IBM Business Partner (logo), IntelliStation, LoadLeveler, Lotus, Lotus Notes, Notes, Operating System/400, OS/400, PartnerLink, PartnerWorld, PowerPC, pSeries, Rational, RISC System/6000, RS/6000, THINK, Tivoli, Tivoli (logo), Tivoli Management Environment, WebSphere, xSeries, z/OS, zSeries, Active Memory, Balanced Warehouse, CacheFlow, Cool Blue, IBM Systems Director VMControl, pureScale, TurboCore, Chiphopper, Cloudscape, DB2 Universal Database, DS4000, DS6000, DS8000, EnergyScale, Enterprise Workload Manager, General Parallel File System, GPFS, HACMP, HACMP/6000, HASM, IBM Systems Director Active Energy Manager, iSeries, Micro-Partitioning, POWER, PowerExecutive, PowerVM, PowerVM (logo), PowerHA, Power Architecture, Power Everywhere, Power Family, POWER Hypervisor, Power Systems, Power Systems (logo), Power Systems Software, Power Systems Software (logo), POWER2, POWER3, POWER4, POWER4+, POWER5, POWER5+, POWER6, POWER6+, POWER7, System i, System p, System p5, System Storage, System z, TME 10, Workload Partitions Manager and X-Architecture are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both. If these and other IBM trademarked terms are marked on their first occurrence in this information with a trademark symbol (® or ™), these symbols indicate U.S. registered or common law trademarks owned by IBM at the time this information was published. Such trademarks may also be registered or common law trademarks in other countries.

A full list of U.S. trademarks owned by IBM may be found at: http://www.ibm.com/legal/copytrade.shtml.

Adobe, the Adobe logo, PostScript, and the PostScript logo are either registered trademarks or trademarks of Adobe Systems Incorporated in the United States, and/or other countries. AltiVec is a trademark of Freescale Semiconductor, Inc. AMD Opteron is a trademark of Advanced Micro Devices, Inc. InfiniBand, InfiniBand Trade Association and the InfiniBand design marks are trademarks and/or service marks of the InfiniBand Trade Association. Intel, Intel logo, Intel Inside, Intel Inside logo, Intel Centrino, Intel Centrino logo, Celeron, Intel Xeon, Intel SpeedStep, Itanium, and Pentium are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States and other countries. IT Infrastructure Library is a registered trademark of the Central Computer and Telecommunications Agency which is now part of the Office of Government Commerce. Java and all Java-based trademarks and logos are trademarks or registered trademarks of Oracle and/or its affiliates. Linear Tape-Open, LTO, the LTO Logo, Ultrium, and the Ultrium logo are trademarks of HP, IBM Corp. and Quantum in the U.S. and other countries. Linux is a registered trademark of Linus Torvalds in the United States, other countries or both. Microsoft, Windows and the Windows logo are registered trademarks of Microsoft Corporation in the United States, other countries or both. NetBench is a registered trademark of Ziff Davis Media in the United States, other countries or both. SPECint, SPECfp, SPECjbb, SPECweb, SPECjAppServer, SPEC OMP, SPECviewperf, SPECapc, SPEChpc, SPECjvm, SPECmail, SPECimap and SPECsfs are trademarks of the Standard Performance Evaluation Corp (SPEC). The Power Architecture and Power.org wordmarks and the Power and Power.org logos and related marks are trademarks and service marks licensed by Power.org. TPC-C and TPC-H are trademarks of the Transaction Performance Processing Council (TPPC). UNIX is a registered trademark of The Open Group in the United States, other countries or both.

Other company, product and service names may be trademarks or service marks of others.

Revised December 2, 2010

Special notices (cont.)