IBM Support

JR37430: GSKIT TLS HANDSHAKE RENEGOTIATION WEAK SECURITY CVE-2009-3555

A fix is available

Communications Server for Windows, Version 6.4 -- Latest Fixpack

Subscribe

You can track all active APARs for this component.

 

APAR status

  • Closed as program error.

Error description

  • All customers using Communications Server for Linux
or Communications Server for Linux on zSeries,
relying on Secure Socket Layer v3 (SSLv3) or any of
the multiple versions of Transport Layer Security
(TLS) in support of secure communications between a
client and server or between server and server are
impacted by a recently discovered weakness in the
TLS and SSL v3 protocols. SSLv2 is not affected.

The TLS/SSL weakness exists in multiple
implementations of the Transport Layer Security
(TLS) protocol, including SSL.

Local fix

  • 



Problem summary


    

  • To address the weakness in the TLS/SSL handshake renegotiation,
IBM, along with the other members in the Industry Consortium for
the Advancement of Security on the Internet (ICASI), are working
together with the Internet Engineering Task Force (IETF) to
enhance and strengthen the handshake renegotiation protocol in
the TLS specification. This effort will take some time to
complete.  The delivery outlook for inclusion of this enhanced
handshake renegotiation capability in TLS protocol
implementations is unknown at this time.

    



Problem conclusion


    

  • n the interim, the TLS handshake renegotiation will be disabled
by application of this APAR. The TLS handshake renegotiation is
rarely used. Disabling the TLS handshake renegotiation will
block a remote attacker from attempting to exploit the weakness
in the TLS protocol. After applying this APAR, the default
setting will disable the TLS handshake renegotiation. There is
an option to re-enable renegotiation if warranted. TLS handshake
renegotiation should be re-enabled only if absolutely necessary
and with a clear understanding and acceptance of the potential
security risks.

To override the default setting and re-enable handshake
renegotiation, see the instructions in the readme for APAR
LI75181.

    



Temporary fix


    

  • 



Comments


    

  • 



APAR Information




    

  • APAR number
    JR37430
    • 

  • Reported component name
    COMM SERV NT 6.
    • 

  • Reported component ID
    5639F2503
    • 

  • Reported release
    640
    • 

  • Status
    CLOSED  PER
    • 

  • PE
    NoPE
    • 

  • HIPER
    NoHIPER
    • 

  • Special Attention
    NoSpecatt
    • 

  • Submitted date
    2010-08-06
    • 

  • Closed date
    2010-08-06
    • 

  • Last modified date
    2010-08-06
    • 





    

  • APAR is sysrouted FROM one or more of the following:
    

    
LI75158
    

    • 

  • APAR is sysrouted TO one or more of the following:
    

    • 



Fix information


    

  • Fixed component name
    COMM SERV NT 6.
    • 

  • Fixed component ID
    5639F2503
    • 



Applicable component levels


    

  • R640  PSY  
       
    • 








      
              
                            

              

              [{"Line of Business":{"code":"LOB35","label":"Mainframe SW"},"Business Unit":{"code":"BU058","label":"IBM Infrastructure w\/TPS"},"Product":{"code":"SSHQNF","label":"Communications Server for Windows"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"640"}]
              

                          

          
 
        

      

    

      

        

          

            
Document Information


            

            


                        

            Modified date:
            

            07 October 2021
            

            
                      

        


        

        


      

    

  



    

  

  
    
            

          
Page Feedback