IBM Support

Security Bulletin: Vulnerability in MD5 Signature and Hash Algorithm affects IBM i (CVE-2015-7575).

Summary

The MD5 “SLOTH” vulnerability on TLS 1.2 affects IBM i.

Vulnerability Details

CVEID: CVE-2015-7575
DESCRIPTION: The TLS protocol could allow weaker than expected security caused by a collision attack when using the MD5 hash function for signing a ServerKeyExchange message during a TLS handshake. An attacker could exploit this vulnerability using man-in-the-middle techniques to impersonate a TLS server and obtain credentials.
CVSS Base Score: 7.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/109415 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N)

Affected Products and Versions

Releases 6.1, 7.1 and 7.2 of IBM i are affected.

Remediation/Fixes

The issue can be fixed by applying a PTF to the IBM i Operating System and products.

Releases 6.1, 7.1 and 7.2 of IBM i are supported and will be fixed.

http://www-933.ibm.com/support/fixcentral/


Release 6.1.1 – MF60292
Release 7.1 – SI59229, MF61242, MF60291
Release 7.2 – SI59230, MF61243, MF60290

5770UME:
CIM 1.3: SI59244
CIM 1.4: SI59193


Important note: IBM recommends that all users running unsupported versions of affected products upgrade to a supported and fixed version of the affected products.

Workarounds and Mitigations

You should verify that applying this configuration change does not cause any compatibility issues. Leaving the MD5 signature hash enabled exposes you to the attack described above. IBM recommends that you review your entire environment to identify other areas where you have enabled the MD5 signature hash and take appropriate mitigation and remediation actions.

Mitigation instructions for IBM i:

IBM i System SSL/TLS

IBM i System SSL/TLS is a set of generic services provided in the IBM i Licensed Internal Code (LIC) to protect TCP/IP communications using the SSL/TLS protocol.

System SSL/TLS is accessible to application developers from the following programming interfaces and JSSE implementation:

- Global Security Kit (GSKit) APIs
- Integrated IBM i SSL_ APIs
- Integrated IBM i JSSE implementation (IBMi5OSJSSEProvider)

TLS applications created by IBM, IBM business partners, independent software vendors (ISV), or customers that use one of the three System SSL/TLS interfaces listed above will use System SSL/TLS. For example, FTP and Telnet are IBM applications that use System SSL/TLS. Not all TLS enabled applications running on IBM i use System SSL/TLS.

The TLSv1.2 protocol made the signature and hash algorithms that are used for digital signatures an independent attribute. Previously the negotiated cipher suite determined these algorithms. System SSL/TLS has the infrastructure to support multiple signature algorithms. The signature and hash algorithm RSA_MD5 is allowed in the System SSL/TLS default configuration.
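The following added example (not IBM code) shows what "independent attribute" means on the wire: in TLS 1.2 the peer lists its acceptable (hash, signature) pairs in the `signature_algorithms` extension, so a captured handshake can be audited for RSA_MD5. It assumes the input is the raw extensions block of a ClientHello, without its two-byte length prefix; the function names and the sample bytes are constructed for illustration.

```python
import struct

# Code points from RFC 5246, section 7.4.1.4.1 (TLS 1.2 only).
HASHES = {0: "NONE", 1: "MD5", 2: "SHA1", 3: "SHA224",
          4: "SHA256", 5: "SHA384", 6: "SHA512"}
SIGNATURES = {0: "ANON", 1: "RSA", 2: "DSA", 3: "ECDSA"}
EXT_SIGNATURE_ALGORITHMS = 13

def find_extension(ext_block, wanted):
    """Walk (type, length, data) records; return the wanted data or None."""
    pos = 0
    while pos < len(ext_block):
        if pos + 4 > len(ext_block):
            raise ValueError("truncated extension header")
        ext_type, ext_len = struct.unpack_from("!HH", ext_block, pos)
        pos += 4
        if pos + ext_len > len(ext_block):
            raise ValueError("truncated extension data")
        if ext_type == wanted:
            return ext_block[pos:pos + ext_len]
        pos += ext_len
    return None

def parse_signature_algorithms(data):
    """Decode the (hash, signature) pairs, in the sender's preference order."""
    if len(data) < 2:
        raise ValueError("missing list length")
    (list_len,) = struct.unpack_from("!H", data, 0)
    if list_len % 2 or list_len != len(data) - 2:
        raise ValueError("bad signature_algorithms length")
    return ["%s_%s" % (SIGNATURES.get(data[i + 1], "SIG%d" % data[i + 1]),
                       HASHES.get(data[i], "HASH%d" % data[i]))
            for i in range(2, len(data), 2)]

def audit_extensions(ext_block):
    """Report offered pairs and those that sign with MD5 or SHA-1."""
    data = find_extension(ext_block, EXT_SIGNATURE_ALGORITHMS)
    offered = parse_signature_algorithms(data) if data is not None else []
    return {"offered": offered,
            "md5": [n for n in offered if n.endswith("_MD5")],
            "sha1": [n for n in offered if n.endswith("_SHA1")]}

# Constructed sample: ec_point_formats (type 11), then signature_algorithms
# (type 13) offering RSA_SHA256, RSA_SHA1 and RSA_MD5.
SAMPLE_EXTENSIONS = bytes.fromhex("000b00020100" "000d0008" "0006" "040102010101")

if __name__ == "__main__":
    print(audit_extensions(SAMPLE_EXTENSIONS))
```

A non-empty `md5` list means the peer still accepts MD5-signed handshake messages; an empty `offered` list means the extension was absent, in which case RFC 5246 has the server assume SHA-1.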

The application developer determines which signature algorithms are supported by the application when it is designed.
- Few, if any, applications expose the signature algorithm configuration to the end user. For those that do, RSA_MD5 can be disabled through the application-specific configuration.
- Most applications do not provide a configuration option for controlling the signature and hash algorithms. It is difficult to determine whether these applications support RSA_MD5; however, it is likely that they do.
- Almost all applications, such as FTP and Telnet, use the System SSL/TLS default signature algorithms.

After loading the System SSL/TLS fixes listed in this bulletin, applications coded to use the default values will no longer negotiate TLSv1.2 secure sessions that use RSA_MD5. The fix has no impact on TLSv1.1, TLSv1.0, or SSLv3 connections. It is unlikely that RSA_MD5 is being used for any handshake message digital signatures in your environment. However, if an RSA_MD5 digital server or client certificate is configured, it will no longer work. The MD5-based certificate should be replaced with a SHA2-based certificate. RSA_SHA1 certificates are not recommended for continued use; however, this fix does not remove RSA_SHA1 from the default signature algorithm list.

If RSA_MD5 support is required by an application after this PTF is applied, RSA_MD5 can be added back in two ways:

1. If the dependent application has a DCM application definition, update the "SSL signature algorithms" application definition field for that application to explicitly include RSA_MD5.

2. RSA_MD5 can be added back to the System SSL/TLS default signature algorithm list using System Service Tools (SST) Advanced Analysis Command SSLCONFIG. To change the System SSL/TLS settings with the Start System Service Tools (STRSST) command, follow these steps:

   1. Open a character based interface.
   2. On the command line, type STRSST.
   3. Type your service tools user name and password.
   4. Select option 1 (Start a service tool).
   5. Select option 4 (Display/Alter/Dump).
   6. Select option 1 (Display/Alter storage).
   7. Select option 2 (Licensed Internal Code (LIC) data).
   8. Select option 14 (Advanced analysis).
   9. Select option 1 (SSLCONFIG).
   10. Enter -h

This shows the help screen, which describes the input strings used to change the System SSL/TLS setting for -signatureAlgorithmList, the setting that determines the default list.

System SSL/TLS’s support of RSA_MD5 can be completely disabled at the system level using SSLCONFIG. Follow the above SSLCONFIG instructions but change the setting for -supportedSignatureAlgorithmList.




OpenSSL

Existing versions of OpenSSL used on IBM i are not affected. It is recommended that you apply all fixes from the IBM i security PTF group in order to stay current on all fixes.

Acknowledgement

Reported to IBM by Karthikeyan Bhargavan at INRIA in Paris, France.

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.

Document Information

Modified date: 18 December 2019

UID: nas8N1021096