APAR status
Closed as program error.
Error description
Error Message: The IETF has published RFC 5746 Transport Layer Security (TLS) ? Renegotiation Indication Extension. RFC 5746 defines a mechanism to implement TLS/SSL handshake renegotiation securely. Use of RFC 5746 replaces the industry wide interim solution of disabling all renegotiation implemented after the weakness was discovered. . Stack Trace: N/A .
Local fix
Problem summary
The IETF has published RFC 5746 Transport Layer Security (TLS) ? Renegotiation Indication Extension. RFC 5746 defines a mechanism to implement TLS/SSL handshake renegotiation securely. Use of RFC 5746 replaces the industry wide interim solution of disabling all renegotiation implemented after the weakness was discovered.
Problem conclusion
This defect will be fixed in: 6.0.0 SR9 5.0.0 SR12 1.4.2 SR13 fp6 . The IETF has published RFC 5746 Transport Layer Security (TLS) ? Renegotiation Indication Extension. RFC 5746 defines a mechanism to implement TLS/SSL handshake renegotiation securely. Use of RFC 5746 replaces the industry wide interim solution of disabling all renegotiation implemented after the weakness was discovered. After applying this APAR, IBM JSSE2 will allow SSL V3 or TLS V1 session renegotiation with peers that have implemented RFC 5746. Session renegotiation with peers that do not support RFC 5746 reverts back to the interim disablement solution. By default, unsecured renegotiation will continue to not be allowed. Use the system property com.ibm.jsse2.renegotiate to control how unsecured negotiation are handled by IBM JSSE2. Read RFC 5746 for additional details if interested in the underlying TLS protocol changes to correct the weakness. The following system properties are available to control how restrictive IBM JSSE2 is in the enforcement of RFC 5746. To force all negotiations to require RFC 5746, not just renegotiations use system property com.ibm.jsse2.extended.renegotiation.indicator. This would only be practical after all desired communication partners have implemented RFC 5746. -com.ibm.jsse2.extended.renegotiation.indicator=OPTIONAL This is the default value. It causes the IBM JSSE2 Server and/or IBM JSSE2 Client to not require the renegotiation indicator during the initial handshake. Warning - setting this to 'client', 'server' or 'both' will cause interoperability problems with clients or servers that have not been updated. -com.ibm.jsse2.extended.renegotiation.indicator=CLIENT Causes the IBM JSSE2 Client to only connect if the server indicated support for RFC 5746 Renegotiation. Warning - setting this to 'client' will cause interoperability problems with servers that have not been updated. -com.ibm.jsse2.extended.renegotiation.indicator=SERVER Causes the IBM JSSE2 Server to only connect if the client indicated support for RFC 5746 Renegotiation. Warning - setting this to 'server' will cause interoperability problems with servers that have not been updated. -com.ibm.jsse2.extended.renegotiation.indicator=BOTH Causes the IBM JSSE2 Server and/or IBM JSSE2 client to connect only if the peer indicated support for RFC 5746 Renegotiation. Warning - setting this to 'both' will cause interoperability problems with client and/or servers that have not been updated. To change the renegotiation ability of IBM JSSE2 use the system property com.ibm.jsse2.renegotate. -com.ibm.jsse2.renegotiate=NONE This is the default value. No unsecured handshake renegotiation is allowed. RFC 5746 renegotiations are allowed only. -com.ibm.jsse2.renegotiate=ABBREVIATED Overrides and allows unsecured abbreviated handshake during renegotiation when session continuity is proven. RFC 5746 renegotiations are allowed. -com.ibm.jsse2.renegotiate=ALL Overrides and allows unsecured full handshake and unsecured abbreviated handshake during renegotiation. RFC 5746 renegotiations are allowed also. -com.ibm.jsse2.renegotiate=DISABLED Overrides and disables all unsecure and RFC 5746 renegotiations. To change the renegotiation ability of IBM JSSE2 to require the peer support specified in RFC 5746, use the system property com.ibm.jsse2.renegotiation.peer.cert.check. This would only be practical after all of your potential communication partners have implemented RFC 5746. -com.ibm.jsse2.renegotiation.peer.cert.check=OFF This is the default value. It causes the IBM JSSE2 Client and/or IBM JSSE2 Server to not perform an identify check against the peer's certificate. It allows the peer certificate to change during renegotiation. -com.ibm.jsse2.renegotiation.peer.cert.check=ON Causes the IBM JSSE2 Client and/or IBM JSSE2 Server to perform a comparison against the peer's certificate to ensure the certificate does not change during renegotiation. Applicable to both secure and non-secure renegotiations.
Temporary fix
Comments
APAR Information
APAR number
IZ75870
Reported component name
SECURITY
Reported component ID
620700125
Reported release
600
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt
Submitted date
2010-05-14
Closed date
2010-05-14
Last modified date
2010-10-20
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
SECURITY
Fixed component ID
620700125
Applicable component levels
R600 PSN
UP
[{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSNVBF","label":"Runtimes for Java Technology"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"6.0","Edition":"","Line of Business":{"code":"LOB36","label":"IBM Automation"}}]
Document Information
Modified date:
07 December 2020