IBM i System TLS has been enhanced in IBM i 7.3 to support the latest industry standard of Transport Layer Security version 1.3 (TLSv1.3) protocol. IBM i System TLS has also been enhanced to support additional TLSv1.2 protocol features.
- SF99867: 730 TCP/IP PTF Group Level: 5
- SF99722: 730 IBM HTTP Server for i PTF Group Level: 24
For GUI System Value QSSLPCL and QSSLCSL support, not for HTTP Server use of TLS 1.3
- SF99725: 730 Java PTF Group Level: 17
Plus these 4 Java PTFs:
SI72654 and SI72653 - JVA-RUN JDK 80-64 Native JSSE TLSv1.3
SI72652 and SI72651 - JVA-RUN JDK 70-64 Native JSSE TLSv1.2 ChaCha20Poly1305
IBM i System TLS has been enhanced to support the latest industry standard of Transport Layer Security version 1.3 (TLSv1.3) protocol. TLSv1.3 is enabled and used by default for partitions with system value QSSLPCL set to *OPSYS. If QSSLPCL is not *OPSYS, the administrator must add *TLSV1.3 to the list to enable it. If QSSLCSLCTL is *OPSYS and TLSv1.3 is enabled in QSSLPCL, the TLSv1.3 cipher suites are enabled and used by default. If set to *USRDFN, the administrator must add one or more TLSv1.3 cipher suites to the list in order for TLSv1.3 to be used. Applications designed to use the System TLS default protocols will immediately support TLSv1.3 if the system value settings allow TLSv1.3. Other applications require configuration or code changes to enable TLSv1.3.
Refer to Transport Layer Security in the IBM i Knowledge Center for additional details.
System TLS now includes support for the *CHACHA20_POLY1305_SHA256 cipher suite. TLSv1.3 always uses ECDHE for key exchange and negotiates the certificate type independent of the cipher suite. This resulted in removing the ECDHE, ECDSA, and RSA key words from the TLSv1.3 cipher suite names.
The supported/enabled named elliptic curve groups list and the default named elliptic curve groups list have both been updated to include the x25519 and x448 named curves. Most applications will begin supporting these curves with no additional configuration required.
System TLS now includes support for OCSP stapling in both the TLSv1.3 and TLSv1.2 protocols. This support allows client applications to send a certificate status request extension as part of the TLS handshake, as defined in RFC 6066, requesting that the server complete OCSP requests on behalf of the client. Based on the server's OCSP configuration, server applications enabling this new support query an OCSP responder and send the OCSP response back to the client.
The Java 8 Native IBM i JSSE provider now supports TLSv1.3. TLSv1.3 support has been added to three existing Protocol values, "SSL", "SSL_TLS", and "SSL_TLSv2". The new protocol specific value of "TLSv1.3" was also added.
|Protocol value||Supported TLS protocols|
|SSL||TLS version 1.3, 1.2, 1.1, 1.0 and SSL version 3.|
|SSLv3||SSL version 3 protocol|
|TLSv1||TLS version 1.0 protocol, defined in Request for Comments (RFC) 2246.|
|SSL_TLS||TLS version 1.3, 1.2, 1.1, 1.0 and SSL version 3.|
|TLSv1.1||TLS version 1.1 protocol, defined in Request for Comments (RFC) 4346.|
|TLSv1.2||TLS version 1.2 protocol, defined in Request for Comments (RFC) 5246.|
|TLSv1.3||TLS version 1.3 protocol, defined in Request for Comments (RFC) 8446.|
|SSL_TLSv2||TLS version 1.3, 1.2, 1.1, 1.0 and SSL version 3.|
02 July 2020