PTF (Program Temporary Fix) Cover Letter
LIC-COMM-SSL Support turning off all renegotiation
Pre/Co-Requisite PTF / Fix List
REQ  LICENSED      PTF/FIX  LEVEL
TYPE PROGRAM  REL  NUMBER   MIN/MAX  OPTION
---- -------- ---  -------  -------  ------
CO   5770999  710  MF48825  00/00    0000
CO   5770999  710  MF48824  00/00    0000
NOTICE:
-------
Application of this PTF may disable or render ineffective programs that
use system memory addresses not generated by the IBM translator,
including programs that circumvent control technology designed to limit
interactive capacity to purchased levels. This PTF may be a prerequisite
for future PTFs. By applying this PTF you authorize and agree to the
foregoing.
This PTF is subject to the terms of the 'IBM License Agreement for Machine
Code', the terms of which were provided in a printed document that was
delivered with the machine.
SUBJECT TO ANY WARRANTIES WHICH CAN NOT BE EXCLUDED OR EXCEPT AS EXPLICITLY
AGREED TO IN THE APPLICABLE LICENSE AGREEMENT OR AN APPLICABLE SUPPORT
AGREEMENT, IBM MAKES NO WARRANTIES OR CONDITIONS EITHER EXPRESS OR IMPLIED,
INCLUDING BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OR CONDITIONS OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON INFRINGEMENT,
REGARDING THE PTF.
APAR Error Description / Circumvention
-----------------------------------------------
How to disable all peer-initiated SSL renegotiation regardless of
RFC 5746 support.
CORRECTION FOR APAR MA41698 :
-----------------------------
System SSL support added for -sslRenegotiation:disabled.
CIRCUMVENTION FOR APAR MA41698 :
--------------------------------
None.
Activation Instructions
None.
Special Instructions
********************************************************************
THE FOLLOWING ARE SUPERSEDED SPECIAL INSTRUCTIONS. IF THE SUPERSEDED
PTF HAS ALREADY BEEN APPLIED AND ITS SPECIAL INSTRUCTION FOLLOWED,
IT IS NOT NECESSARY TO FOLLOW THAT SPECIAL INSTRUCTION AGAIN.
********************************************************************
SPECIAL INSTRUCTIONS FOR SUPERSEDED PTF MF53626 :
=================================================
If applying or removing this PTF *IMMED when experiencing issues with
SSL telnet, please do the following to ensure all changes are made
active:
1. End the active Telnet server jobs with the command: ENDTCPSVR SERVER(*TELNET)
2. Apply or remove the PTF.
3. Start the Telnet server jobs with the command: STRTCPSVR SERVER(*TELNET)
SPECIAL INSTRUCTIONS FOR SUPERSEDED PTF MF49131 :
=================================================
The IETF has published RFC 5746, "Transport Layer Security (TLS)
Renegotiation Indication Extension". RFC 5746 defines a mechanism to
implement TLS/SSL handshake renegotiation securely. Use of RFC 5746
replaces the industry-wide interim solution, disabling all
renegotiation, that was implemented after the weakness was discovered.
After applying this PTF, System SSL will allow SSL V3 or TLS V1 session
renegotiation with peers that have implemented RFC 5746. Session
renegotiation with peers that do not support RFC 5746 reverts to the
interim disablement solution. By default, unsecured renegotiation
continues to be disallowed. Use the special instructions for
-sslRenegotiation to control how unsecured renegotiation is handled by
System SSL.
Information APAR II14533 has been updated to reflect RFC 5746 support.
Read RFC 5746 for additional details on the underlying TLS protocol
changes that correct the weakness.
A method for administrators to control how strictly System SSL enforces
RFC 5746 is available. System SSL can be made to require RFC 5746 for
all negotiations, not just renegotiations. This is only practical after
all desired communication partners have implemented RFC 5746.
To change the RFC 5746 restrictiveness of System SSL with the Start
System Service Tools (STRSST) command, follow these steps:
1. Open a character-based interface.
2. On the command line, type STRSST.
3. Type your service tools user name and password.
4. Select option 1 (Start a service tool).
5. Select option 4 (Display/Alter/Dump).
6. Select option 1 (Display/Alter storage).
7. Select option 2 (Licensed Internal Code (LIC) data).
8. Select option 14 (Advanced analysis).
9. Select option 1 (IPCONFIG).
10. Enter one or both of the following strings as shown below to change
    the System SSL behavior to the desired setting.
    -sslRfc5746NegotiationRequiredClient:on (defaults to Off)
        Causes the SSL Client to only connect if the SSL Server
        indicates support for RFC 5746 Renegotiation.
        Warning - setting this to 'On' will cause interoperability
        problems with servers that have not been updated.
    -sslRfc5746NegotiationRequiredServer:on (defaults to Off)
        Causes the SSL Server to only connect if the SSL Client
        indicates support for RFC 5746 Renegotiation.
        Warning - setting this to 'On' will cause interoperability
        problems with clients that have not been updated.
To change the unsecured renegotiation ability of System SSL with the
Start System Service Tools (STRSST) command, follow steps 1-9 above,
then issue one of the following three strings as shown below. Note that
this only has meaning for peers that do not support RFC 5746.
    -sslRenegotiation:NONE - Default value
        No unsecured handshake renegotiation is allowed.
    -sslRenegotiation:ABBREVIATED
        Overrides and allows an unsecured abbreviated handshake
        during renegotiation when session continuity is proven.
    -sslRenegotiation:ALL - Default prior to PTF
        Overrides and allows an unsecured full handshake and an
        unsecured abbreviated handshake during renegotiation.
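As an added example (not part of this cover letter and not IBM code): the RFC 5746 support that the settings above gate is signalled in a ClientHello either by the TLS_EMPTY_RENEGOTIATION_INFO_SCSV cipher suite value (0x00FF) or by the renegotiation_info extension (type 0xFF01). The script below parses a ClientHello record for both signals, so an administrator can tell whether a given client would be treated as RFC 5746-capable or fall under the -sslRenegotiation handling. The ClientHello bytes are constructed by the script itself, not captured from a System SSL peer.

```python
import struct

SCSV = 0x00FF            # TLS_EMPTY_RENEGOTIATION_INFO_SCSV cipher suite value (RFC 5746 3.3)
RENEG_INFO_EXT = 0xFF01  # renegotiation_info extension type (RFC 5746 3.2)

def rfc5746_signals(record: bytes) -> dict:
    """Parse one ClientHello record; report the SCSV and renegotiation_info signals."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    body = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if not body or body[0] != 0x01:
        raise ValueError("not a ClientHello")
    p = body[4:4 + int.from_bytes(body[1:4], "big")]   # handshake body after type + 3-byte length
    off = 2 + 32                                       # client_version + random
    off += 1 + p[off]                                  # session_id (length-prefixed)
    cs_len = struct.unpack("!H", p[off:off + 2])[0]
    off += 2
    suites = [struct.unpack("!H", p[i:i + 2])[0] for i in range(off, off + cs_len, 2)]
    off += cs_len
    off += 1 + p[off]                                  # compression_methods (length-prefixed)
    result = {"scsv": SCSV in suites, "extension": False, "reneg_info_len": None}
    if off + 2 <= len(p):                              # extensions block is optional
        end = off + 2 + struct.unpack("!H", p[off:off + 2])[0]
        off += 2
        while off + 4 <= end:
            etype, elen = struct.unpack("!HH", p[off:off + 4])
            off += 4
            if etype == RENEG_INFO_EXT:
                result["extension"] = True
                result["reneg_info_len"] = p[off]      # renegotiated_connection length; 0 on initial handshake
            off += elen
    return result

def build_client_hello(suites, extensions=()) -> bytes:
    """Build a minimal TLS 1.0 ClientHello record (constructed sample input, not a capture)."""
    ext_body = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
    body = (b"\x03\x01" + bytes(32) + b"\x00"          # version, zeroed random, empty session_id
            + struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
            + b"\x01\x00")                             # one compression method: null
    if extensions:
        body += struct.pack("!H", len(ext_body)) + ext_body
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

if __name__ == "__main__":
    print(rfc5746_signals(build_client_hello([0x002F])))                              # legacy: no signal
    print(rfc5746_signals(build_client_hello([0x002F, SCSV])))                        # SCSV only
    print(rfc5746_signals(build_client_hello([0x002F], [(RENEG_INFO_EXT, b"\x00")])))  # extension
```

A client that shows neither signal is one that -sslRenegotiation:NONE will refuse to renegotiate with, and one that -sslRfc5746NegotiationRequiredServer:on will refuse to connect at all.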
Default Instructions
THIS PTF CAN BE APPLIED IMMEDIATE OR DELAYED.
Supersedes
PTF/FIX NO(S).  APAR TITLE LINE
--------------  ------------------------------------------------------------
MF54511         LIC-COMM-SSL Support turning off all renegotiation
MF53626         OSP-INCORROUT-RWS-D/T5250 TELNET USERS BEING DISCONNECTED /
MF53520         OSP-LOOP ETHERNET ADAPTER GOES INTO AN UNRESPONSIVE STATE CA
MF53262         LIC-COMM-OTHER-UNPRED SSL HEAP NOT RELEASED
MF51036         LIC-COMM-TCPIP-INCORROUT SSL_ERROR_BAD_STATE ERROR -21
MF50363         LIC-COMM-INCORROUT Invalid Response to SSLv2 Client Hello
MF49131         LIC-COMM-SSL Support RFC5746
MF48823         Integrity Problem
MF53418         LIC-COMM-TCPIP IOCM TASKS TAKE HIGH CPU IN LOSOCKETSECURE
MF51026         OSP-PAR-SSL javax.net.ssl.SSLException: Unknown error 6507
Summary Information
System: i
Models:
Release: V7R1M0
Licensed Program: 5770999
APAR Fixed: MA41698
Superseded by: PTF MF99011
Recompile: N
Library: QSYS
MRI Feature: NONE
Cum Level: C2115710
IBM disclaims all warranties, whether express or implied, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose. By furnishing this document, IBM grants no licenses to any related patents or copyrights. Copyright © 1996,1997,1998, 1999, 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011, 2012, 2013, 2014, 2015, 2016, 2017 IBM Corporation. Any trademarks and product or brand names referenced in this document are the property of their respective owners. Consult the Terms of use link for trademark information.
Document Information
Modified date: 10 January 2012