PTF Cover Letter
PTF ( Program Temporary Fixes ) Cover letter
LIC-SSL Remove RSA_MD5 from System SSL/TLS default sig alg l
Pre/Co-Requisite PTF / Fix List
REQ LICENSED PTF/FIX LEVEL
TYPE PROGRAM RELEASE NUMBER MIN/MAX OPTION
---- -------- --------- ------- ------- ------
PRE 5770999 V7R2M0 MF58685 00/00 0000
NOTICE:
-------
Application of this PTF may disable or render ineffective programs that
use system memory addresses not generated by the IBM translator,
including programs that circumvent control technology designed to limit
interactive capacity to purchased levels. This PTF may be a prerequisite
for future PTFs. By applying this PTF you authorize and agree to the
foregoing.
This PTF is subject to the terms of the 'IBM License Agreement for Machine
Code', the terms of which were provided in a printed document that was
delivered with the machine.
SUBJECT TO ANY WARRANTIES WHICH CAN NOT BE EXCLUDED OR EXCEPT AS EXPLICITLY
AGREED TO IN THE APPLICABLE LICENSE AGREEMENT OR AN APPLICABLE SUPPORT
AGREEMENT, IBM MAKES NO WARRANTIES OR CONDITIONS EITHER EXPRESS OR IMPLIED,
INCLUDING BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OR CONDITIONS OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON INFRINGEMENT,
REGARDING THE PTF.
APAR Error Description / Circumvention
-----------------------------------------------
The RSA_MD5 protocol should not be used for TLSv1.2 signature
and hash operations due to the SLOTH vulnerabilities.
CORRECTION FOR APAR MA45218 :
-----------------------------
An administrator can completely disable the RSA_MD5 signature
and hash algorithm from being used by System SSL/TLS using the
System Service Tools (SST) Advanced Analysis Command SSLCONFIG
values without this PTF. This is done by manually removing
RSA_MD5 from the default signature algorithm list.
This PTF explicitly removes RSA_MD5 from the default signature
algorithm list.
Applications coded to use the default value for TLSv1.2
signature algorithms will no longer negotiate the use of RSA_MD5
signatures with TLSv1.2 peers. This includes the use of digital
certificates with a MD5 signature.
If RSA_MD5 support is required by peers of such an application
after this PTF is applied, the value can be added back to the
System SSL/TLS default signature algorithm list using System
Service Tools (SST) Advanced Analysis Command SSLCONFIG.
To change the System SSL settings with the Start System
Service
Tools (STRSST) command, follow these steps:
1. Open a character-based interface.
2. On the command line, type STRSST.
3. Type your service tools user name and password.
4. Select option 1 (Start a service tool).
5. Select option 4 (Display/Alter/Dump).
6. Select option 1 (Display/Alter storage).
7. Select option 2 (Licensed Internal Code (LIC) data).
8. Select option 14 (Advanced analysis).
9. Select option 1 (SSLCONFIG).
10. Enter -h
This will show the help screen that describes the input strings
to change the System SSL setting for signatureAlgorithmList
(default list) and supportedSignatureAlgorithmList.
CIRCUMVENTION FOR APAR MA45218 :
--------------------------------
None.
Activation Instructions
None.
Special Instructions
None.
Default Instructions
THIS PTF CAN BE APPLIED IMMEDIATE OR DELAYED.
Supersedes
PTF/FIX NO(S). APAR TITLE LINE
-------------- ------------------------------------------------------------
MF60432 LIC-SSL Default cipher suite list empty
MF60368 LIC-COMM-SSL Send SCSV instead of RI Extension when possible
MF60333 LIC-SSL Remove SSLv3 and RC4 from System SSL default
MF59777 LIC-SSL LEAK WHEN SOCKET CLOSED IN 2ND THREAD
MF59777 LIC-COMM-TCPIP-INCORROUT FTPS PROBLEMS WITH SSL REHANDSHAKE
MF58557 LIC-SSL Certificate Verify Message Signature Error
MF58230 LIC-SSL ECDHE Processing Location
MF57990 LIC-SSL SNI JKS
MF57910 LIC-COMM-SSL OCSP not working as expected
MF57818 LIC-SSL SNI mixed case
MF57694 LIC-COMM-SSL Cipher Selection Enhancement
MF57694 LIC-SSL SNI match not found
MF59677 LIC-SSL Control Block Leak In Error Path
MF59644 JVA-RUN Java Secure Socket Extension (JSSE) Support
MF57909 LIC-SSL GSKit GSK_SSL_EXTN_SERVERNAME_REQUEST on session
MF60334 LIC-SSL Remove SSLv3 and RC4 from System SSL default
MF60156 LIC-SSL System SSL Object Garbage Collection
MF60139 LIC-SOCKETS AUDIT RECORD SK SUBTYPE A TELNET
Summary Information
| System.............................. | i |
| Models.............................. | |
| Release............................. | V7R2M0 |
| Licensed Program............... | 5770999 |
| APAR Fixed.......................... | View details for APAR MA45218 |
| Superseded by:...................... | View fix details for PTF MF68212 |
| Recompile........................... | N |
| Library............................. | QSYS |
| MRI Feature ........................ | NONE |
| Cum Level........................... | C6127720 |
IBM disclaims all warranties, whether express or implied, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose. By furnishing this document, IBM grants no licenses to any related patents or copyrights. Copyright © 1996,1997,1998, 1999, 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011, 2012, 2013, 2014, 2015, 2016, 2017, 2018, 2019, 2020 IBM Corporation. Any trademarks and product or brand names referenced in this document are the property of their respective owners. Consult the Terms of use link for trademark information.
Document Information
Modified date:
13 December 2020