DISABLE CIPHER ECDHE_RSA_NULL_SHA BY DEFAULT
STAT= CLOSED PER FESN0461035- CTID= EN0313 ISEV= 3
SB19/05/16 RC19/05/16 CL19/07/30 PD SEV= 3
PE= TYPE= F
RCOMP= 5735FAL00 TCP/IP FOR Z/VM RREL= R710
FCOMP= 5735FAL00 TCP/IP FOR Z/VM PFREL= F999 TREL= T
ACTION= SEC/INT= N DUP/
USPTF= UI64500 PDPTF= DUPS 0
DW19/05/16 RT19/05/16 SC FT RE
PT UP LP PV AP
EN FL LC19/09/26 RU19/09/26 OT
CT FR TD TYPE OF SOLUTION=
PROJECTED CLOSE CODE= CUST INST LVL/SU=
FAILING MODULE= SSLCIPHS FAILING LVL/SU= 710
SYSROUTE OF: RET APAR= PS=
STATUS DETAIL= SHIPMENT RELIEF AVAILABLE=
COMP OPER ENV= 710
N
N SCP/
F/ TYPE OF SOLUTION=
PROJECTED CLOSE CODE= CUST INST LVL/SU=
FAILING MODULE= FAILING LVL/SU=
SYSROUTE OF: RET APAR= N PS=
STATUS DETAIL= N N N N N RELIEF AVAILABLE=
COMP OPER ENV=
SYSRES= SYSIN= SYSOUT= CPU= RE-IPL=
OPTYPE= SPECIAL ACTIVITY= REGRESSION=
PRE-SCREEN NO.= RSCP= RS710
ERROR DESCRIPTION:
Cipher ECDHE_RSA_NULL_SHA (0C10) has bulk encryption set to NULL
which results in no encryption if this cipher is selected
during the SSL handshake. This can be misleading if encryption
is expected.
LOCAL FIX:
This cipher can be disabled by specifying it on an EXEMPT
statement in the DTCPARMS entry for the SSL server.
PROBLEM SUMMARY:
****************************************************************
* USERS AFFECTED: Users using SSL and ecc ciphers may wish *
* to have the ECDHE_RSA_NULL_SHA cipher exempt *
* as the default. *
****************************************************************
* PROBLEM DESCRIPTION: *
****************************************************************
* RECOMMENDATION: APPLY PTF *
****************************************************************
The SSL cipher ECDHE_RSA_NULL_SHA is included in the
list of enabled ciphers by default.
PROBLEM CONCLUSION:
The cipher ECDHE_RSA_NULL_SHA will now be exempt as the default.
TEMPORARY FIX:
COMMENTS:
MODULES/MACROS:
SSLCIPHS
SRLS:
NONE
RTN CODES:
APPLICABLE COMPONENT LEVEL/SU:
R710 PSY UI64500 UP19/08/08 P 1902
CIRCUMVENTION:
MESSAGE TO SUBMITTER: