DISABLE CIPHER ECDHE_RSA_NULL_SHA BY DEFAULT
STAT= CLOSED PER FESN0461035- CTID= EN0313 ISEV= 3
SB19/05/16 RC19/05/16 CL19/07/30 PD SEV= 3 PE= TYPE= F
RCOMP= 5735FAL00 TCP/IP FOR Z/VM RREL= R710
FCOMP= 5735FAL00 TCP/IP FOR Z/VM PFREL= F999 TREL= T
ACTION= SEC/INT= N DUP/
USPTF= UI64500 PDPTF= DUPS 0
DW19/05/16 RT19/05/16 SC FT RE PT UP LP PV AP EN FL
LC19/09/26 RU19/09/26 OT CT FR TD

TYPE OF SOLUTION= PROJECTED CLOSE CODE=
CUST INST LVL/SU=
FAILING MODULE= SSLCIPHS FAILING LVL/SU= 710
SYSROUTE OF: RET APAR= PS=
STATUS DETAIL= SHIPMENT
RELIEF AVAILABLE=
COMP OPER ENV= 710 N N
SCP/ F/

TYPE OF SOLUTION= PROJECTED CLOSE CODE=
CUST INST LVL/SU=
FAILING MODULE= FAILING LVL/SU=
SYSROUTE OF: RET APAR= N PS=
STATUS DETAIL= N N N N N
RELIEF AVAILABLE=
COMP OPER ENV=
SYSRES= SYSIN= SYSOUT= CPU= RE-IPL= OPTYPE=
SPECIAL ACTIVITY= REGRESSION=
PRE-SCREEN NO.=
RSCP= RS710

ERROR DESCRIPTION:
Cipher ECDHE_RSA_NULL_SHA (0C10) has bulk encryption set to NULL
which results in no encryption if this cipher is selected during
the SSL handshake. This can be misleading if encryption is
expected.

LOCAL FIX:
This cipher can be disabled by specifying it on an EXEMPT
statement in the DTCPARMS entry for the SSL server.

PROBLEM SUMMARY:
****************************************************************
* USERS AFFECTED: Users using SSL and ecc ciphers may wish     *
*                 to have the ECDHE_RSA_NULL_SHA cipher exempt *
*                 as the default.                              *
****************************************************************
* PROBLEM DESCRIPTION:                                         *
****************************************************************
* RECOMMENDATION: APPLY PTF                                    *
****************************************************************
The SSL cipher ECDHE_RSA_NULL_SHA is included in the list of
enabled ciphers by default.

PROBLEM CONCLUSION:
The cipher ECDHE_RSA_NULL_SHA will now be exempt as the default.

TEMPORARY FIX:

COMMENTS:

MODULES/MACROS: SSLCIPHS

SRLS: NONE

RTN CODES:

APPLICABLE COMPONENT LEVEL/SU:
R710 PSY UI64500 UP19/08/08 P 1902

CIRCUMVENTION:

MESSAGE TO SUBMITTER: