PI74512: UPDATE IBM CACHING PROXY'S DEFAULT CIPHERS FOR TLS 1.1 AND TLS 1.2.

Fixes are available

APAR status

Closed as program error.

Error description

The default ciphers for TLS 1.1 and TLS 1.2 includes a few
weak/null ciphers.

Local fix

Problem summary

****************************************************************
* USERS AFFECTED:  Users of IBM Caching Proxy                  *
****************************************************************
* PROBLEM DESCRIPTION: The default ciphers for TLS 1.1 and     *
*                      TLS 1.2 includes a few weak/null        *
*                      ciphers.                                *
****************************************************************
* RECOMMENDATION:                                              *
****************************************************************
Several weak ciphers were removed from the TLS 1.1 default
ciphers list. The ciphers that were removed from the default
ciphers list for TLS 1.1 are:
05 - TLS_RSA_WITH_RC4_128_SHA
04 - TLS_RSA_WITH_RC4_128_MD5
09 - TLS_RSA_WITH_DES_CBC_SHA
02 - TLS_RSA_WITH_NULL_SHA
01 - TLS_RSA_WITH_NULL_MD5
Two weak ciphers were removed from the TLS 1.2 default ciphers
list. The ciphers that were removed from the default ciphers
list for TLS 1.2 are:
3B - TLS_RSA_WITH_NULL_SHA256
02 - TLS_RSA_WITH_NULL_SHA
Note that the removed ciphers were not preferred
ciphers.

Problem conclusion

IBM Caching Proxy will no longer use the weak ciphers for
TLS 1.1 and TLS 1.2 by default. The default cipher list for
can be overrided using the TLSV11CipherSpecs and
TLSV12CipherSpecs directives.

The default ciphers for TLS 1.1 are now:
2F - TLS_RSA_WITH_AES_128_CBC_SHA
35 - TLS_RSA_WITH_AES_256_CBC_SHA
0A - TLS_RSA_WITH_3DES_EDE_CBC_SHA

The default ciphers for TLS 1.2 are now:
9C - TLS_RSA_WITH_AES_128_GCM_SHA256
9D - TLS_RSA_WITH_AES_256_GCM_SHA384
3C - TLS_RSA_WITH_AES_128_CBC_SHA256
3D - TLS_RSA_WITH_AES_256_CBC_SHA256
2F - TLS_RSA_WITH_AES_128_CBC_SHA
35 - TLS_RSA_WITH_AES_256_CBC_SHA
0A - TLS_RSA_WITH_3DES_EDE_CBC_SHA

This fix will be included in IBM Caching Proxy fixpacks:
 - 8.0.0.14
 - 8.5.5.12
 - 9.0.0.4

Temporary fix

The weak ciphers can be removed by specifying the desired
ciphers using the TLSV11CipherSpecs and TLSV12CipherSpecs
directives.

Comments

APAR Information

APAR number
PI74512
Reported component name
WEBS CACH PROXY
Reported component ID
5724H8810
Reported release
900
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2017-01-09
Closed date
2017-01-09
Last modified date
2017-01-09

APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:

Fix information

Fixed component name
WEBS CACH PROXY
Fixed component ID
5724H8810

Applicable component levels

R800 PSY
UP
R850 PSY
UP
R900 PSY
UP

[{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSEQTP","label":"WebSphere Application Server"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"900","Line of Business":{"code":"LOB45","label":"Automation"}}]

Document Information

Modified date:
03 May 2022

Tips

PI74512: UPDATE IBM CACHING PROXY'S DEFAULT CIPHERS FOR TLS 1.1 AND TLS 1.2.

Fixes are available

Subscribe

APAR status

Closed as program error.

Error description

Local fix

Problem summary

Problem conclusion

Temporary fix

Comments

APAR Information

APAR number

Reported component name

Reported component ID

Reported release

Status

PE

HIPER

Special Attention

Submitted date

Closed date

Last modified date

APAR is sysrouted FROM one or more of the following:

APAR is sysrouted TO one or more of the following:

Fix information

Fixed component name

Fixed component ID

Applicable component levels

R800 PSY

R850 PSY

R900 PSY

Document Information

Share your feedback

Need support?