Fixes are available
9.0.0.3: WebSphere Application Server traditional V9.0 Fix Pack 3
9.0.0.4: WebSphere Application Server traditional V9.0 Fix Pack 4
8.5.5.12: WebSphere Application Server V8.5.5 Fix Pack 12
9.0.0.5: WebSphere Application Server traditional V9.0 Fix Pack 5
8.0.0.14: WebSphere Application Server V8.0 Fix Pack 14
9.0.0.6: WebSphere Application Server traditional V9.0 Fix Pack 6
8.5.5.13: WebSphere Application Server V8.5.5 Fix Pack 13
9.0.0.7: WebSphere Application Server traditional V9.0 Fix Pack 7
8.0.0.15: WebSphere Application Server V8.0 Fix Pack 15
9.0.0.8: WebSphere Application Server traditional V9.0 Fix Pack 8
8.5.5.14: WebSphere Application Server V8.5.5 Fix Pack 14
9.0.0.9: WebSphere Application Server traditional V9.0 Fix Pack 9
9.0.0.10: WebSphere Application Server traditional V9.0 Fix Pack 10
8.5.5.15: WebSphere Application Server V8.5.5 Fix Pack 15
9.0.0.11: WebSphere Application Server traditional V9.0 Fix Pack 11
9.0.5.0: WebSphere Application Server traditional Version 9.0.5 Refresh Pack
9.0.5.1: WebSphere Application Server traditional Version 9.0.5 Fix Pack 1
9.0.5.2: WebSphere Application Server traditional Version 9.0.5 Fix Pack 2
8.5.5.17: WebSphere Application Server V8.5.5 Fix Pack 17
9.0.5.3: WebSphere Application Server traditional Version 9.0.5 Fix Pack 3
9.0.5.4: WebSphere Application Server traditional Version 9.0.5 Fix Pack 4
9.0.5.5: WebSphere Application Server traditional Version 9.0.5 Fix Pack 5
WebSphere Application Server traditional 9.0.5.6
9.0.5.7: WebSphere Application Server traditional Version 9.0.5 Fix Pack 7
9.0.5.8: WebSphere Application Server traditional Version 9.0.5.8
8.5.5.20: WebSphere Application Server V8.5.5.20
8.5.5.18: WebSphere Application Server V8.5.5 Fix Pack 18
8.5.5.19: WebSphere Application Server V8.5.5 Fix Pack 19
9.0.5.9: WebSphere Application Server traditional Version 9.0.5.9
9.0.5.10: WebSphere Application Server traditional Version 9.0.5.10
8.5.5.16: WebSphere Application Server V8.5.5 Fix Pack 16
8.5.5.21: WebSphere Application Server V8.5.5.21
9.0.5.11: WebSphere Application Server traditional Version 9.0.5.11
APAR status
Closed as program error.
Error description
The default ciphers for TLS 1.1 and TLS 1.2 includes a few weak/null ciphers.
Local fix
Problem summary
**************************************************************** * USERS AFFECTED: Users of IBM Caching Proxy * **************************************************************** * PROBLEM DESCRIPTION: The default ciphers for TLS 1.1 and * * TLS 1.2 includes a few weak/null * * ciphers. * **************************************************************** * RECOMMENDATION: * **************************************************************** Several weak ciphers were removed from the TLS 1.1 default ciphers list. The ciphers that were removed from the default ciphers list for TLS 1.1 are: 05 - TLS_RSA_WITH_RC4_128_SHA 04 - TLS_RSA_WITH_RC4_128_MD5 09 - TLS_RSA_WITH_DES_CBC_SHA 02 - TLS_RSA_WITH_NULL_SHA 01 - TLS_RSA_WITH_NULL_MD5 Two weak ciphers were removed from the TLS 1.2 default ciphers list. The ciphers that were removed from the default ciphers list for TLS 1.2 are: 3B - TLS_RSA_WITH_NULL_SHA256 02 - TLS_RSA_WITH_NULL_SHA Note that the removed ciphers were not preferred ciphers.
Problem conclusion
IBM Caching Proxy will no longer use the weak ciphers for TLS 1.1 and TLS 1.2 by default. The default cipher list for can be overrided using the TLSV11CipherSpecs and TLSV12CipherSpecs directives. The default ciphers for TLS 1.1 are now: 2F - TLS_RSA_WITH_AES_128_CBC_SHA 35 - TLS_RSA_WITH_AES_256_CBC_SHA 0A - TLS_RSA_WITH_3DES_EDE_CBC_SHA The default ciphers for TLS 1.2 are now: 9C - TLS_RSA_WITH_AES_128_GCM_SHA256 9D - TLS_RSA_WITH_AES_256_GCM_SHA384 3C - TLS_RSA_WITH_AES_128_CBC_SHA256 3D - TLS_RSA_WITH_AES_256_CBC_SHA256 2F - TLS_RSA_WITH_AES_128_CBC_SHA 35 - TLS_RSA_WITH_AES_256_CBC_SHA 0A - TLS_RSA_WITH_3DES_EDE_CBC_SHA This fix will be included in IBM Caching Proxy fixpacks: - 8.0.0.14 - 8.5.5.12 - 9.0.0.4
Temporary fix
The weak ciphers can be removed by specifying the desired ciphers using the TLSV11CipherSpecs and TLSV12CipherSpecs directives.
Comments
APAR Information
APAR number
PI74512
Reported component name
WEBS CACH PROXY
Reported component ID
5724H8810
Reported release
900
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2017-01-09
Closed date
2017-01-09
Last modified date
2017-01-09
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
WEBS CACH PROXY
Fixed component ID
5724H8810
Applicable component levels
R800 PSY
UP
R850 PSY
UP
R900 PSY
UP
Document Information
Modified date:
03 May 2022