Author Topic: How to remove vulnerable ciphers  (Read 900 times)

Sue

  • Newbie
  • Posts: 2
How to remove vulnerable ciphers
« on: November 13, 2021, 06:33:58 AM »
Penetration tests are showing vulnerabilities on the port that arssockd listens on: 3DES-CBC SHA1.
I have added ARSSOCK_STRICT_SHA2_ONLY_CERTS=1 to the ars.cfg file and cycled arssockd. The vulnerability is still there.
I have a case opened with IBM. The support person claims that the SSL certificate is determining the cipher used, which I believe is incorrect. I believe the cipher is negotiated prior to certificate exchange, and the cert is used for authentication, not cipher negotiation.

Any suggestions on how I might correct this issue? Is there an equivalent parameter for 3DES to add to the ars.cfg file?
« Last Edit: November 13, 2021, 07:45:28 AM by Sue »

Justin Derrick

  • IBM Content Manager OnDemand Consultant
  • Administrator
  • Hero Member
  • Posts: 2229
  • CMOD Guru for hire...
    • Tenacious Consulting
Re: How to remove vulnerable ciphers
« Reply #1 on: November 15, 2021, 09:14:22 AM »
As far as GSKit is concerned, there is no (documented?) way to pre-select which specific, individual ciphers are used for communications, but you can disable the old version of TLS with GSK_PROTOCOL_TLSV1=0.  I suspect this needs to be exported as an environment variable before you start the CMOD arssockd daemon.

Since 3DES-CBC-SHA1 is not a public key algorithm, your security folks are more likely concerned with protecting communications, and are probably confused about how the certificate factors into this.

The parameter you've set in the CMOD ars.ini file simply prevents insecure certificates from being used; it doesn't factor into the selection of ciphers. See: https://cmod.wiki/index.php?title=ars.ini#Unlisted_CMOD_Configuration_Parameters

Your best bet is to open a new ticket, asking how to configure the ciphers that GSKit presents to clients, or for other recommended flags to set as environment variables to modify GSKit's behaviour.

-JD.

IBM CMOD Professional Services: http://TenaciousConsulting.com
Call:  +1-866-533-7742  or  eMail:  jd@justinderrick.com
IBM CMOD Wiki:  https://CMOD.wiki/
FREE IBM CMOD Education & Webinars:  https://CMOD.Training/

Interests: #AIX #Linux #Multiplatforms #DB2 #TSM #SP #Performance #Security #Audits #Customizing #Availability #HA #DR

Ed_Arnold

  • Hero Member
  • Posts: 1199
Re: How to remove vulnerable ciphers
« Reply #2 on: November 15, 2021, 01:34:53 PM »
Sue - are you on z?

This is how we input those parms when we were doing testing, copied from a test ARSSOCKD:

XXARSSOC95 EXEC PGM=ARSSOCKD,REGION=0M,TIME=NOLIMIT, 
* PARM='ENVAR(GSK_PROTOCOL_TLSV1_2=ON,GSK_V3_CIPHER_SPECS=3C)  Pick one, can't both be active
* PARM='ENVAR(GSK_PROTOCOL_TLSV1_2=ON,GSK_PROTOCOL_TLSV1=0)    Pick one, can't both be active 
             /-S -I ARCH950 -v'   
       

Ed                 
#zOS #ODF

Sue

  • Newbie
  • Posts: 2
Re: How to remove vulnerable ciphers
« Reply #3 on: November 15, 2021, 03:02:04 PM »

Thank you for your reply. I am on multiplatform. I have the following configured:
ARSSOCK_TLSV12_ONLY=1
ARSSOCK_STRICT_SHA2_ONLY_CERTS=1

Based on further testing over the weekend, I believe that I need to block the 3DES/TDES/TDEA cipher and am trying to determine if there is an additional parameter for this.  I am also awaiting a response from IBM.
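
A way to retest the 3DES finding on your own server after each configuration change, added here as an example (it is not from any poster in this thread or from IBM): the script offers a single cipher suite in a raw TLS ClientHello and reports whether the server picks it in its ServerHello or answers with an alert. It assumes the arssockd port accepts a TLS handshake from the first byte; host and port are supplied by you, and IANA suite 0x003C (the same hex value as the "3C" in the sample above) is included only as a positive control.

```python
import os, socket, struct, sys

# IANA cipher suite IDs: 0x000A is the 3DES suite from the pentest finding;
# 0x003C is included as a positive control (an AES suite the server may accept).
SUITES = {0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
          0x003C: "TLS_RSA_WITH_AES_128_CBC_SHA256"}

def client_hello(suites, version=0x0303):
    """Build a minimal TLS 1.2 ClientHello record that offers only `suites`."""
    body = struct.pack("!H", version) + os.urandom(32) + b"\x00"  # version, random, empty session_id
    body += struct.pack("!H", 2 * len(suites))
    body += b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                                  # one compression method: null
    hs = b"\x01" + len(body).to_bytes(3, "big") + body   # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

def parse_reply(data):
    """Classify the first record of the reply: accepted suite, alert, or unknown."""
    if len(data) < 5:
        return ("unknown", None)
    frag = data[5:5 + struct.unpack("!H", data[3:5])[0]]
    if data[0] == 0x15 and len(frag) >= 2:               # alert record: level, description
        return ("alert", frag[1])
    if data[0] == 0x16 and len(frag) >= 39 and frag[0] == 0x02:   # ServerHello
        off = 39 + frag[38]                              # skip header, version, random, session_id
        if len(frag) >= off + 2:
            return ("accepted", struct.unpack("!H", frag[off:off + 2])[0])
    return ("unknown", None)

def probe(host, port, suite=0x000A, timeout=5.0):
    """Offer a single suite to host:port and report how the server answers."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(client_hello([suite]))
        data = b""
        while len(data) < 5 or len(data) < 5 + struct.unpack("!H", data[3:5])[0]:
            chunk = s.recv(4096)
            if not chunk:
                break
            data += chunk
    return parse_reply(data)

if __name__ == "__main__":
    # Usage: python probe.py <host> <port>   (host and port are yours to supply)
    kind, value = probe(sys.argv[1], int(sys.argv[2]))
    print(f"3DES offer -> {kind}: {SUITES.get(value, value)}")
```

An `accepted` result with suite 0x000A means 3DES is still enabled; an alert (typically description 40, handshake_failure) means the server refused it.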