Use this list:

SSLCipherSpec SSL_RSA_WITH_RC4_128_MD5
SSLCipherSpec SSL_RSA_WITH_RC4_128_SHA
SSLCipherSpec SSL_RSA_WITH_DES_CBC_SHA
SSLCipherSpec SSL_RSA_WITH_3DES_EDE_CBC_SHA
SSLCipherSpec SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5

There is an in-depth discussion of this in the mailing list archives at
http://www.ignite400.org.

Matt

-----Original Message-----
From: web400-bounces@xxxxxxxxxxxx [mailto:web400-bounces@xxxxxxxxxxxx]
On Behalf Of Jones, John (US)
Sent: Tuesday, October 23, 2007 3:01 PM
To: Web Enabling the AS400 / iSeries
Subject: [WEB400] Eliminating sub-128 bit encryption

Has anyone configured their i5/OS Apache web server that already uses
SSL to not support weak encryption standards, i.e. 40 & 56-bit? If so,
which protocols did you leave enabled? As we currently do TLS 1.0 with
SSL 3.0, I'm thinking the httpd.conf would look like this:

SSLVersion TLSV1_SSLV3
SSLCipherSpec SSL_RSA_WITH_RC4_128_MD5
SSLCipherSpec SSL_RSA_WITH_RC4_128_SHA
SSLCipherSpec SSL_RSA_WITH_3DES_EDE_CBC_SHA
SSLCipherSpec TLS_RSA_WITH_AES_128_CBC_SHA
SSLCipherSpec TLS_RSA_WITH_AES_256_CBC_SHA
SSLCipherSpec SSL_RSA_WITH_RC4_128_MD5
SSLCipherSpec SSL_RSA_WITH_RC4_128_SHA
SSLCipherSpec SSL_RSA_WITH_3DES_EDE_CBC_SHA

Is there anything else special that needs to be done?

At
http://publib.boulder.ibm.com/infocenter/iseries/v5r3/index.jsp?topic=/rzain/rzainplanssl.htm ,
IBM has this: "Note: If you want to restrict SSL
from supporting less than 128 bits of secret material within the
symmetric key, click the Send feedback link located at the top of this
page and fill out the form with your contact information. In the
comments section of the form, include the following text "I would like
instructions on how to restrict SSL from supporting less than 128 bits
of secret material within the symmetric key on a system running V5R3
OS/400" and click Submit. You will be contacted with further
instructions."

As that comment is in the same bullet as Crypto Access Provider, it
makes me wonder if a tweak to 5722-AC3 is needed. I sent in the
feedback as requested; hopefully IBM will respond shortly.
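
An added example, not part of the original messages or IBM's documentation: a Python check that reads SSLCipherSpec directives like the ones quoted in this thread and reports ciphers whose name indicates fewer than 128 bits of key material, plus repeated directives. The key sizes are inferred from the cipher names (an assumption), and 3DES is counted at its nominal 168 bits.

```python
import re

# Constructed sample input: the two directive lists quoted in this thread.
REPLY_LIST = """\
SSLCipherSpec SSL_RSA_WITH_RC4_128_MD5
SSLCipherSpec SSL_RSA_WITH_RC4_128_SHA
SSLCipherSpec SSL_RSA_WITH_DES_CBC_SHA
SSLCipherSpec SSL_RSA_WITH_3DES_EDE_CBC_SHA
SSLCipherSpec SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5
"""
QUESTION_CONF = """\
SSLVersion TLSV1_SSLV3
SSLCipherSpec SSL_RSA_WITH_RC4_128_MD5
SSLCipherSpec SSL_RSA_WITH_RC4_128_SHA
SSLCipherSpec SSL_RSA_WITH_3DES_EDE_CBC_SHA
SSLCipherSpec TLS_RSA_WITH_AES_128_CBC_SHA
SSLCipherSpec TLS_RSA_WITH_AES_256_CBC_SHA
SSLCipherSpec SSL_RSA_WITH_RC4_128_MD5
SSLCipherSpec SSL_RSA_WITH_RC4_128_SHA
SSLCipherSpec SSL_RSA_WITH_3DES_EDE_CBC_SHA
"""
# Commented-out directives do not match: only whitespace may precede the keyword.
DIRECTIVE = re.compile(r"^[ \t]*SSLCipherSpec[ \t]+(\S+)", re.I | re.M)
FIXED = {"NULL": 0, "3DES": 168, "DES": 56}  # sizes not spelled out in the name

def key_bits(spec):
    """Nominal key bits read from the cipher name; None if the name gives no size."""
    tokens = spec.upper().split("_")
    fixed = [FIXED[t] for t in tokens if t in FIXED]
    sizes = fixed or [int(t) for t in tokens if t.isdigit()]
    return sizes[0] if sizes else None

def audit(conf_text, minimum=128):
    """Report weak ciphers, repeated directives and names that could not be sized."""
    seen, report = set(), {"weak": [], "duplicates": [], "unknown": []}
    for spec in DIRECTIVE.findall(conf_text):
        bits = key_bits(spec)
        if spec in seen:
            report["duplicates"].append(spec)
        elif bits is None:
            report["unknown"].append(spec)
        elif bits < minimum:
            report["weak"].append((spec, bits))
        seen.add(spec)
    return report

if __name__ == "__main__":
    for label, text in (("reply", REPLY_LIST), ("question", QUESTION_CONF)):
        print(label, audit(text))
```

Names that land in "unknown" need a manual lookup before the list is trusted.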



This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page.