On Wed, 28 Jan 2009 14:55:48 -0600, Hal Merritt <hmerr...@jackhenry.com> wrote:
>I've been 'asked' by auditors to disallow 'anonymous ciphers' suites. I
>don't specify anything in my TCPPARMS so I guess I need to specify a list
>of acceptable suites. Can anyone point me to a list and/or craft such a list
>of supported suites?
>
>We are z/os 1.7 with a 1.9 implementation plan in progress.

You can find a list of the suites that System SSL supports in the (at z/OS
R9) System SSL Programming book, at
http://publibz.boulder.ibm.com/cgi-bin/bookmgr_OS390/BOOKS/GSKA1A50/6.12?SHELF=EZ2ZO10K&DT=20070508220341
or http://preview.tinyurl.com/bt4fy8

(Note: the book title changed at z/OS R10 to something like Secure Sockets
Programming.)

What you'll find there is the list of supported suites, and the default
suites if the application does not override them.  You'll also see that
"anonymous cipher" is not in the list of suites that z/OS System SSL
supports.  Its use is deprecated as it can suffer from man-in-the-middle
attacks, and so we did not implement it in System SSL.

You'll also understand from reading that API description that while it gives
you the list of suites we support, if you did have to do any
configuration in this area you'd have to be configuring individual applications.

And that thought (thanks to one of my colleagues) leads to a potential
concern if you have any Java-based applications that are using SSL.   As I
understand it our Java implementation does not make use of System SSL, and
as a result may (I'm not sure) allow anonymous cipher usage with SSL.

But for non-Java cases (FTP with SSL, HTTPS, etc.) you should be OK without
doing anything.

-- 
  Walt Farrell, CISSP
  IBM STSM, z/OS Security Design

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html
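The Java concern raised above can be checked and closed inside the application itself. The following is an added example, not code from this thread or from IBM: it assumes a plain JSSE application (the standard javax.net.ssl API), filters the JVM's default-enabled suites down to those with an authenticated key exchange, and applies that list to a listening socket. The "_anon_" name match and port 8443 are assumptions of the example.

```java
import java.io.IOException;
import java.security.NoSuchAlgorithmException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLServerSocketFactory;

public class NoAnonymousSuites {

    /** Keep only suites whose key exchange is authenticated. JSSE names its
     *  anonymous suites with "anon" (TLS_DH_anon_..., TLS_ECDH_anon_...);
     *  matching on that substring is an assumption of this example. */
    static String[] dropAnonymousSuites(String[] suites) {
        List<String> kept = new ArrayList<>();
        for (String name : suites) {
            if (!name.toUpperCase().contains("_ANON_")) {
                kept.add(name);
            }
        }
        return kept.toArray(new String[0]);
    }

    /** Audit helper: which of this JVM's default-enabled suites are anonymous? */
    static List<String> anonymousSuitesEnabledByDefault() throws NoSuchAlgorithmException {
        String[] enabled = SSLContext.getDefault().getServerSocketFactory().getDefaultCipherSuites();
        List<String> result = new ArrayList<>(Arrays.asList(enabled));
        result.removeAll(Arrays.asList(dropAnonymousSuites(enabled)));
        return result;
    }

    /** Open a listening TLS socket and narrow its enabled suites to the JVM
     *  defaults minus anything anonymous, so the server never offers them. */
    static SSLServerSocket listen(int port) throws IOException, NoSuchAlgorithmException {
        SSLServerSocketFactory factory = SSLContext.getDefault().getServerSocketFactory();
        SSLServerSocket server = (SSLServerSocket) factory.createServerSocket(port);
        server.setEnabledCipherSuites(dropAnonymousSuites(server.getEnabledCipherSuites()));
        return server;
    }

    public static void main(String[] args) throws Exception {
        List<String> anon = anonymousSuitesEnabledByDefault();
        System.out.println(anon.isEmpty()
            ? "No anonymous suites are enabled by default on this JVM."
            : "Anonymous suites enabled by default: " + anon);
        SSLServerSocket server = listen(8443); // port is an assumption
        System.out.println("Enabled after filtering: " + Arrays.toString(server.getEnabledCipherSuites()));
        server.close();
    }
}
```

Newer JDKs also let an administrator disable such suites for every application on the JVM through the jdk.tls.disabledAlgorithms security property, which avoids touching each application individually.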