IBM Support

How do I remove the null cipher from the list of acceptable ciphers for z/OS Communications Server IP?

Question & Answer


Question

How do I remove the null cipher from the list of acceptable ciphers for secure FTP and AT-TLS?

Answer

The default cipher list used by System SSL includes a null cipher, which provides no encryption or authentication.

The null ciphers for secure FTP are:

  • SSL_NULL_MD5

  • SSL_NULL_SHA

To remove the null ciphers from the acceptable list of ciphers used by secure FTP, code CIPHERSUITE statements that specify non-null ciphers only.

The null ciphers for secure Telnet are:

  • SSL_NULL_SHA

  • SSL_NULL_MD5

  • SSL_NULL_Null

To remove the null ciphers from the acceptable list of ciphers used by secure Telnet, code your ENCRYPTION statement to specify non-null ciphers only.

The null ciphers for AT-TLS are:

  • TLS_NULL_WITH_NULL_NULL

  • TLS_RSA_WITH_NULL_MD5

  • TLS_RSA_WITH_NULL_SHA

  • TLS_RSA_WITH_NULL_SHA256 (starting with V2R1)

  • TLS_ECDH_ECDSA_WITH_NULL_SHA (starting with V2R1)

  • TLS_ECDHE_ECDSA_WITH_NULL_SHA (starting with V2R1)

  • TLS_ECDH_RSA_WITH_NULL_SHA (starting with V2R1)

  • TLS_ECDHE_RSA_WITH_NULL_SHA (starting with V2R1)

To remove the null ciphers from the acceptable list of ciphers used by AT-TLS:

  • If hard-coding your AT-TLS policy, code non-null ciphers only on the V3CipherSuites parameter of your TTLSCipherSuites statement.

  • If using the z/OSMF Configuration Assistant, avoid selecting the null ciphers in the Security Level dialog of the AT-TLS perspective.
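
The following Python check is an added example, not IBM code: it scans configuration text for the null cipher names listed above, each in the context of the statement or parameter that carries it (CIPHERSUITE, ENCRYPTION, V3CipherSuites). The sample input is constructed and combines three fragments in one string for brevity; the comment characters (`;` and `#`), the ENDENCRYPTION terminator, and the non-null cipher names in the sample are assumptions not taken from this page.

```python
import re

# Null cipher names as listed on this page, keyed by the statement or
# parameter that carries them (keys upper-cased for matching).
NULL_CIPHERS = {
    "CIPHERSUITE": {"SSL_NULL_MD5", "SSL_NULL_SHA"},                  # secure FTP
    "ENCRYPTION": {"SSL_NULL_SHA", "SSL_NULL_MD5", "SSL_NULL_NULL"},  # secure Telnet
    "V3CIPHERSUITES": {                                               # AT-TLS
        "TLS_NULL_WITH_NULL_NULL", "TLS_RSA_WITH_NULL_MD5",
        "TLS_RSA_WITH_NULL_SHA", "TLS_RSA_WITH_NULL_SHA256",
        "TLS_ECDH_ECDSA_WITH_NULL_SHA", "TLS_ECDHE_ECDSA_WITH_NULL_SHA",
        "TLS_ECDH_RSA_WITH_NULL_SHA", "TLS_ECDHE_RSA_WITH_NULL_SHA",
    },
}

def find_null_ciphers(text):
    """Return (line_number, keyword, cipher) for each null cipher coded."""
    findings = []
    block = None  # set while inside an ENCRYPTION ... ENDENCRYPTION block
    for lineno, raw in enumerate(text.splitlines(), 1):
        # Assumption: ';' and '#' start a comment that runs to end of line.
        line = re.split(r"[;#]", raw, maxsplit=1)[0]
        keyword = block
        for tok in line.split():
            up = tok.upper()
            if up == "ENDENCRYPTION":
                keyword = block = None
            elif up in NULL_CIPHERS:
                keyword = up
                if up == "ENCRYPTION":
                    block = up  # the cipher list may span several lines
            elif keyword and up in NULL_CIPHERS[keyword]:
                findings.append((lineno, keyword, tok))
    return findings

# Constructed sample input (not from a real system).
SAMPLE = """\
; constructed FTP.DATA fragment
CIPHERSUITE SSL_NULL_SHA       ; should be removed
CIPHERSUITE SSL_AES_256_SHA
; constructed Telnet profile fragment
ENCRYPTION
  SSL_AES_256_SHA
  SSL_NULL_Null
ENDENCRYPTION
# constructed AT-TLS policy fragment
V3CipherSuites TLS_RSA_WITH_NULL_SHA256
V3CipherSuites TLS_RSA_WITH_AES_256_CBC_SHA
"""

if __name__ == "__main__":
    for lineno, keyword, cipher in find_null_ciphers(SAMPLE):
        print(f"line {lineno}: {keyword} codes null cipher {cipher}")
```

An empty result means no null cipher is explicitly coded; it does not show that a cipher list was coded at all, so a configuration that relies on the System SSL defaults still needs the changes described above.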


Product Synonym

ZOSCS COMMSERVER

Document Information

Modified date:
13 April 2018

UID

dwa1190076