What's new for IBM® i 7.3

Read about new or significantly changed information for Secure Sockets Layer/Transport Layer Security.

What's new as of April 2020

The following support was added to System SSL/TLS as part of PTFs. See https://www.ibm.com/support/pages/node/6151287 for more information on the PTFs to install for the support.

RFC 8446 defines version 1.3 of the TLS protocol. Support for Tranport Layer Security protocol version 1.3 (TLSv1.3) was added. See the System SSL/TLS system level settings for the enabled and default attributes that were updated to include the new TLSv1.3 values.
- See Protocol configuration for updates to the System SSL/TLS enabled and default protocols.
- See Cipher suite configuration for updates to the System SSL/TLS enabled and default cipher suites.
- See Signature algorithms for updates to the System SSL/TLS enabled and default Certificate selection and Message signature.
- See Supported groups for more information on how TLSv1.3 and TLSv1.2 protocols interpret the elliptic curve groups setting.
The TLSv1.3 protocol significantly altered existing handshake message formats, and added and removed other handshake messages. Early TLSv1.3 adopters encountered handshake failures as a result of middleboxes on the network between the client and server not understanding the new protocol. TLSv1.3 RFC 8446 Appendix D defines an optional Middlebox Compatibility Mode applications can use to mitigate middlebox issues in the network. For more information, see Middlebox compatibility mode.
The TLSv1.3 protocol eliminated renegotiation. Renegotiation is only applicable to TLSv1.2 and earlier protocol versions. The TLSv1.3 protocol uses Key update processing to generate new read and write keys for an existing secure session. This replaces renegotiation and its deficiencies with a simple key update mechanism.
System SSL/TLS allows up to four certificates to be assigned to a secure environment. For information on how the TLSv1.3 secure protocol affects the certificate selection process, see Multiple certificate selection.
Digital Certificate Manager (DCM) manages an application database that contains application definitions. System SSL/TLS users know this application definition as an “Application ID. The application definitions were updated to encapsulate the following System SSL/TLS attributes for the application.
The Retrieve TLS Attributes (QsoRtvTLSA) API allows the retrieval of the system-wide System SSL/TLS current default properties. The properties can be changed and viewed with TLSCONFIG. The benefit of QsoRtvTLSA is it can be included in programs or scripts for health check actions.
ChaCha20Poly1305 cipher suite support was added for the TLSv1.2 protocol. *ECDHE_ECDSA_CHACHA20_POLY1305_SHA256 and *ECDHE_RSA_CHACHA20_POLY1305_SHA256 were added to both the supported and default cipher suite lists. See Cipher suite configuration for updates to the cipher suite lists.
Elliptic Curve support for Curve25519(x25519) and Curve448(x448) were added to both the supported and default lists of supported groups. See Supported groups for updates to the list of supported groups.
System SSL/TLS added support for Online Certificate Status Protocol (OCSP) stapling in the TLSv1.3 and TLSv1.2 protocols. This support allows client applications to send a certificate status request extension as part of the TLS handshake, as defined in RFC 6066, requesting that the server complete OCSP requests on behalf of the client. Based on the server's OCSP configuration, server applications enabling this new support query an OCSP responder and send the OCSP response back to the client. See Online Certificate Status Protocol for more information on OCSP stapling.

What's new as of November 2016

The 3DES cipher suites should not be used due to the Sweet32 vulnerability. PTF MF62780 removes the 3DES cipher suite from the System SSL default eligible cipher suite list. For more information, see Cipher suite configuration.

System SSL/TLS Enhancements

Updated System SSL/TLS Protocol configuration to describe enabled and default protocols and configuration options to change these values.
Updated System SSL/TLS Cipher suite configuration to describe enabled and default cipher suites and configuration options to change these values.
Updated the default Signature algorithms used by System SSL/TLS.
Added support to specify the Minimum RSA key size allowed for a certificate that is used by System SSL/TLS for a secure handshake.
Added Supported groups to describe configuration options to change the ECDSA key sizes that are allowed for System SSL/TLS.
Added information on how to stay up to date on Security bulletins.
Added details for How to determine what System SSL/TLS protocols and cipher suites are used on the system.

How to see what's new or changed

To help you see where technical changes have been made, the information center uses:

The image to mark where new or changed information begins.
The image to mark where new or changed information ends.

In PDF files, you might see revision bars (|) in the left margin of new and changed information.

To find other information about what's new or changed this release, see the Memo to users.