This topic describes which versions of the SSL and TLS protocols
the i5/OS™ implementation
supports.
There are several versions of the SSL protocol defined. The latest version,
the Transport Layer Security Protocol (TLS), is based on SSL 3.0 and is a
product of the Internet Engineering Task Force (IETF). The i5/OS implementation
supports the following versions of the SSL and TLS protocols:
- TLS Version 1.0
- TLS Version 1.0 with SSL Version 3.0 compatibility
  Note:
  - Specifying TLS Version 1.0 with SSL Version 3.0 compatibility means that
    TLS will be negotiated if possible and if that is not possible then SSL Version
    3.0 will be negotiated. If SSL Version 3.0 cannot be negotiated, the SSL
    handshake will fail.
  - The iSeries system also supports TLS Version 1.0 with SSL Version 3.0 and SSL Version 2.0
    compatibility. This is specified with the protocol value of ALL,
    which means that TLS will be negotiated if possible and if that is not possible
    then SSL Version 3.0 will be negotiated. If SSL Version 3.0 cannot be negotiated,
    SSL Version 2.0 will be negotiated. If SSL Version 2.0 cannot be negotiated,
    the SSL handshake will fail.
- SSL Version 3.0
- SSL Version 2.0
- SSL Version 3.0 with SSL Version 2.0 compatibility
TLS Version 1.0 versus SSL Version 3.0
The latest industry standard SSL protocol based on SSL Version 3.0 is Transport Layer
Security (TLS) Version 1.0. Its specifications are defined by the Internet
Engineering Task Force (IETF) in RFC 2246, The TLS Protocol.
The
major goal of TLS is to make SSL more secure and to make the specification
of the protocol more precise and complete. TLS provides these enhancements
over SSL Version 3.0:
- A more secure MAC algorithm
- More granular alerts
- Clearer definitions of "gray area" specifications
Any iSeries™ server
applications that are enabled for SSL will automatically obtain TLS support
unless the application has specifically requested to use only SSL Version
3.0 or SSL Version 2.0.
TLS provides the following security improvements:
- Keyed-Hashing for Message Authentication: TLS uses Keyed-Hashing for
Message Authentication Code (HMAC), which ensures that a record cannot be
altered while travelling over an open network such as the Internet. SSL Version
3.0 also provides keyed message authentication, but HMAC is more secure than
the Message Authentication Code (MAC) function that SSL Version 3.0 uses.
- Enhanced Pseudorandom Function (PRF): PRF generates key data. In
TLS, the HMAC defines the PRF. The PRF uses two hash algorithms in a way which
guarantees its security. If either algorithm is exposed, the data will remain
secure as long as the second algorithm is not exposed.
- Improved finished message verification: Both TLS Version 1.0 and
SSL Version 3.0 provide a finished message to both endpoints that authenticates
that the exchanged messages were not altered. However, TLS bases this finished
message on the PRF and HMAC values, which again is more secure than SSL Version
3.0.
- Consistent certificate handling: Unlike SSL Version 3.0, TLS attempts
to specify the type of certificate which must be exchanged between TLS implementations.
- Specific alert messages: TLS provides more specific and additional
alerts to indicate problems that either session endpoint detects. TLS also
documents when certain alerts should be sent.