Missing Cipher Suites in the CA LDAP log
Article ID: 236491

Products

LDAP SERVER FOR Z/OS

Issue/Introduction

Windows Server 2016 requires one of these cipher suites:

TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_AES_128_GCM_SHA256

These cipher suites do not appear in the LDAP documentation for the TLSCipherSuite option, and when LDAP is started with DEBUG= -1 they do not appear in the list of available cipher suites written to the log.

 

Environment

Release : 15.1

Component : LDAP Server

Resolution

The LDAP documentation lists only a sample of the available cipher suite names, not the complete set.

The set of cipher suites that is actually available is determined by the IBM System SSL component.

The following cipher suites are all supported:

TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_AES_128_GCM_SHA256

The "TLS: available cipher suites" section of the log does not list cipher suites by name; each entry is identified by the 4-character (hexadecimal) cipher number of the cipher suite.

The 4-character cipher suite definitions are available at the following link:

4-character cipher suite definitions

According to that list, the 4-character codes associated with the cipher suites above are the following:

 

4-Character   Cipher name
---------------------------------------------------------
C02C          TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
C02B          TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
C030          TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
C02F          TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
009D          TLS_RSA_WITH_AES_256_GCM_SHA384
009C          TLS_RSA_WITH_AES_128_GCM_SHA256



In the "TLS: available cipher suites" list that appears in the LDAP log, these cipher suites appear as:

C02C: Kx=ECDHE Enc=AES(256)  Mac=AEAD
C02B: Kx=ECDHE Enc=AES(128)  Mac=AEAD
C030: Kx=ECDHE Enc=AES(256)  Mac=AEAD
C02F: Kx=ECDHE  Enc=AES(128)  Mac=AEAD
009D: Kx=RSA   Enc=AES(256)  Mac=AEAD
009C: Kx=RSA   Enc=AES(128)  Mac=AEAD

 

In summary:

To verify whether a cipher suite is available to CA LDAP, look up its 4-character code in the 4-character cipher suite definitions, then check whether that code appears in the LDAP log under the "TLS: available cipher suites" section. The cipher suite name itself never appears in the log, so a name that is absent from the documentation or the log does not by itself mean the suite is unsupported.
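The check described in the summary, written out as an added example script (not part of this article or of the CA LDAP product): it maps the suite names from the table above to their 4-character codes, extracts the entries that follow the "TLS: available cipher suites" header from a DEBUG= -1 log, and reports which required suites are present and which are missing. The log excerpt is constructed, and the entry layout is assumed to match the "C02C: Kx=ECDHE Enc=AES(256)  Mac=AEAD" form shown above.

```python
import re

# Cipher suite name -> 4-character cipher number, from the table in this article.
CIPHER_CODES = {
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384": "C02C",
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256": "C02B",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384": "C030",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256": "C02F",
    "TLS_RSA_WITH_AES_256_GCM_SHA384": "009D",
    "TLS_RSA_WITH_AES_128_GCM_SHA256": "009C",
}
REQUIRED_WINDOWS_2016 = list(CIPHER_CODES)  # the six suites the article names
# One log entry, e.g. "C02C: Kx=ECDHE Enc=AES(256)  Mac=AEAD" (layout assumed)
ENTRY_RE = re.compile(r"^\s*([0-9A-Fa-f]{4}):\s+Kx=(\S+)\s+Enc=(\S+)\s+Mac=(\S+)")

def parse_available_suites(log_text):
    """Map code -> (Kx, Enc, Mac) for entries after the 'TLS: available cipher
    suites' header; stop at the first non-blank line that is not an entry."""
    suites, in_section = {}, False
    for line in log_text.splitlines():
        if not in_section:
            in_section = "TLS: available cipher suites" in line
            continue
        if not line.strip():
            continue
        m = ENTRY_RE.match(line)
        if m is None:
            break  # end of the list; ignore the rest of the debug trace
        code, kx, enc, mac = m.groups()
        suites[code.upper()] = (kx, enc, mac)
    return suites

def check_required(required_names, available):
    """Split names into (present, missing). An unknown name has no code and is
    reported missing, so a misspelled suite never counts as present."""
    present, missing = [], []
    for name in required_names:
        code = CIPHER_CODES.get(name)
        (present if code in available else missing).append(name)
    return present, missing

# Constructed DEBUG= -1 log excerpt (not a real capture): three of the six
# required suites appear, then an unrelated trace line ends the section.
SAMPLE_LOG = """\
TLS: available cipher suites
C02C: Kx=ECDHE Enc=AES(256)  Mac=AEAD
C02B: Kx=ECDHE Enc=AES(128)  Mac=AEAD
009C: Kx=RSA   Enc=AES(128)  Mac=AEAD
TLS: constructed trace line that ends the list
"""
```

Running `check_required(REQUIRED_WINDOWS_2016, parse_available_suites(SAMPLE_LOG))` on the constructed excerpt reports the three ECDHE_RSA and RSA-256 suites as missing, which is exactly the comparison the summary asks an administrator to make by hand.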

Additional Information

Cipher suite definitions and the corresponding 4-character identifiers are available at the following link (Table 2):

4-character cipher suite definitions for SSL V3, TLS V1.0, TLS V1.1, TLS V1.2, and TLS V1.3