XCOM LUW first PTF with default DH modulus as 1024 (dh_1024) in configssl.cnf

Article ID: 378927

Products

XCOM Data Transport, XCOM Data Transport - Linux PC, XCOM Data Transport - Windows

Issue/Introduction

What were the first PTFs for XCOM for Linux (11.6, 12.0), Unix (11.6), and Windows (11.6 and 12.0) in which the configssl.cnf file changed the default Diffie-Hellman (DH) modulus to 1024 (dh_1024), with dh_512 disabled?

Resolution

In summary, XCOM patches for "CVE-2022-0778 possible infinite loop" delivered the DH 1024 change.

XCOM for Windows
11.6 SP03: LU06617 (r116 SP03 22076 64bit)
12.0: The GA release already has the change.

a. The CAPKI version can be verified with the following 2 commands:
    "C:\Program Files\CA\XCOM\redistrib\etpki\setup.exe" discover
    type %temp%\capki_install.log

------------Starting Discovery-------------
CAPKI version currently installed is 5.2.9
CAPKI is currently installed in C:\Program Files\CA\SC\CAPKI
-------------Discovery Complete-----------

b. To check the underlying OpenSSL version, use the SysInternals Strings utility. If strings.exe is being used for the first time, it will prompt; run it without arguments to acknowledge the prompt, and then use the following command:
    <SysInternals path>\strings.exe "C:\Program Files\CA\SC\CAPKI\CAPKI5\Windows\amd64\64\lib\libcaopenssl_crypto.dll" | find '"EVP part of OpenSSL 1."'
    EVP part of OpenSSL 1.0.2ze-fips  3 May 2022


XCOM for Linux
11.6 SP01: LU06387 (r11.6 22066 SP01 64bit)
12.0 SP00: LU06290 (r12.0 22065 64bit)

a. The CAPKI version can be verified with the following command:
    cat /opt/CA/SharedComponents/CAPKI/CAPKI5/Linux/amd64/64/.installdb
    CurrentVersion 5.2.9
    CAXCOM 5.2.9

b. To check the underlying OpenSSL version, use the command:
    strings /opt/CA/SharedComponents/CAPKI/CAPKI5/Linux/amd64/64/lib/libcaopenssl_crypto.so|grep 'EVP part of OpenSSL 1.'
    EVP part of OpenSSL 1.0.2ze-fips  3 May 2022


XCOM for AIX
11.6 SP01: LU06421 (r11.6 22066 SP01 64bit).

a. The CAPKI version can be verified with the following command:
    cat /opt/CA/SharedComponents/CAPKI/CAPKI5/AIX/powerpc/xlc64/.installdb
    CurrentVersion 5.2.9
    CAXCOM 5.2.9

b. To check the underlying OpenSSL version, use the command:
    strings -a /opt/CA/SharedComponents/CAPKI/CAPKI5/AIX/powerpc/xlc64/lib/libcaopenssl_crypto.so | grep 'EVP part of OpenSSL 1.'
    EVP part of OpenSSL 1.0.2ze-fips  3 May 2022



XCOM for Solaris

1. SPARC: LU06545 (r11.6 SP01 22066 64bit)

a. The CAPKI version can be verified with the following command:
    cat /opt/CA/SharedComponents/CAPKI/CAPKI5/SunOS/sparc/64/.installdb
    CurrentVersion 5.2.9
    CAXCOM 5.2.9

b. To check the underlying OpenSSL version, use the command:
    strings /opt/CA/SharedComponents/CAPKI/CAPKI5/SunOS/sparc/64/lib/libcaopenssl_crypto.so|grep 'EVP part'
    EVP part of OpenSSL 1.0.2ze-fips  3 May 2022


2. x86: LU06464 (r11.6 SP01 22066 64bit)

a. The CAPKI version can be verified with the following command:
    cat /opt/CA/SharedComponents/CAPKI/CAPKI5/SunOS/amd64/64/.installdb
    CurrentVersion 5.2.9
    CAXCOM 5.2.9

b. To check the underlying OpenSSL version, use the command:
    strings /opt/CA/SharedComponents/CAPKI/CAPKI5/SunOS/amd64/64/lib/libcaopenssl_crypto.so|grep 'EVP part'
    EVP part of OpenSSL 1.0.2ze-fips  3 May 2022
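
The step b check on Linux, AIX and Solaris can be scripted across many hosts. The following is an added example, not part of the original article or of XCOM/CAPKI: it parses the banner and compares the OpenSSL 1.0.2 patch letter against the 1.0.2ze level shown above. The function names and the 1.0.2u sample banner are constructed for illustration, and the script assumes the patch letters run a to z, then za, zb, and so on.

```shell
#!/bin/sh
# Added example: is the CAPKI OpenSSL build at or above the level in this article?
BASELINE="1.0.2ze"   # taken from the article's sample output

# Read banner text on stdin, print the version token (e.g. 1.0.2ze).
openssl_version_from_banner() {
    sed -n 's/^.*EVP part of OpenSSL \([0-9][0-9.]*[a-z]*\).*$/\1/p' | head -n 1
}

# Rank a 1.0.2-style patch suffix: ""=0, a=1 ... z=26, za=27 ... ze=31.
# Assumption: the sequence continues a..z, then za, zb, and so on.
letter_rank() {
    awk -v s="$1" 'BEGIN {
        n = length(s)
        if (n == 0) { print 0; exit }
        print 26 * (n - 1) + index("abcdefghijklmnopqrstuvwxyz", substr(s, n, 1))
    }'
}

# 0: $1 is at or above $2; 1: $1 is older; 2: numeric branches differ.
version_at_least() {
    have_num=${1%%[a-z]*}; want_num=${2%%[a-z]*}
    [ "$have_num" = "$want_num" ] || return 2
    have_rank=$(letter_rank "${1#"$have_num"}")
    want_rank=$(letter_rank "${2#"$want_num"}")
    [ "$have_rank" -ge "$want_rank" ]
}

# Print a verdict for one banner; status 0 OK, 1 below, 2 other branch, 3 no banner.
check_banner() {
    found=$(printf '%s\n' "$1" | openssl_version_from_banner)
    [ -n "$found" ] || { echo "UNKNOWN: no OpenSSL banner found"; return 3; }
    rc=0; version_at_least "$found" "$BASELINE" || rc=$?
    case $rc in
        0) echo "OK: $found is at or above $BASELINE" ;;
        1) echo "BELOW: $found is older than $BASELINE"; return 1 ;;
        *) echo "OTHER BRANCH: $found is not a ${BASELINE%%[a-z]*} build"; return 2 ;;
    esac
}

# On a real host, pass in the step b output, for example on Linux:
#   lib=/opt/CA/SharedComponents/CAPKI/CAPKI5/Linux/amd64/64/lib/libcaopenssl_crypto.so
#   check_banner "$(strings "$lib" | grep 'EVP part of OpenSSL 1.')"
# Constructed sample banners so the script runs anywhere:
check_banner "EVP part of OpenSSL 1.0.2ze-fips  3 May 2022"
check_banner "EVP part of OpenSSL 1.0.2u-fips  20 Dec 2019" || true
```

A plain string comparison would rank 1.0.2u above 1.0.2ze, which is why the suffix is ranked by length first.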

Additional Information

The XCOM ping command can be used to check the fix level for all platforms.