Changing security protocol levels

Security administrators can change the security protocol level for either the SSL/TLS or the SSH protocol. The security level controls which encryption algorithms, ciphers, and protocol versions are permitted on the system.

Depending on your security requirements for your organization or geography, you can change the level for both SSL and SSH protocols.

The system supports OpenSSL and Java SSL ciphers to provide strong encryption for secure connections that use the SSL or TLS protocols. On new systems, the default SSL protocol level is 1 and the default SSH protocol level is 1; however, you can change the SSL protocol level at any time to resolve errors or to further restrict the protocol versions and ciphers that can be used for encryption.

The following table describes each SSL/TLS security level and the minimum protocol version it allows:

Table 1. Supported SSL/TLS security levels

Security level 1
  Description: Sets the system to disallow SSL version 3.0.
  Minimum security allowed: TLS 1.0

Security level 2
  Description: Sets the system to disallow SSL version 3.0, TLS version 1.0, and TLS version 1.1.
  Minimum security allowed: TLS 1.2

Security level 3
  Description: Sets the system to disallow SSL version 3.0, TLS version 1.0, and TLS version 1.1, and to allow only cipher suites that are exclusive to TLS version 1.2.
  Minimum security allowed: TLS 1.2

Security level 4
  Description: Sets the system to disallow SSL version 3.0, TLS version 1.0, and TLS version 1.1, and to allow only cipher suites that are exclusive to TLS version 1.2. Also sets the system to disallow RSA key exchange ciphers and RSA ciphers for SSH.
  Minimum security allowed: TLS 1.2

The following table describes the SSH security levels supported by the system:

Table 2. Supported SSH security levels
Security level 1
  Key exchange:
  • curve25519-sha256
  • curve25519-sha256@libssh.org
  • ecdh-sha2-nistp256
  • ecdh-sha2-nistp384
  • ecdh-sha2-nistp521
  • diffie-hellman-group-exchange-sha256
  • diffie-hellman-group16-sha512
  • diffie-hellman-group18-sha512
  • diffie-hellman-group14-sha256
  • diffie-hellman-group14-sha1
  • diffie-hellman-group1-sha1
  • diffie-hellman-group-exchange-sha1
  Cipher suite:
  • aes256-ctr
  • aes192-ctr
  • aes128-ctr
  • chacha20-poly1305@openssh.com
  • aes256-gcm@openssh.com
  • aes128-gcm@openssh.com
  • aes256-cbc
  • aes192-cbc
  • aes128-cbc
  MAC algorithm:
  • hmac-sha2-256
  • hmac-sha2-512
  • hmac-sha2-256-etm@openssh.com
  • hmac-sha2-512-etm@openssh.com
  • hmac-sha1

Security level 2
  Key exchange:
  • curve25519-sha256
  • curve25519-sha256@libssh.org
  • ecdh-sha2-nistp256
  • ecdh-sha2-nistp384
  • ecdh-sha2-nistp521
  • diffie-hellman-group-exchange-sha256
  • diffie-hellman-group16-sha512
  • diffie-hellman-group18-sha512
  • diffie-hellman-group14-sha256
  • diffie-hellman-group14-sha1
  Cipher suite:
  • aes256-ctr
  • aes192-ctr
  • aes128-ctr
  • chacha20-poly1305@openssh.com
  • aes256-gcm@openssh.com
  • aes128-gcm@openssh.com
  MAC algorithm:
  • hmac-sha2-256
  • hmac-sha2-512
  • hmac-sha2-256-etm@openssh.com
  • hmac-sha2-512-etm@openssh.com
  • hmac-sha1

When you change the SSL security protocol level, you must restart any service that uses SSL/TLS. All current sessions are ended to ensure that no session remains open under the old security level. It can take a few minutes for the service to become available again.

Using the command-line interface (CLI)

The chsecurity command allows you to set the ciphers and protocols that are allowed by secure interfaces, reducing the vulnerability to attack. However, changing the security level might break the connection to external systems such as web browsers and anything that is connected through CIM, such as VMware provisioning utilities or IBM® Spectrum Control software.

  1. To display your current system SSL, TLS, and SSH security settings, enter the following command:
    lssecurity
    The results show the current setting as shown in the following example:
    sslprotocol:1
    sshprotocol:1
    
    gui_timeout_mins 120
    cli_timeout_mins 60
    min_password_length 8
    password_special_chars 1
    password_upper_case 2
    password_lower_case 3
    password_digits 1
    check_password_history yes
    max_password_history 6
    min_password_age_days 1
    password_expiry_days 90
    expiry_warning_days 14
    lockout_period_mins 1
    max_failed_logins 3
    superuser_locking disabled
  2. To change SSL/TLS settings, enter chsecurity -sslprotocol security_level, where security_level is 1, 2, 3, or 4.
    Note: You might lose the connection to the management GUI when the security level is changed. If you lose the connection, use the CLI to decrease the security level to a lower setting.
  3. To change SSH settings, enter chsecurity -sshprotocol security_level, where security_level is 1 or 2.
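The following is an added audit script, not part of IBM's documentation or product: it parses the lssecurity output shown in step 1, reports the TLS floor from Table 1, lists the SHA-1, CBC and DH group1 algorithms that Table 2 still permits at the current SSH level, and shows exactly what chsecurity -sshprotocol 2 would remove. The sample output, the WEAK pattern and all function names are constructed for this example.

```python
import re

# Table 1: minimum TLS version each sslprotocol level enforces.
TLS_MIN = {1: "TLS 1.0", 2: "TLS 1.2", 3: "TLS 1.2", 4: "TLS 1.2"}

# Table 2, SSH level 1. Level 2 is this set minus SSH_LEVEL2_REMOVES.
SSH_LEVEL1 = {
    "kex": ["curve25519-sha256", "curve25519-sha256@libssh.org", "ecdh-sha2-nistp256",
            "ecdh-sha2-nistp384", "ecdh-sha2-nistp521", "diffie-hellman-group-exchange-sha256",
            "diffie-hellman-group16-sha512", "diffie-hellman-group18-sha512",
            "diffie-hellman-group14-sha256", "diffie-hellman-group14-sha1",
            "diffie-hellman-group1-sha1", "diffie-hellman-group-exchange-sha1"],
    "cipher": ["aes256-ctr", "aes192-ctr", "aes128-ctr", "chacha20-poly1305@openssh.com",
               "aes256-gcm@openssh.com", "aes128-gcm@openssh.com",
               "aes256-cbc", "aes192-cbc", "aes128-cbc"],
    "mac": ["hmac-sha2-256", "hmac-sha2-512", "hmac-sha2-256-etm@openssh.com",
            "hmac-sha2-512-etm@openssh.com", "hmac-sha1"],
}
SSH_LEVEL2_REMOVES = {"diffie-hellman-group1-sha1", "diffie-hellman-group-exchange-sha1",
                      "aes256-cbc", "aes192-cbc", "aes128-cbc"}
# Legacy classes a reviewer flags at any level: SHA-1 kex/MAC, CBC ciphers, DH group1 (constructed).
WEAK = re.compile(r"(-sha1$|-cbc$|group1-)")

def ssh_algorithms(level):
    """Algorithms permitted at sshprotocol `level` (1 or 2), keyed by kex/cipher/mac."""
    if level not in (1, 2):
        raise ValueError("sshprotocol must be 1 or 2")
    return {k: [a for a in v if level == 1 or a not in SSH_LEVEL2_REMOVES]
            for k, v in SSH_LEVEL1.items()}

def parse_lssecurity(output):
    """Pull sslprotocol/sshprotocol out of lssecurity output ('key:value' or 'key value')."""
    pairs = re.findall(r"^\s*(sslprotocol|sshprotocol)[:\s]+(\d+)", output, re.M)
    return {k: int(v) for k, v in pairs}

def audit(output):
    """TLS floor, legacy SSH algorithms still permitted, and what moving to SSH level 2 removes."""
    levels = parse_lssecurity(output)
    algs = ssh_algorithms(levels["sshprotocol"])
    flat = [a for lst in algs.values() for a in lst]
    return {"tls_minimum": TLS_MIN[levels["sslprotocol"]],
            "weak_ssh_still_allowed": sorted(a for a in flat if WEAK.search(a)),
            "raising_ssh_removes": sorted(a for a in flat if a in SSH_LEVEL2_REMOVES)}

# Constructed sample: the lssecurity output from step 1 (defaults on a new system).
SAMPLE = "sslprotocol:1\nsshprotocol:1\n\ngui_timeout_mins 120\ncli_timeout_mins 60\n"

if __name__ == "__main__":
    for key, value in audit(SAMPLE).items():
        print(f"{key}: {value}")
```

Note that even at SSH level 2 the table still permits diffie-hellman-group14-sha1 and hmac-sha1, which the audit reports so the residual exposure is visible before and after the change.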