12-14-2015
344,
99
Join Date: Feb 2015
Last Activity: 18 February 2020, 9:58 AM EST
Location: basement, Lubyanka, Moscow
Posts: 344
Thanks Given: 8
Thanked 99 Times in 88 Posts
Unfortunately nobody can understand what your security dept requires from you. As for me it seems that they even don't understand what they want. You have to speak with them and make clear:
1. There is no single point in a UNIX operating system, where you can enable or disable a cipher. Every application can implement its own cipher and you have no control over it.
2. There are at least 2 "cipher libraries" - IBM's GSKit and OpenSSL. OpenSSL can be IBM-compiled, Perzl-compiled, Michael Felt-compiled, Bull-compiled, and own-compiled. As far as I remember, Michael Felt also has LibreSSL for AIX, but he knows it better and he is sometimes here. This is the 3rd "cipher library", which can be used.
3. There are some places, even in AIX, which have nothing common with these libraries. E.g. password hashing is implemented using so called Loadable Password Algorithm (LPA) modules. AIX has modules for MD5, SHA1, SHA256, SHA512, Blowfish. If somebody requires some other module, they have to develop it on their own.
4. There is 3rd party software, which has their own cipher modules, and doesn't depend on libraries. The best example is OpenSSH. You can have IBM-compiled OpenSSH, or Michael's compiled OpenSSH. You can also have some other SSH-based servers and clients, e.g. Tectia SSH server. And you're right, when you speak about Java - it has its own SSL implementation.
Just to make it easy - you are not the only one, who receives such stupid requirements from people thinking they are "security professionals" and who've read yesterday for the first time in the lifes about POODLE or some other bug in OpenSSL. Your duty as a professional system administrator is to speak with them and make them clear that their requirements too inaccurate and cannot be implemented without additional information.