Considering the POODLE attack, I want to disable SSLv3 in my web app deployed on IBM WebSphere 6. There are a few concerns I can't address:
1. How to disable SSL and enable TLS in WAS 6.0 and 6.1?
2. When a client hits the URL of my application in a browser, and the browser supports SSL, the request will be initiated with SSL. Is there a possibility that the end user will get a handshake exception, as WAS 6 will have SSL disabled?
3. Is a change required in the application configuration, or will changing the web server properties help?
You don't need to change anything in your application.
There is already a fixpack provided for the latest WebSphere versions - check this page: Vulnerability in SSLv3 affects IBM WebSphere Application Server
For V6.1.0.0 through 6.1.0.47:
Apply Interim Fix PI28796: this will upgrade you to IBM Java SDK Version 5.0 Service Refresh 16 Fix Pack 7 + APAR IV66111 for the change to disable SSLv3 by default.
6.0 is so old that I don't remember if it even supports TLS. You will have to dig in the admin console somewhere in the SSL settings (the exact path might be different): Security > SSL > SSL_configuration_name, and change the protocol to TLS.
If you access WebSphere via a web server (Apache or IHS), then you need to disable SSLv3 on the web server instead of the application server. For details see Vulnerability in SSLv3 affects IBM HTTP Server
Add the following directive to the httpd.conf file to disable SSLv3 and SSLv2 for each context that contains "SSLEnable":
# Disable SSLv3 for CVE-2014-3566
# SSLv2 is disabled in V8R0 and later by default, and in typical V7
# and earlier configurations disabled implicitly when SSLv3 ciphers
# are configured with SSLCipherSpec.
SSLProtocolDisable SSLv3 SSLv2
Stop and restart IHS for the changes to take effect.
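The IBM note above says the directive has to be present in every context that contains SSLEnable, which is easy to miss on a server with several virtual hosts. The following audit script is an added example (not from the answer or from IBM) that parses an httpd.conf, tracks the global context and each VirtualHost block separately, and reports the SSL-enabled contexts that still lack an SSLProtocolDisable for SSLv3; the configuration text it runs on is constructed for the example.

```python
import re

# Constructed httpd.conf fragment for this example, modelled on the IHS
# snippet above; it is not taken from a real server.
SAMPLE_HTTPD_CONF = """
Listen 80
<VirtualHost *:443>
    SSLEnable
    SSLProtocolDisable SSLv3 SSLv2
    SSLCipherSpec TLS_RSA_WITH_AES_128_CBC_SHA
</VirtualHost>
<VirtualHost *:8443>
    SSLEnable
    # no SSLProtocolDisable here, so SSLv3 stays negotiable
</VirtualHost>
<VirtualHost *:8080>
    # plain HTTP context, no SSLEnable
</VirtualHost>
"""

DIRECTIVE = re.compile(r"^\s*(\w+)(?:\s+(.*?))?\s*$")
VHOST_OPEN = re.compile(r"^\s*<VirtualHost\s+([^>]+)>\s*$", re.I)
VHOST_CLOSE = re.compile(r"^\s*</VirtualHost>\s*$", re.I)

def audit_ssl_contexts(conf_text):
    """Map each SSL-enabled context to the set of protocols it disables.
    The server-level (global) context is reported as '_default_'."""
    current = "_default_"
    state = {current: {"ssl": False, "disabled": set()}}
    for line in conf_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue                      # blank line or comment
        m = VHOST_OPEN.match(line)
        if m:                             # enter a new VirtualHost context
            current = m.group(1).strip()
            state[current] = {"ssl": False, "disabled": set()}
            continue
        if VHOST_CLOSE.match(line):       # back to the global context
            current = "_default_"
            continue
        m = DIRECTIVE.match(line)
        if not m:
            continue
        name, args = m.group(1).lower(), (m.group(2) or "")
        if name == "sslenable":
            state[current]["ssl"] = True
        elif name == "sslprotocoldisable":
            state[current]["disabled"].update(p.upper() for p in args.split())
    return {ctx: s["disabled"] for ctx, s in state.items() if s["ssl"]}

def sslv3_exposed_contexts(conf_text):
    """Names of SSL-enabled contexts that do not disable SSLv3 (CVE-2014-3566)."""
    return sorted(ctx for ctx, disabled in audit_ssl_contexts(conf_text).items()
                  if "SSLV3" not in disabled)
```

Run `sslv3_exposed_contexts` over the real httpd.conf after applying the fix; an empty list means every SSLEnable context carries the directive.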
Related
I just received an email from Authorize.net informing me that they are deactivating connections to their server using TLS 1.0 and TLS 1.1.
Question: are GoDaddy SSL and Web Host set for TLS 1.2 connections, and is there anything I need to change to configure TLS 1.2 for my site?
How to check which TLS version my website uses?
How to check which TLS version my website uses?
Use the Qualys SSL Labs vulnerability tester to check which TLS version you are using: https://www.ssllabs.com/ssltest/
You may well see that you support several versions (this is the most common case).
Question: are GoDaddy SSL and Web Host set for TLS 1.2 connections, and is there anything I need to change to configure TLS 1.2 for my site?
You have nothing to do: web hosting services by GoDaddy already support TLS 1.2 connections (and TLS 1.0 and TLS 1.1; they no longer support SSL v3 or SSL v2, and that's a good thing).
I'm running a web application that communicates with various APIs. One API requires TLSv1.2, while another does not support anything that current (only TLSv1 or TLSv1.1).
Does WebSphere support multiple SSL versions?
I've found documentation about successfully changing the SSL version; however, I really need to be able to run TLSv1.1 and 1.2 together (if that's even possible), or run one version for one application and another for another application.
According to the documentation for setting up SSL in WebSphere, to support the use of TLS 1.0, 1.1 and 1.2, I need to enable SSL_TLSv2:
Question: WAS acts as SSL client; what if the remote SSL server supports only TLSv1.0 or TLSv1.1? Similarly, WAS acts as SSL server; what if the remote SSL client supports only TLSv1.0 or TLSv1.1 or TLSv1.2? What to do in order to work in such environments?
Answer: There is an alternative option, SSL_TLSv2, which will enable support for TLSv1.0, TLSv1.1, and TLSv1.2 in the environment. Please use the SSL_TLSv2 setting in environments where support for multiple TLS protocols is required, or if you are not sure whether your WAS environment interacts with other servers or clients using non-TLSv1.2 protocols; you can configure WAS to use SSL_TLSv2 using the same steps as given above.
Note:
Without the POODLE fix and with WAS configured to use SSL_TLSv2:
SSL_TLSv2 ==> Enables all SSL v3.0 and TLS v1.0, v1.1 and v1.2 protocols. Accepts an SSLv3 or TLSv1 hello encapsulated in an SSLv2 format hello.
If you installed the POODLE fix (which disables SSLv3) and configured WAS to use SSL_TLSv2:
SSL_TLSv2 ==> Enables these three TLS v1.0, v1.1 and v1.2 protocols.
So, changing the QoP settings to SSL_TLSv2 allows SSL handshakes with multiple TLS versions when required.
I am working on WebSphere clustering. Everything was working fine, but for SSL I accidentally changed the protocol from SSL_TLS to TLSv1.2.
I changed it here:
Security > SSL certificate and key management > SSL configuration > CellDefaultSettings > QoP > protocol
And now my administrator console is not opening.
Error in logs:
CWPKI0028E: SSL handshake protocol "SSLv2" is not valid. This protocol is specified in the SSL configuration alias "CellDefaultSSLSettings" loaded from SSL configuration file "security.xml".
The extended error message is: "no such algorithm: SSLv2 for provider IBMJSSE2".
I checked security.xml in the cell, but the value of the SSL protocol is still SSL_TLS.
Where do I need to revert the changes made in the console? The console is no longer opening.
First make sure that your browser supports TLSv1.2 and that it is enabled. If not, try to open the admin console from a different browser that supports TLSv1.2.
If you really need to disable admin security so that you can change the SSL settings back, here is a document:
http://www-01.ibm.com/support/docview.wss?uid=swg21405302
This is closely related to:
Using nxlog to ship logs in to logstash from Windows using om_ssl
Using SSL to ship from NXlog to Logstash
I have a working NXlog and Logstash configuration as described in the above links.
However, the TLS connection fails with the following exception in the Logstash log:
OpenSSL::SSL::SSLError: Client requested protocol SSLv3 not enabled or not supported
It seems that NXlog relies on SSLv3 instead of TLS 1.x for the SSL handshake. However, the former has been disabled in recent Java versions (as used by Logstash) due to the POODLE vulnerability.
So how can I disable SSLv3 on the client side and force NXlog to use TLS 1.2?
I have to answer this one myself (after getting help on the NXlog community forum).
TLS is only supported by nxlog-ce-2.9.1347 and later.
I am planning to disable the SSL protocol on my site and move to the TLS secure protocol. I will be making the configuration change in httpd. Does it require any changes to the server and client certificates or credentials which are already in place?
No, it doesn't. Only the supportedProtocols needs to change.