Hello Everyone,
Hope you all are doing well. Today I had a task to disable the SSLv3 and SSLv2 protocols on IBM HTTP Server (IHS). SSLv3 is enabled by default in the Apache-based IBM HTTP Server, and this exposes it to the vulnerability known as Padding Oracle On Downgraded Legacy Encryption (POODLE). Because of a design error in the SSLv3 protocol, IBM HTTP Server could allow a remote attacker to obtain sensitive information: a remote user with the ability to conduct a man-in-the-middle attack could exploit this vulnerability via a POODLE attack to decrypt SSL sessions and read the plain text of encrypted connections. This vulnerability affects all versions and releases of the IBM HTTP Server (IHS) component in all editions of WebSphere Application Server and bundling products.
Resolution:
To resolve this issue, IBM recommends disabling SSLv3.
Procedure:
Disabling SSLv3 is done differently on different web servers, and the options available can be confusing. Here we are disabling SSLv3 on IBM HTTP Server, so we follow the procedure for disabling the SSLv3 protocol on IHS.
1. First you need to find the file that holds your SSL configuration. In most environments it is httpd.conf, but if you are using a different file you can locate it with the command below.
grep -i -r "SSLEnable" /opt/IBM/HTTPServer/
/opt/IBM/HTTPServer/ is the web server home directory; adjust the path to match your installation.
2. Take a backup of the configuration file, e.g. httpd.conf.
3. Edit the configuration file and add the line below after the SSLEnable directive:
SSLProtocolDisable SSLv3 SSLv2
The stanza in the configuration file will then look like this:
<VirtualHost *:${HTTPD_PORT}>
SSLEnable
SSLProtocolDisable SSLv3 SSLv2
#SSLAttributeSet 471 1
#SSLClientAuth required
</VirtualHost>
4. Restart the IBM HTTP Server.
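Before restarting, it is worth checking that every SSL-enabled VirtualHost in the file actually carries the SSLProtocolDisable directive, since a single stanza that was missed (or a directive left commented out) keeps SSLv3 open on that port. The script below is an added example, not code from the original post or from IBM: it reads an httpd.conf-style file, walks each VirtualHost block, and reports the blocks that have SSLEnable but do not disable both SSLv3 and SSLv2. It assumes Apache-style syntax (directive names are case-insensitive, a line beginning with # is a comment) and uses a constructed sample configuration in place of a real httpd.conf.

```python
"""Audit an IBM HTTP Server (IHS) configuration for VirtualHost blocks that
enable SSL without disabling SSLv3 and SSLv2.

Added example, not part of the original post. The sample configuration is
constructed; directive handling assumes Apache-style syntax (case-insensitive
directive names, '#' at the start of a line introduces a comment)."""
import re
from typing import Dict, List

# Both protocols must appear in SSLProtocolDisable for a stanza to pass.
REQUIRED_DISABLED = {"SSLV3", "SSLV2"}

# Constructed sample: the first vhost is hardened, the second still accepts
# SSLv3/SSLv2 because its SSLProtocolDisable line is commented out, and the
# third is plain HTTP and therefore out of scope.
SAMPLE_CONF = """\
Listen 443
<VirtualHost *:443>
SSLEnable
SSLProtocolDisable SSLv3 SSLv2
#SSLAttributeSet 471 1
</VirtualHost>
<VirtualHost *:8443>
  sslenable
  # SSLProtocolDisable SSLv3 SSLv2
</VirtualHost>
<VirtualHost *:80>
</VirtualHost>
"""

VHOST_OPEN = re.compile(r"^<VirtualHost\s+([^>]+)>$", re.IGNORECASE)
VHOST_CLOSE = re.compile(r"^</VirtualHost>$", re.IGNORECASE)


def parse_vhosts(conf_text: str) -> Dict[str, Dict[str, List[str]]]:
    """Return {vhost_address: {DIRECTIVE: [args...]}} for every VirtualHost.

    Directives outside any block are stored under the key '_global_'.
    Names and arguments are upper-cased so comparisons are case-insensitive.
    """
    scopes: Dict[str, Dict[str, List[str]]] = {"_global_": {}}
    current = "_global_"
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # blank line or comment
            continue
        opened = VHOST_OPEN.match(line)
        if opened:
            current = opened.group(1).strip()
            scopes.setdefault(current, {})
            continue
        if VHOST_CLOSE.match(line):
            current = "_global_"
            continue
        parts = line.split()
        name = parts[0].upper()
        # Extend rather than overwrite so repeated SSLProtocolDisable lines merge.
        scopes[current].setdefault(name, []).extend(a.upper() for a in parts[1:])
    return scopes


def find_weak_vhosts(conf_text: str) -> List[str]:
    """List the scopes that enable SSL but do not disable both SSLv3 and SSLv2."""
    weak = []
    for scope, directives in parse_vhosts(conf_text).items():
        if "SSLENABLE" not in directives:
            continue  # not an SSL endpoint, nothing to check
        disabled = set(directives.get("SSLPROTOCOLDISABLE", []))
        if not REQUIRED_DISABLED <= disabled:
            weak.append(scope)
    return weak


if __name__ == "__main__":
    # To audit a real file: find_weak_vhosts(open("/path/to/httpd.conf").read())
    for scope in find_weak_vhosts(SAMPLE_CONF):
        print(f"{scope}: SSLEnable present but SSLv3/SSLv2 not disabled")
```

Run against the sample it reports only the *:8443 stanza. This is a static check of the file on disk; it does not replace confirming, after the restart, that the running server refuses SSLv3 handshakes.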
Hope this will help you. Kindly comment with your suggestions and queries.
"Effort only fully releases its reward after a person refuses to quit."
Regards,
Akhilesh B. Humbe