Remember to secure your IBM HTTP Server when implementing IBM Connections

In Security Now! episode 396, starting at 12:22 (to 25:25), Steve and Leo were talking about various SSL attacks and how one could verify sites. I decided to check out one of my own stock IBM Connections installs, that is, I verified the stock IBM HTTP Server (IHS) install. That was not a pleasant experience, as the default IBM HTTP Server is very insecure: it accepts SSLv2 and hence some very weak ciphers. Using SSLLabs.com and their SSL Server Test it is very easy to test an SSL site.

Below are the results from a standard IHS install using a commercial SSL certificate. A grade of F isn’t nice.

After reading a bit on mod_ssl (the SSL module in Apache / IHS) I added the below lines to the mod_ssl section in the httpd.conf file.

## SSLv3 128 bit Ciphers
SSLCipherSpec SSL_RSA_WITH_RC4_128_MD5
SSLCipherSpec SSL_RSA_WITH_RC4_128_SHA

## FIPS approved SSLV3 and TLSv1 128 bit AES Cipher
SSLCipherSpec TLS_RSA_WITH_AES_128_CBC_SHA

## FIPS approved SSLV3 and TLSv1 256 bit AES Cipher
SSLCipherSpec TLS_RSA_WITH_AES_256_CBC_SHA

Now I’m not an SSL wizard by any means, so I suggest you do your own research as well, but when I restarted the IHS I got a rating of A. BAM!! How’s them apples!?
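A quick way to check a fragment like the one above before restarting IHS, as an added example that is not part of the original post: the script below parses SSLCipherSpec lines from an httpd.conf fragment (the post's own lines, embedded as constructed sample input), flags cipher names that are weak by current standards (RC4, MD5, export-grade, NULL), and checks whether IHS's SSLProtocolDisable directive has been used to turn off SSLv2 and SSLv3. The marker list and the "weak" judgement are this example's assumptions, not anything from the post.

```python
import re

# Constructed sample input: the httpd.conf lines from the post.
SAMPLE_CONF = """\
## SSLv3 128 bit Ciphers
SSLCipherSpec SSL_RSA_WITH_RC4_128_MD5
SSLCipherSpec SSL_RSA_WITH_RC4_128_SHA

## FIPS approved SSLV3 and TLSv1 128 bit AES Cipher
SSLCipherSpec TLS_RSA_WITH_AES_128_CBC_SHA

## FIPS approved SSLV3 and TLSv1 256 bit AES Cipher
SSLCipherSpec TLS_RSA_WITH_AES_256_CBC_SHA
"""

# Substrings of an IHS/GSKit cipher name that mark a suite as weak by
# current standards (assumption for this example): RC4 (prohibited by
# RFC 7465), MD5 as the MAC, export-grade key sizes, NULL encryption.
WEAK_MARKERS = ("RC4", "MD5", "EXPORT", "NULL")

_DIRECTIVE = re.compile(r"^\s*(\w+)\s+(.*?)\s*$")

def directives(conf: str, name: str) -> list[list[str]]:
    """Argument lists of every occurrence of an httpd.conf directive.
    Comment lines start with '#', so they never match \\w+ and are skipped;
    directive names are case-insensitive, as in Apache."""
    found = []
    for line in conf.splitlines():
        m = _DIRECTIVE.match(line)
        if m and m.group(1).lower() == name.lower():
            found.append(m.group(2).split())
    return found

def parse_cipher_specs(conf: str) -> list[str]:
    """Cipher names enabled by SSLCipherSpec lines, in configured order."""
    return [arg for args in directives(conf, "SSLCipherSpec") for arg in args]

def weak_cipher_specs(conf: str) -> list[str]:
    """The enabled ciphers whose name carries a weak-suite marker."""
    return [c for c in parse_cipher_specs(conf)
            if any(m in c.upper() for m in WEAK_MARKERS)]

def protocol_disabled(conf: str, proto: str) -> bool:
    """True if some SSLProtocolDisable line names the protocol (e.g. SSLv2)."""
    return any(proto.lower() in (a.lower() for a in args)
               for args in directives(conf, "SSLProtocolDisable"))

def report(conf: str) -> list[str]:
    """One finding per line; an empty list means nothing was flagged."""
    findings = [f"weak cipher enabled: {c}" for c in weak_cipher_specs(conf)]
    for proto in ("SSLv2", "SSLv3"):
        if not protocol_disabled(conf, proto):
            findings.append(f"{proto} not disabled: add 'SSLProtocolDisable {proto}'")
    return findings

if __name__ == "__main__":
    for line in report(SAMPLE_CONF):
        print(line)
```

Run against the post's fragment it flags the two RC4 suites and the missing protocol directive, which is the kind of gap an SSL Labs scan would also report.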

How secure is the SSL stack for your IBM Connections environment?

Published by lekkim

