IBM recently published a security bulletin about an SSLv3 vulnerability called the Padding Oracle On Downgraded Legacy Encryption (POODLE) attack. This vulnerability could give a remote attacker plaintext access to what would otherwise be an encrypted SSL session.
SSLv3 is enabled by default on the IBM HTTP Server, so we recommend disabling SSL and using TLS exclusively for https. With the exception of IE6 on Windows XP, most of today’s browsers connect using TLSv1 by default. SSLv3 is really only in place for older browsers and compatibility but because it’s now vulnerable, IBM recommends switching that protocol off.
You can disable SSLv3 in the IBM HTTP Server via the system value QSSLPCL:
Run this command on the command line:
CHGSYSVAL SYSVAL(QSSLPCL) VALUE(‘*TLSV1 *TLSV1.1 *TLSV1.2′)
This will disable SSLv2 and SSLv3 for the entire IBM i and push all SSL traffic to use TLS instead. For example, if you have Telnet SSL enabled, you won’t be able to access it with SSLv3 anymore.
Alternately, you can disable SSLv2 and SSLv3 via the Digital Certificate Manager:
- Go into the Digital Certificate Manager
- Head to the *SYSTEM store
- Select “Manage Applications”
- Select “Update application definition”
- Find your application and click on “Update application”
- You can then disable SSLv2 and SSLv3
- You’ll need to restart your Apache instance for the setting to apply.
Afterward, you can use openssl to test your site to see if it’s still accepting SSLv2 or SSLv3:
Run the following command:
openssl s_client -connect www.yoursite.com:443 -ssl3
You should receive a similar rejection for SSLv3:
CONNECTED(00000003)
1102:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:
/SourceCache/OpenSSL098/OpenSSL098-52/src/ssl/s3_pkt.c:290:
And for SSLv2:
$ openssl s_client -connect www.yoursite.com:443 -ssl2
CONNECTED(00000003)
1108:error:1406D0CB:SSL routines:GET_SERVER_HELLO:peer error no cipher:
/SourceCache/OpenSSL098/OpenSSL098-52/src/ssl/s2_pkt.c:674:
1108:error:1407F0E5:SSL routines:SSL2_WRITE:ssl handshake failure:
/SourceCache/OpenSSL098/OpenSSL098-52/src/ssl/s2_pkt.c:427:
Posted by Paul on 19th November 2014.