Help needed to close the VA point - Weak SSL Cipher and TLS version in Connections 6.5 ( IBM HTTP Server )

We have the IBM HTTP Server installed on the Linux OS and received the two VA security points below to close.

1. Weak SSL Ciphers to be completely removed on the IBM HTTP server.
2. Enable TLS1.2 and disable all SSL and TLS protocols in the IBM HTTP server.

IHS - IBM HTTP Server 8.5.5.10
OS - RHEL 7.8
Connections - 6.5


I have already added the parameters below to the httpd.conf, but the points are still appearing as open in the ./apachectl -DDUMP_SSL_CONFIG output, as shown below.

SSLProtocolEnable TLSv12
SSLProtocolDisable SSLv2 SSLv3 TLSv10 TLSv11
SSLCipherSpec TLSv12 TLS_RSA_WITH_AES_256_CBC_SHA256

Link:
https://www.ibm.com/mysupport/s/question/0D50z00006PDE4r/how-do-i-enable-only-tls-v12-and-disable-all-other-protocols-in-ibm-http-server-85?language=es

[root@myserver.com]# ./apachectl -DDUMP_SSL_CONFIG
SSL configuration:
Default server
Server name: myserver.com:80
SSL enabled: NO

SSL server defined at: /opt/IBM/HTTPServer/conf/httpd.conf:959
Server name: myserver.com:0
SSL enabled: YES
FIPS enabled: 0
Keyfile: /opt/IBM/HTTPServer/myserver.com.kdb
Protocols enabled: TLSv10,TLSv11,TLSv12
Ciphers for SSLV2: (protocol disabled)
Ciphers for SSLV3: (protocol disabled)
Ciphers for TLSv10: (defaults) TLS_RSA_WITH_AES_128_CBC_SHA(2F),TLS_RSA_WITH_AES_256_CBC_SHA(35b),SSL_RSA_WITH_3DES_EDE_CBC_SHA(3A)
Ciphers for TLSv11: (defaults) TLS_RSA_WITH_AES_128_CBC_SHA(2F),TLS_RSA_WITH_AES_256_CBC_SHA(35b),SSL_RSA_WITH_3DES_EDE_CBC_SHA(3A)
Ciphers for TLSv12: (defaults) TLS_RSA_WITH_AES_128_GCM_SHA256(9C),TLS_RSA_WITH_AES_256_GCM_SHA384(9D),TLS_RSA_WITH_AES_128_CBC_SHA256(3C),TLS_RSA_WITH_AES_256_CBC_SHA256(3D),TLS_RSA_WITH_AES_128_CBC_SHA(2F),TLS_RSA_WITH_AES_256_CBC_SHA(35b),SSL_RSA_WITH_3DES_EDE_CBC_SHA(3A)

Syntax OK
[root@myserver]#

Please do help. Thanks in advance.
Regards,
Elango

Hi Elango ,

As I can see you are running IBM HTTP Server 8.5.5.10, I would suggest first upgrading IHS & WAS to the product minimum support requirement, as suggested in the product support documentation. Please find below the link to the Connections 6.5 system requirements.

https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0073758&sys_kb_id=2010cc82db30acd0a45ad9fcd3961971

Web Servers

Web Server        Version   Prerequisite Minimum   Product Minimum
IBM HTTP Server   8.5.5     8.5.5.16               6.0 CR6

Application Server                                Version   Prerequisite Minimum   Product Minimum
WebSphere Application Server Network Deployment   8.5.5     8.5.5.14               6.0 CR3
WebSphere Application Server Network Deployment   8.5.5     8.5.5.15 (1)           6.0 CR5
WebSphere Application Server Network Deployment   8.5.5     8.5.5.16               6.0 CR6

Thanks & Regards

@Shrishti Raj Singh Thanks for your response. We would be updating to the latest version; however, do you have an idea whether these VA points would be closed by updating to the latest version, or whether we need to add the solution parameters manually?

Hello Elango,

You can configure HCL Connections™ to force all traffic that passes between a Connections server and a user's web browser to be sent over TLS 1.2 to avoid security vulnerabilities in TLS 1.1 and earlier versions of SSL.

You can follow the below document

https://help.hcltechsw.com/connections/v65/admin/secure/t_admin_common_forcing_tls.html

Thank you.

Regards

Shrikant J

@Shrikant Jamkhandi Thanks for your response. Can you please help me in closing the weak ciphers in the IHS and WebSphere in the Connections environment?

Thank you in advance.

Hello Elango,

Please check the below documents on IBM HTTP server SSL Ciphers.

Security scan incorrectly reports that the IBM HTTP Server supports weak ciphers

https://www.ibm.com/support/pages/security-scan-incorrectly-reports-ibm-http-server-supports-weak-ciphers

SSL cipher specifications

https://www.ibm.com/support/knowledgecenter/SSEQTJ_8.5.5/com.ibm.websphere.ihs.doc/ihs/rihs_ciphspec.html

Thank you.

Regards

Shrikant J

Hi Elango,

In my httpd.conf file I don't have the 'SSLProtocolEnable TLSv12' line, I only have the 'SSLProtocolDisable SSLv2 SSLv3 TLSv10 TLSv11' line. When I run the './apachectl -DDUMP_SSL_CONFIG' command, the output shows that only TLSv12 is enabled, as expected.

I suggest that you try removing the 'SSLProtocolEnable TLSv12' line from your httpd.conf file, restart the IHS server and then run the apachectl command again to see if that makes a difference.


Tony Dezanet
HCL Connections Support
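An offline checker for the two VA points in this thread, added here as an example; it is not part of the thread and not IBM or HCL tooling. It parses the `apachectl -DDUMP_SSL_CONFIG` output (the sample is trimmed from the dump in the question) and a pair of constructed httpd.conf fragments, and reports what a scanner would flag: any protocol other than TLSv12 still enabled, and weak suites on the protocols that remain. Two things are this example's assumptions rather than facts from the thread: the "weak cipher" policy (3DES, RC4, single DES, NULL, EXPORT, MD5, and AES-CBC with a SHA-1 MAC), and the rule that SSLProtocolDisable, SSLProtocolEnable and SSLCipherSpec must sit inside the `<VirtualHost>` stanza that carries SSLEnable rather than in the global section, which is where the question's directives appear to be relative to the `httpd.conf:959` virtual host in the dump.

```python
import re

# Policy assumed by this example: only TLS 1.2 stays enabled; suites using 3DES,
# RC4, single DES, NULL, EXPORT, MD5 or AES-CBC with a SHA-1 MAC count as weak.
ALLOWED_PROTOCOLS = {"TLSv12"}
WEAK_MARKERS = ("3DES", "RC4", "_DES_", "NULL", "EXPORT", "MD5")
REQUIRED = {"sslprotocoldisable": "SSLProtocolDisable", "sslcipherspec": "SSLCipherSpec"}
VHOST_ONLY = set(REQUIRED) | {"sslprotocolenable", "sslenable"}

# Constructed sample, trimmed from the dump posted in the question.
SAMPLE_DUMP = """\
SSL server defined at: /opt/IBM/HTTPServer/conf/httpd.conf:959
Server name: myserver.com:0
SSL enabled: YES
Protocols enabled: TLSv10,TLSv11,TLSv12
Ciphers for SSLV3: (protocol disabled)
Ciphers for TLSv10: (defaults) TLS_RSA_WITH_AES_128_CBC_SHA(2F),TLS_RSA_WITH_AES_256_CBC_SHA(35b),SSL_RSA_WITH_3DES_EDE_CBC_SHA(3A)
Ciphers for TLSv12: (defaults) TLS_RSA_WITH_AES_128_GCM_SHA256(9C),TLS_RSA_WITH_AES_256_GCM_SHA384(9D),TLS_RSA_WITH_AES_128_CBC_SHA256(3C),TLS_RSA_WITH_AES_256_CBC_SHA(2F),SSL_RSA_WITH_3DES_EDE_CBC_SHA(3A)
"""

# Constructed httpd.conf fragments: the hardening lines in the global section, as
# in the question, versus the same lines inside the SSL <VirtualHost>.
WEAK_CONF = """\
SSLProtocolEnable TLSv12
SSLProtocolDisable SSLv2 SSLv3 TLSv10 TLSv11
SSLCipherSpec TLSv12 TLS_RSA_WITH_AES_256_CBC_SHA256
<VirtualHost *:443>
    SSLEnable
</VirtualHost>
"""
HARDENED_CONF = """\
<VirtualHost *:443>
    SSLEnable
    KeyFile /opt/IBM/HTTPServer/myserver.com.kdb
    SSLProtocolDisable SSLv2 SSLv3 TLSv10 TLSv11
    SSLCipherSpec TLSv12 TLS_RSA_WITH_AES_128_GCM_SHA256
</VirtualHost>
"""

def is_weak_cipher(name):
    return any(m in name for m in WEAK_MARKERS) or name.endswith("_CBC_SHA")

def parse_dump(text):
    """Split `apachectl -DDUMP_SSL_CONFIG` output into one dict per server block."""
    servers, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Default server" or line.startswith("SSL server defined at:"):
            cur = {"name": "", "enabled": False, "protocols": [], "ciphers": {}}
            servers.append(cur)
        elif cur is None:
            continue
        elif line.startswith("Server name:"):
            cur["name"] = line.split(":", 1)[1].strip()
        elif line.startswith("SSL enabled:"):
            cur["enabled"] = line.split(":", 1)[1].strip() == "YES"
        elif line.startswith("Protocols enabled:"):
            cur["protocols"] = [p for p in line.split(":", 1)[1].strip().split(",") if p]
        elif line.startswith("Ciphers for "):
            proto, rest = line[len("Ciphers for "):].split(":", 1)
            # suites appear as NAME(hexid); "(protocol disabled)" yields an empty list
            cur["ciphers"][proto] = re.findall(r"([A-Z0-9_]+)\([0-9A-Fa-f]+\)", rest)
    return servers

def dump_findings(text):
    """Non-allowed protocols and weak suites for every SSL-enabled server in the dump."""
    out = []
    for s in parse_dump(text):
        if not s["enabled"]:
            continue
        out += [f"{s['name']}: protocol {p} enabled"
                for p in s["protocols"] if p not in ALLOWED_PROTOCOLS]
        for proto, names in s["ciphers"].items():
            if proto in s["protocols"]:  # suites of a disabled protocol cannot be negotiated
                out += [f"{s['name']}: weak cipher {c} on {proto}"
                        for c in names if is_weak_cipher(c)]
    return out

def conf_findings(conf):
    """Assumes IHS scopes these SSL* directives to <VirtualHost>, so global copies do not apply."""
    out, vhosts, cur = [], {}, None
    for n, raw in enumerate(conf.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key = line.split()[0].lower()
        if key.startswith("<virtualhost"):
            cur = line
            vhosts[cur] = {"line": n, "seen": set()}
        elif key == "</virtualhost>":
            cur = None
        elif key in VHOST_ONLY and cur is None:
            out.append(f"line {n}: {line.split()[0]} is outside any <VirtualHost>")
        elif key in VHOST_ONLY:
            vhosts[cur]["seen"].add(key)
    for name, v in vhosts.items():
        if "sslenable" in v["seen"]:
            out += [f"{name} (line {v['line']}): SSLEnable without {shown}"
                    for k, shown in REQUIRED.items() if k not in v["seen"]]
    return out
```

Against the sample dump the checker reports TLSv10 and TLSv11 as still enabled plus the SHA-1 CBC and 3DES suites on the live protocols, and against WEAK_CONF it reports all three hardening lines as sitting outside the virtual host; HARDENED_CONF yields nothing. To use it for real, feed it the output of your own `apachectl -DDUMP_SSL_CONFIG` run after restarting IHS, then confirm from outside with the scanner itself, since the dump describes configuration rather than what a client can actually negotiate.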