IBM recently published a security bulletin about an SSLv3 vulnerability called the Padding Oracle On Downgraded Legacy Encryption (POODLE) attack. This vulnerability could give a remote attacker plaintext access to what would otherwise be an encrypted SSL session.
SSLv3 is enabled by default on the IBM HTTP Server, so we recommend disabling SSL and using TLS exclusively for https. With the exception of IE6 on Windows XP, most of today’s browsers connect using TLSv1 by default. SSLv3 is really only in place for older browsers and compatibility but because it’s now vulnerable, IBM recommends switching that protocol off.
You can disable SSLv3 in the IBM HTTP Server via the system value QSSLPCL:
- Run this command on the command line:
CHGSYSVAL SYSVAL(QSSLPCL) VALUE(‘*TLSV1 *TLSV1.1 *TLSV1.2′)
This will disable SSLv2 and SSLv3 for the entire IBM i and push all SSL traffic to use TLS instead. For example, if you have Telnet SSL enabled, you won’t be able to access it with SSLv3 anymore.
You’ll have to restart Apache for the change to take place.
Alternately, you can disable SSLv2 and SSLv3 via the Digital Certificate Manager:
- Go into the Digital Certificate Manager.
- Head to the *SYSTEM store.
- Select “Manage Applications”.
- Select “Update application definition”.
- Find your application and click on “Update application”.
- You can then disable SSLv2 and SSLv3.
- You’ll need to restart your Apache instance for the setting to apply
Afterward, you can use OpenSSL to test your site to see if it’s still accepting SSLv2 or SSLv3. You can run OpenSSL (a licensed program) from QSH on the IBM i:
Run the following command:
openssl s_client -connect www.yoursite.com:443 -ssl3
You should receive a similar rejection for SSLv3:
1102:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:
And for SSLv2:
$ openssl s_client -connect www.yoursite.com:443 -ssl2
1108:error:1406D0CB:SSL routines:GET_SERVER_HELLO:peer error no cipher:
1108:error:1407F0E5:SSL routines:SSL2_WRITE:ssl handshake failure: