Information Technology

Wednesday, June 18, 2014

What is Heartbleed ?

The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).

Reference URL's :-
http://heartbleed.com/
https://filippo.io/Heartbleed/
http://pastebin.com/WmxzjkXJ

Heartbleed Bug: Assessment Guide by CISCO

Saturday, July 2, 2011

Disable sslv2 and weak ciphers for IHS 6

The methods for disabling specific SSL cipher suites vary based on the web server and the underlying operating systems. Microsoft Internet Information Services (IIS):- by editing windows registry, and Apache 2 - by using mod_ssl directives.

When an SSL connection is established, the client (Web browser) and the Web server negotiate the cipher to use for the connection. The Web server has an ordered list of ciphers, and the first cipher in that list which is supported by the client will be selected.

Threat:

The Secure Socket Layer (SSL) protocol allows for secure communication between a client and a server. SSL encryption ciphers are classified based on encryption key length as follows:

HIGH - key length larger than 128 bits

MEDIUM - key length equal to 128 bits

LOW - key length smaller than 128 bits

Messages encrypted with LOW encryption ciphers are easy to decrypt.

Commercial SSL servers should only support MEDIUM or HIGH strength ciphers to guarantee transaction security.

Solution: Disable support for LOW encryption ciphers.
Apache Typically, for Apache/mod_ssl, httpd.conf or ssl.conf should have the following lines:
SSLProtocol -ALL +SSLv3 +TLSv1
SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM

Solution: Change the list of ciphers supported, and add SSLProtocoLDisable SSLv2.

The following configuration directs the server to prefer strong 128-bit RC4 ciphers first and will provide a significant performance improvement over the default configuration.

This configuration does not support the weaker 40-bit, 56-bit, or NULL/Plaintext ciphers that security scanners might complain about.

The order of the SSLCipherSpec directives dictates the priority of the ciphers, so we order them in a way that will cause IBM HTTP Server to prefer less CPU intensive ciphers.

we can verify the same with the ssldigger utility.

download link - http://www.mcafee.com/us/downloads/free-tools/ssldigger.aspx

Refere the sample httpd.conf (Tested with IHS-6.1)

---Sample httpd.conf-----congigurations starts----
LoadModule ibm_ssl_module modules/mod_ibm_ssl.so
Listen 443

<VirtualHost YourServer:443>
ServerName YourServer
DocumentRoot "D:\IBM\HTTPServer\htdocs\en_US"
SSLEnable
Keyfile "D:\IBM\HTTPServer\ssl\temp\test_cert.kdb"
SSLV2Timeout 100
SSLV3Timeout 1000

## SSLv3 128 bit Ciphers
SSLCipherSpec SSL_RSA_WITH_RC4_128_MD5
SSLCipherSpec SSL_RSA_WITH_RC4_128_SHA

## FIPS approved SSLV3 and TLSv1 128 bit AES Cipher
SSLCipherSpec TLS_RSA_WITH_AES_128_CBC_SHA

## FIPS approved SSLV3 and TLSv1 256 bit AES Cipher
SSLCipherSpec TLS_RSA_WITH_AES_256_CBC_SHA

## Triple DES 168 bit Ciphers
## These can still be used, but only if the client does
## not support any of the ciphers listed above.
SSLCipherSpec SSL_RSA_WITH_3DES_EDE_CBC_SHA

## The following block enables SSLv2. Excluding it in the
## presence of the SSLv3 configuration above disables
## SSLv2 support.

## SSLv2 128 bit Ciphers
SSLCipherSpec SSL_RC4_128_WITH_MD5
SSLCipherSpec SSL_RC4_128_WITH_SHA

## SSLv2 168 bit 3DES cipher
## These can still be used, but only if the client does
## not support any of the ciphers listed above.
SSLCipherSpec SSL_DES_192_EDE3_CBC_WITH_MD5
</VirtualHost>
SSLDisable

---httpd.conf-----congigurations ends----

once the httpd configurations are doen same can be tested by using tool THCSSLCheck.exe
pls find the attached Result files for before the configurations and after the remediations for ihs 6.1

The httpd.conf file is configured correctly with the strong ciphers and weak SSLv2 ciphers are disabled:
The below config will disable SSLv2 ciphers
<VirtualHost *:443>
SSLEnable

## Set strong ciphers
SSLCipherSpec 3A
SSLCipherSpec 34
SSLCipherSpec 35

</VirtualHost>
Attached is the Result file after enabling the strong ciphers as mentioned above

THCSSLCheck v0.1Sample logs for IBM IHS 6 for default configurations
THCSSLCheck v0.1Sample logs for IBM IHS 6 after securing web server
THCSSLCheck v0.1Sample logs for IBM IHS 6 after securing web server as per the config mentioned above

Wednesday, May 18, 2011

IHS SSL Configurations 6.1

IHS SSL Configurations 6.1 using IBM Key Management Utility

Start Key Management Utility
Create New key database along with password protections as shown in below screens

4 files will be created

1) test_cert.kdb
2) test_cert.crl
3) test_cert.rdb
4) test_cert.sth

Now Create / generate a Certificate Request

Select Personal Certificate Request and Click New Request and get the Certificate from Authorized CA and Complete the Server Certificate Request using ikeyman utility.

Step:-1) Personal Certificate Request ( Create CSR )
Step:-2) Signer Certificates ( Get CSR signed by Authorized CA and import Root CA)
Step:-3) Personal Certificates ( Import the Certificate received from CA )

imp note:-> All the signer Certificates must exists in the Key Database before completing the Certificate Request.

httpd modifications

#Enable or Load below module
LoadModule ibm_ssl_module modules/mod_ibm_ssl.so

Listen 443

ServerName mytestserver.com
DocumentRoot "D:\IBM\HTTPServer\htdocs\en_US"
SSLEnable
Keyfile "D:\IBM\HTTPServer\ssl\temp\test_cert.kdb"
SSLV2Timeout 100
SSLV3Timeout 1000

SSLDisable

Restart Http Services and Check https://mytestserver.com/

Pages