Log in to the IBM admin console
1. Go to Security > SSL certificate and key management > SSL configurations
2. The collection of all SSL configurations is listed. For each SSL configuration in the list, the SSL protocol needs to be changed to TLS.
3. Select an SSL Configuration then click Quality of protection (QoP) settings under Additional Properties on the right.
4. On the Quality of protection (QoP) settings panel, select TLS from the pull-down list in the box labeled Protocol.
5. Apply/Save.
6. Restart the application server.
NOTE: The Protocol value SSL_TLS does not disable SSLv3. With that value the server supports SSLv3, TLS 1.0, TLS 1.1 and TLS 1.2. So select TLS, TLSv1, TLSv1.1 or TLSv1.2 only.
How to check if SSLv3 is disabled:
1. Install OpenSSL on a Windows machine (http://gnuwin32.sourceforge.net/packages/openssl.htm)
2. In a command prompt, run the command below:
openssl s_client -connect <machine_name>:<ssl_port> -ssl3
3. If SSLv3 is disabled, you will see an error like the one below:
Loading 'screen' into random state - done
CONNECTED(00000170)
7468:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:./ssl/s3_pkt.c:530:
4. If SSLv3 is enabled and you run the same command, you will see output like the one below:
Loading 'screen' into random state - done
CONNECTED(00000170)
Server certificate
-----BEGIN CERTIFICATE-----
DKFLDSJFSDKLJFSDAKLJFDKL
----END CERTIFICATE-----
No client certificate CA names sent
---
SSL handshake has read 628 bytes and written 206 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-MD5
Server public key is 512 bit
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : SSLv3
Cipher : RC4-MD5
Session-ID: <>
Session-ID-ctx:
Master-Key: <>
Key-Arg : None
Start Time: <TIME DURATION>
Timeout : 7200 (sec)
Verify return code: 21 (unable to verify the first certificate)
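To run this check across several ports without reading the output by eye, the classification can be scripted. The following is an added example, not part of the original post: the function names and the three sample strings are constructed here, and it assumes an openssl binary on the PATH that still accepts -ssl3. A result of "inconclusive" means the probe proved nothing (no connection, or the client itself cannot offer SSLv3) and must not be read as "disabled".

```python
import re
import subprocess
import sys

PROTOCOL_RE = re.compile(r"^[ \t]*Protocol[ \t]*:[ \t]*(\S+)", re.MULTILINE)
CIPHER_RE = re.compile(r"^[ \t]*Cipher[ \t]*:[ \t]*(\S+)", re.MULTILINE)
NULL_CIPHERS = {"0000", "(NONE)"}  # printed when no cipher was negotiated

def classify_sslv3_probe(output):
    """Classify `openssl s_client -ssl3` output as enabled/disabled/inconclusive."""
    if "CONNECTED(" not in output:
        # No TCP connection, or this OpenSSL build cannot offer SSLv3 at all.
        return "inconclusive"
    proto = PROTOCOL_RE.search(output)
    cipher = CIPHER_RE.search(output)
    if (proto and cipher and proto.group(1) == "SSLv3"
            and cipher.group(1) not in NULL_CIPHERS):
        return "enabled"
    if "handshake failure" in output:
        return "disabled"
    return "inconclusive"

def probe(host, port, timeout=15):
    """Run the page's command against host:port and classify the result."""
    cmd = ["openssl", "s_client", "-connect", f"{host}:{port}", "-ssl3"]
    try:
        done = subprocess.run(cmd, input="", capture_output=True,
                              text=True, timeout=timeout)
    except (OSError, subprocess.TimeoutExpired):
        return "inconclusive"
    return classify_sslv3_probe(done.stdout + done.stderr)

# Constructed samples, trimmed from the two outputs shown above.
SAMPLE_REFUSED = """CONNECTED(00000170)
7468:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:./ssl/s3_pkt.c:530:
"""
SAMPLE_ACCEPTED = """CONNECTED(00000170)
New, TLSv1/SSLv3, Cipher is RC4-MD5
SSL-Session:
    Protocol  : SSLv3
    Cipher    : RC4-MD5
"""
# Constructed: a failed handshake that still prints an empty session block.
SAMPLE_REFUSED_WITH_SESSION = SAMPLE_REFUSED + """SSL-Session:
    Protocol  : SSLv3
    Cipher    : 0000
"""

if __name__ == "__main__":
    for target in sys.argv[1:]:  # e.g. myhost:9443
        host, _, port = target.rpartition(":")
        print(target, probe(host, int(port)))
```

Run it with one host:port argument per SSL port exposed by the application server, and again after each configuration change and restart.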