× The internal search function is temporarily non-functional. The current search engine is no longer viable and we are researching alternatives.
As a stop gap measure, we are using Google's custom search engine service.
If you know of an easy to use, open source, search engine ... please contact support@midrange.com.


  1.  Home
  2. WEB400
  3. September 2013

Re: IBM i Apache SSL

Sean,

I think I am going to go with this for now:

SSLVersion TLSV1_SSLV3
SSLCipherSpec TLS_RSA_WITH_AES_128_CBC_SHA
SSLCipherSpec TLS_RSA_WITH_RC4_128_SHA
SSLCipherSpec TLS_RSA_WITH_3DES_EDE_CBC_SHA

It's not optimal, but gets an A report on the Qualsys website. It lists
some cautions due to client-initiated renegotiation, use of RC4 and lack
of forward secrecy. I am using RC4 for legacy purposes and think it is
secure enough in the real world for the time being. I think the BEAST
attack has been sufficiently mitigated client-side to not include it as
the first cipher with TLS 1.0. As for the other two, I don't think I can
configure client-initiated renegotiation in IBM's version of Apache, and
it doesn't look like forward secrecy has been implemented yet -- not sure
it is compatible with TLS 1.0 anyway. Not using MD5 because it is
supposedly insecure, though alright to use with TLS. Still learning this
stuff, so if anyone else has suggestions, please chime in.

Blake

------------------------------

date: Mon, 9 Sep 2013 22:42:12 -0400
from: "Porterfield, Sean" <SPorterfield@xxxxxxxxxxxxxxxxxxxxxxx>
subject: Re: [WEB400] IBM i Apache SSL

I see multiple choices in the HTTPAdmin interface as well as the ability
to customize. Have you tested the entries you would like to have based on
Apache documentation?

Ciphers available during negotiation: allows you to specify a cipher
specification used for the SSL connection. Each occurrence of this
directive will add the associated cipher spec to that context's existing
cipher suite list. The cipher spec is used on the SSL handshake, which
then uses the cipher suite list to negotiate the cipher used for
communications between the server and the client. The table allows you to
add, remove, and organize the cipher entries. There is a default set of
ciphers that are used system wide. These values can be used to override
the default set of ciphers, or the preferred cipher order. Directive:
SSLCipherSpec

I made some test changes and clicked preview to see the following lines
added (the + is the add and not part of the configuration):
+ SSLCipherSpec TLS_RSA_WITH_RC4_128_MD5
+ SSLCipherSpec TLS_RSA_WITH_3DES_EDE_CBC_SHA
--
Sean Porterfield


As an Amazon Associate we earn from qualifying purchases.

This thread ...
Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.