With the POODLE attack in mind, I want to disable SSLv3 for a web application deployed on IBM WebSphere 6. There are a few things I cannot work out:
1. How do I disable SSL and enable TLS in WAS 6.0 and 6.1?
2. When a client opens my application's URL in a browser and the browser supports SSL, the request will be initiated over SSL. Since SSL will be disabled on WAS 6, will end users get a handshake exception?
3. Do I need to change the application configuration, or would changing web server properties help?
1 Answer
You don't need to change anything in your application. There is already a fixpack provided for the latest WebSphere versions - check this page: Vulnerability in SSLv3 affects IBM WebSphere Application Server
For V6.1.0.0 through 6.1.0.47:
- Apply Interim Fix PI28796 : Will upgrade you to IBM Java SDK Version 5.0 Service Refresh 16 Fix Pack 7 + APAR IV66111 for change to disable SSLv3 by default.
6.0 is so old that I don't remember if it even supports TLS. You will have to dig in the admin console somewhere in the SSL settings (the exact path might be different): Security > SSL > SSL_configuration_name, and change the protocol to TLS.
If you access WebSphere via a web server (Apache or IHS), then you need to disable SSLv3 on the web server instead of the application server. For details see Vulnerability in SSLv3 affects IBM HTTP Server
Add the following directive to the httpd.conf file to disable SSLv3 and SSLv2 for each context that contains "SSLEnable":
# Disable SSLv3 for CVE-2014-3566
# SSLv2 is disabled in V8R0 and later by default, and in typical V7
# and earlier configurations disabled implicitly when SSLv3 ciphers
# are configured with SSLCipherSpec.
SSLProtocolDisable SSLv3 SSLv2
Stop and restart IHS for the changes to take effect.
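The answer's rule is per context: every section that contains SSLEnable needs its own SSLProtocolDisable SSLv3. On a server with several virtual hosts it is easy to harden one and miss another, so a small checker that walks httpd.conf and reports every SSL-enabled context that still lacks the directive is a useful pre-restart check. The script below is an added example, not code from the answer or from IBM. The SAMPLE_CONF text is a constructed fragment (the hostnames and key path are placeholders); the checker deliberately does not assume that a directive in the global scope covers virtual hosts, so it only ever under-reports hardening, never over-reports it.

```python
import re

# Constructed sample httpd.conf fragment (not from any real server): a plain
# HTTP host that needs nothing, an SSL host hardened as the answer describes,
# and an SSL host that was forgotten.
SAMPLE_CONF = """\
Listen 80
Listen 443
<VirtualHost *:80>
    ServerName www.example.test
</VirtualHost>
<VirtualHost *:443>
    ServerName secure.example.test
    SSLEnable
    # Disable SSLv3 for CVE-2014-3566
    SSLProtocolDisable SSLv3 SSLv2
    KeyFile /path/to/key.kdb
</VirtualHost>
<VirtualHost *:8443>
    ServerName legacy.example.test
    SSLEnable
    KeyFile /path/to/key.kdb
</VirtualHost>
"""

OPEN_RE = re.compile(r"^<(\w+)\b[^>]*>$")   # e.g. <VirtualHost *:443>
CLOSE_RE = re.compile(r"^</(\w+)>$")        # e.g. </VirtualHost>


def parse_contexts(conf_text):
    """Split an httpd.conf into contexts: the global scope plus one entry per
    <VirtualHost> section. Each context maps to a list of
    (line_number, directive, args) tuples; comments and blank lines are
    skipped, and containers nested inside a VirtualHost are folded into it."""
    contexts = {"global": []}
    stack = []          # names of currently open container sections
    current = "global"
    for lineno, raw in enumerate(conf_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = OPEN_RE.match(line)
        if m:
            stack.append(m.group(1))
            if m.group(1).lower() == "virtualhost":
                current = f"{line} (line {lineno})"
                contexts[current] = []
            continue
        m = CLOSE_RE.match(line)
        if m:
            if stack and stack.pop().lower() == "virtualhost":
                current = "global"
            continue
        parts = line.split()
        contexts[current].append((lineno, parts[0], parts[1:]))
    return contexts


def find_unhardened_ssl_contexts(conf_text):
    """Return the names of every context that contains SSLEnable but has no
    SSLProtocolDisable directive naming SSLv3. Directive names and protocol
    names are compared case-insensitively. Conservative by design (an
    assumption of this example): a global-scope directive is NOT treated as
    covering the virtual hosts."""
    findings = []
    for name, directives in parse_contexts(conf_text).items():
        ssl_enabled = any(d.lower() == "sslenable" for _, d, _ in directives)
        if not ssl_enabled:
            continue
        sslv3_disabled = any(
            d.lower() == "sslprotocoldisable"
            and any(a.lower() == "sslv3" for a in args)
            for _, d, args in directives
        )
        if not sslv3_disabled:
            findings.append(name)
    return findings


if __name__ == "__main__":
    # Run against the constructed sample; on a real server read httpd.conf
    # into conf_text instead.
    for ctx in find_unhardened_ssl_contexts(SAMPLE_CONF):
        print(f"SSLEnable without SSLProtocolDisable SSLv3 in: {ctx}")
```

Against the sample it reports only the *:8443 host. The check is static, so after restarting IHS it is still worth confirming the result from the outside with a client that can be told to offer only SSLv3 and seeing the handshake refused.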