Problem (Abstract)
Steps for limiting the IBM HTTP Server to encrypt only at 128 bits or higher (168 bits).
Cause
For sensitive content, strong encryption might be required.
Resolving the problem
There are several ways to configure IBM HTTP Server so that only 128 bit browsers, and/or only 128 bit and 168 bit ciphers, can access Web content over SSL.
- 128 bit and 168 bit Ciphers

  ID   Cipher                           Algorithm (key length)
  SSLV2
  27   SSL_DES_192_EDE3_CBC_WITH_MD5    Triple-DES (168 bit)
  21   SSL_RC4_128_WITH_MD5             RC4 (128 bit)
  23   SSL_RC2_CBC_128_CBC_WITH_MD5     RC2 (128 bit)
  SSLV3
  3A   SSL_RSA_WITH_3DES_EDE_CBC_SHA    Triple-DES SHA (168 bit)
  34   SSL_RSA_WITH_RC4_128_MD5         RC4 MD5 (128 bit)
  35   SSL_RSA_WITH_RC4_128_SHA         RC4 SHA (128 bit)
  TLS
  2F   TLS_RSA_WITH_AES_128_CBC_SHA     AES SHA (128 bit)
  35b  TLS_RSA_WITH_AES_256_CBC_SHA     AES SHA (256 bit)
- Allow 128 bit browsers access, while preventing lower strength browsers (40 bit, 56 bit) from connecting to the Web server over SSL
To do this, use SSLCipherSpec directives within the SSL VirtualHost stanza located in the httpd.conf file in the install_root/conf directory.
Do not use this configuration if the Web site is enabled with a step-up certificate. For step-up to occur, the Web server must allow a lower-strength cipher to be passed initially from a 40 bit or 56 bit browser. The following configuration prevents the lower strength cipher from being passed successfully during the initial handshake.
Listen 443
<VirtualHost 9.27.172.128:443>
ServerName www.ihshost.com
DocumentRoot "C:/Program Files/IBM HTTP Server/htdocs"
DirectoryIndex index.html
SSLEnable
SSLCipherSpec 27
SSLCipherSpec 21
SSLCipherSpec 23
SSLCipherSpec 3A
SSLCipherSpec 34
SSLCipherSpec 35
</VirtualHost>
SSLDisable
KeyFile "C:/Program Files/IBM HTTP Server/key.kdb"
SSLV2Timeout 100
SSLV3Timeout 1000

- Allow all 40 bit, 56 bit and 128 bit browsers to connect, but limit access to specific directory content to 128 bit and 168 bit ciphers
To do this, use SSLCipherRequire directives within a Directory stanza located in the httpd.conf file in the install_root/conf directory.
This configuration limits access to content in the following directory to browsers connected with a 128 bit or 168 bit cipher. If using a step-up certificate, the initial handshake from a 40 bit or 56 bit browser is allowed; however, the browser must step-up to a 128 bit or 168 bit cipher before being allowed to access the content in the specified directory.
Listen 443
<VirtualHost 9.27.172.128:443>
ServerName www.ihshost.com
DocumentRoot "C:/Program Files/IBM HTTP Server/htdocs"
DirectoryIndex index.html
SSLEnable
<Directory "C:/Program Files/IBM HTTP Server/htdocs/mystuff">
Options Indexes MultiViews
AllowOverride None
Order allow,deny
Allow from all
SSLCipherRequire 27
SSLCipherRequire 21
SSLCipherRequire 23
SSLCipherRequire 3A
SSLCipherRequire 34
SSLCipherRequire 35
</Directory>
</VirtualHost>
SSLDisable
KeyFile "C:/Program Files/IBM HTTP Server/key.kdb"
SSLV2Timeout 100
SSLV3Timeout 1000

- Allow all 40 bit, 56 bit and 128 bit browsers to connect, but limit access to specific URLs to 128 bit and 168 bit ciphers
To do this, use SSLCipherRequire directives within a Location stanza located in the httpd.conf file in the install_root/conf directory.
This configuration limits access to the /mystuff/resume.html URL to browsers connected with a 128 bit or 168 bit cipher. If using a step-up certificate, a 40 bit or 56 bit browser must step-up to a 128 bit or 168 bit cipher before being allowed to access the specified URL.
Listen 443
<VirtualHost 9.27.172.128:443>
ServerName www.ihshost.com
DocumentRoot "C:/Program Files/IBM HTTP Server/htdocs"
DirectoryIndex index.html
SSLEnable
<Directory "C:/Program Files/IBM HTTP Server/htdocs/mystuff">
Options Indexes MultiViews
AllowOverride None
Order allow,deny
Allow from all
</Directory>
<Location /mystuff/resume.html>
SSLCipherRequire 27
SSLCipherRequire 21
SSLCipherRequire 23
SSLCipherRequire 3A
SSLCipherRequire 34
SSLCipherRequire 35
</Location>
</VirtualHost>
SSLDisable
KeyFile "C:/Program Files/IBM HTTP Server/key.kdb"
SSLV2Timeout 100
SSLV3Timeout 1000

- For additional SSL information pertaining to the IBM HTTP Server, visit SSL FAQs
- Related URL resources for enabling and configuring SSL within the IBM HTTP Server
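As an added example (not part of the IBM technote), the following Python script audits an httpd.conf fragment against the cipher table above: it lists the SSLCipherSpec and SSLCipherRequire entries per stanza, flags IDs that are not among the documented 128 bit or stronger ciphers, and flags an SSLEnable'd VirtualHost that has no SSLCipherSpec, since such a host accepts the default cipher list and only its SSLCipherRequire stanzas are restricted. The sample configuration, the 192.0.2.x addresses and the placeholder cipher ID XX are constructed for this example.

```python
# Cipher IDs, names and key strengths as listed in this technote's table.
CIPHERS = {
    "27": ("SSL_DES_192_EDE3_CBC_WITH_MD5", 168),
    "21": ("SSL_RC4_128_WITH_MD5", 128),
    "23": ("SSL_RC2_CBC_128_CBC_WITH_MD5", 128),
    "3A": ("SSL_RSA_WITH_3DES_EDE_CBC_SHA", 168),
    "34": ("SSL_RSA_WITH_RC4_128_MD5", 128),
    "35": ("SSL_RSA_WITH_RC4_128_SHA", 128),
    "2F": ("TLS_RSA_WITH_AES_128_CBC_SHA", 128),
    "35b": ("TLS_RSA_WITH_AES_256_CBC_SHA", 256),
}

def audit(conf):
    """Map each stanza to its (directive, id, name, bits) entries and flag two things:
    IDs absent from the table (not a documented 128-bit-or-stronger cipher) and
    SSLEnable'd stanzas with no SSLCipherSpec (default cipher list: 40/56-bit browsers connect)."""
    scopes, ciphers, findings, enabled, spec_seen = ["server"], {}, [], set(), set()
    for raw in conf.splitlines():
        line = raw.strip()
        if line.startswith("</"):
            closed = scopes.pop()
            if closed in enabled and closed not in spec_seen:
                findings.append((closed, "SSLEnable without SSLCipherSpec: default cipher list accepted"))
        elif line.startswith("<"):
            scopes.append(line[1:-1])  # e.g. "VirtualHost 192.0.2.10:443"
        elif line == "SSLEnable":
            enabled.add(scopes[-1])
        elif line.split()[:1] in (["SSLCipherSpec"], ["SSLCipherRequire"]):
            directive, cid = line.split()
            if directive == "SSLCipherSpec":
                spec_seen.add(scopes[-1])
            name, bits = CIPHERS.get(cid, ("not in table", 0))
            ciphers.setdefault(scopes[-1], []).append((directive, cid, name, bits))
            if bits == 0:
                findings.append((scopes[-1], f"{directive} {cid} is not a documented 128-bit-or-stronger cipher"))
    return ciphers, findings

# Constructed fragment (not from the technote): host .10 restricted via SSLCipherSpec plus placeholder ID "XX"; host .11 left at defaults, restricting one URL with SSLCipherRequire.
SAMPLE_CONF = """<VirtualHost 192.0.2.10:443>
SSLEnable
SSLCipherSpec 3A
SSLCipherSpec XX
</VirtualHost>
<VirtualHost 192.0.2.11:443>
SSLEnable
<Location /mystuff/resume.html>
SSLCipherRequire 35b
</Location>
</VirtualHost>"""
```

Running `audit(SAMPLE_CONF)` reports the XX entry on host .10 and the missing SSLCipherSpec on host .11, while the Location stanza is listed with its 256 bit AES cipher.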