Thursday, November 23, 2017

[TechNote] Enable SSLv3 setting (v8.5.5.10 and later)

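IBM is one of the vendors with well-maintained documentation, but because it is so broad or spread across many versions, I sometimes end up working from wrong information, so I am simply grateful to have found content that guides this clearly with a video.
They pushed out skilled engineers, but at least there is something like this in return....
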
PI54960: PROVIDE PROPERTY TO SET JAVA SECURITY ALGORITHM RELATED PROPERTIES

Problem summary
****************************************************************
* USERS AFFECTED:  All users of IBM WebSphere Application      *
*                  Server                                      *
****************************************************************
* PROBLEM DESCRIPTION: The server needs a way to set java      *
*                      security properties                     *
*                      jdk.tls.disabledAlgorithms and          *
*                      jdk.certpath.disabledAlgorithms.        *
****************************************************************
* RECOMMENDATION:                                              *
****************************************************************
WebSphere Application Server will set jdk.tls.disabledAlgorithms and jdk.certpath.disabledAlgorithms properties programmatically.

Problem conclusion

The JRE has started disabling algorithms that are weak or are considered vulnerable. The JRE disables these algorithms by setting them on the jdk.tls.disabledAlgorithms and jdk.certpath.disabledAlgorithms Security properties in the java.security file. The jdk.tls.disabledAlgorithms property is used to disable algorithms during TLS handshaking. The jdk.certpath.disabledAlgorithms property is used to disable algorithms during certification path processing. WebSphere does not modify the java.security file in the service stream. To make sure the server is at the recommended level of security, WebSphere will be programmatically setting these properties.

During server startup jdk.tls.disabledAlgorithms will be set to SSLv3, RC4, DH keySize < 768, MD5withRSA and jdk.certpath.disabledAlgorithms will be set to MD2, RSA keySize < 1024, MD5 programmatically. An informational message will be printed in the SystemOut.log file informing users what WebSphere is setting them to.

There are 2 new WebSphere security custom properties that users can use to either customize what is set by the Security properties or to tell WebSphere to not programmatically set the properties at all.

1.  The com.ibm.websphere.tls.disabledAlgorithms security custom property can either be used to tell WebSphere to set a custom list of algorithms to disable during TLS handshaking or, if users do not want WebSphere to programmatically set the Java Security property jdk.tls.disabledAlgorithms, they can set com.ibm.websphere.tls.disabledAlgorithms to none.
2.  The com.ibm.websphere.certpath.disabledAlgorithms security custom property can either be used to tell WebSphere to set a custom list of algorithms to disable during certification path processing or, if users do not want WebSphere to programmatically set the Java Security property jdk.certpath.disabledAlgorithms, they can set com.ibm.websphere.certpath.disabledAlgorithms to none.

To set a security custom property on the Admin Console go to:
Security > Global security > Custom properties
Select New, in the box labeled Name add com.ibm.websphere.tls.disabledAlgorithms or com.ibm.websphere.certpath.disabledAlgorithms and in the box labeled Value enter either a comma-separated list of algorithms or none if you don't want WebSphere to set the Security properties.
Apply and Save the changes.
The server will need to be restarted for the properties to take effect.

Security Bulletin: Vulnerability in SSLv3 affects IBM WebSphere Application Server (CVE-2014-3566)


Summary

SSLv3 contains a vulnerability that has been referred to as the Padding Oracle On Downgraded Legacy Encryption (POODLE) attack. SSLv3 is enabled by default in IBM WebSphere Application Server. These fixes will disable SSLv3 completely.

Vulnerability Details

CVE ID: CVE-2014-3566
DESCRIPTION: IBM WebSphere Application Server could allow a remote attacker to obtain sensitive information, caused by a design error when using the SSLv3 protocol. A remote user with the ability to conduct a man-in-the-middle attack could exploit this vulnerability via a POODLE (Padding Oracle On Downgraded Legacy Encryption) attack to decrypt SSL sessions and access the plaintext of encrypted connections.

CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/97013 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)

Affected Products and Versions

This vulnerability affects all versions and releases of IBM WebSphere Application Server, IBM WebSphere Application Server Full Profile, IBM WebSphere Application Server Liberty Profile and IBM WebSphere Application Server Hypervisor Edition.

Remediation/Fixes

Please refer to the Security Bulletin for IBM HTTP Server to remediate your webserver.
Please note that these fixes will remove SSLv3 completely.
If you have SSL hard-coded in your application code, such as SSLContext.getInstance("SSL"), then you should install the interim fixes listed below, since the current implementation defaults that context to SSLv3. The interim fix is an enhancement in the IBM JDK.
The following table lists some common standard protocol label names for Java 5 and above:

| Protocol | Prior to this fix | After this fix |
|---|---|---|
| SSL | SSL v3.0 | see chart below |
| SSLv3 | SSL v3.0 | Connection will fail |
| TLS | TLS v1.0 (defined in RFC 2246) | TLS v1.0 (defined in RFC 2246) |
| TLSv1 | TLS v1.0 (defined in RFC 2246) | TLS v1.0 (defined in RFC 2246) |
| TLSv1.1 | TLS v1.1 (defined in RFC 4346) | TLS v1.1 (defined in RFC 4346) (not available for version 6.1) |
| TLSv1.2 | TLS v1.2 (defined in RFC 5246) | TLS v1.2 (defined in RFC 5246) (not available for version 6.1) |
| SSL_TLS | Enables all SSL V3.0 and TLS 1.0 protocols | TLS 1.0 |
| SSL_TLSv2 | Enables all SSL V3.0 and TLS 1.0, 1.1 and 1.2 protocols | TLS 1.0, 1.1 and 1.2 protocols (not available for version 6.1 and for version 7.0 only available with fix pack 7.0.0.23 or later.) |

The IBM® SDK Java™ Technology Edition that is shipped with IBM WebSphere Application Server will be updated per the chart below, so that SSL Protocol alias label of "SSL" would mean the TLS levels marked.

| Java Version | TLS 1.0 | TLS 1.1 | TLS 1.2 |
|---|---|---|---|
| Java 7 Server | x | x | x |
| Java 7 Client | x | | |
| Java 6 | x | | |
| Java 5 | x | | |

The interim fixes will disable SSLv3 by default. If you need to re-enable SSLv3, then there is a new Java system property to enable SSLv3 with the protocols listed above. Set the system property either statically or dynamically as described in the product documentation for the IBM SDK Java Technology Edition you are using or in the Setting generic JVM arguments technote.
Warning: Re-enabling this will make you vulnerable to the POODLE attack.

-Dcom.ibm.jsse2.disableSSLv3=false   


Second, update the Oracle system property jdk.tls.disabledAlgorithms by removing SSLv3 from the list. This property is defined in the java.security file and any protocols in this list will be disabled. You can modify the setting to remove SSLv3 or add further algorithms with the following syntax: 

For the IBM SDK, Java Technology Edition that is used by IBM WebSphere Application Server Full Profile: 
For Java 7 or Java 8:
  • Edit the java.security file and turn off SSLv3 by adding: jdk.tls.disabledAlgorithms=SSLv3

For the IBM SDK, Java Technology Edition or Oracle Java SDK, that is used by IBM WebSphere Application Server Liberty Profile:

  • Edit the java.security file and turn off SSLv3 by adding: jdk.tls.disabledAlgorithms=SSLv3

This security property has precedence over the IBM system property com.ibm.jsse2.disableSSLv3.
Please refer to the knowledge center for more information: http://www-01.ibm.com/support/knowledgecenter/SSYKE2_7.0.0/com.ibm.java.security.component.70.doc/security-component/jsse2Docs/disablesslv3.html?lang=en
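
To confirm what a given SDK actually does after these changes, the following added example (not code from IBM or from this post) prints the effective jdk.tls.disabledAlgorithms value, the com.ibm.jsse2.disableSSLv3 system property, and the protocols each label from the table above really enables. The class name Sslv3Check and the output format are assumptions made for illustration.

```java
import java.security.Security;
import java.util.Arrays;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;

// Added example: reports whether this JVM still enables SSLv3 for any label.
// Class name and output format are illustrative, not IBM's.
public class Sslv3Check {

    // True if the comma-separated disabledAlgorithms value names SSLv3.
    static boolean listsSslv3(String disabled) {
        if (disabled == null) return false;
        String[] entries = disabled.split(",");
        for (int i = 0; i < entries.length; i++) {
            if (entries[i].trim().equalsIgnoreCase("SSLv3")) return true;
        }
        return false;
    }

    public static void main(String[] args) {
        String disabled = Security.getProperty("jdk.tls.disabledAlgorithms");
        System.out.println("jdk.tls.disabledAlgorithms = " + disabled);
        System.out.println("SSLv3 listed as disabled   = " + listsSslv3(disabled));
        // IBM SDK switch from the bulletin; null means it was not passed with -D.
        System.out.println("com.ibm.jsse2.disableSSLv3 = "
                + System.getProperty("com.ibm.jsse2.disableSSLv3"));

        // Labels from the bulletin's table; SSL_TLS and SSL_TLSv2 exist only on IBM JSSE2.
        String[] labels = {"SSL", "SSLv3", "TLS", "TLSv1.2", "SSL_TLS", "SSL_TLSv2"};
        boolean exposed = false;
        for (int i = 0; i < labels.length; i++) {
            try {
                SSLContext ctx = SSLContext.getInstance(labels[i]);
                ctx.init(null, null, null); // default key and trust managers
                SSLEngine engine = ctx.createSSLEngine();
                String[] enabled = engine.getEnabledProtocols();
                boolean sslv3 = Arrays.asList(enabled).contains("SSLv3");
                exposed |= sslv3;
                System.out.println(labels[i] + " -> " + Arrays.toString(enabled)
                        + (sslv3 ? "  <-- SSLv3 enabled" : ""));
            } catch (Exception e) {
                // Label unknown to this provider, or the context could not be built.
                System.out.println(labels[i] + " -> unavailable (" + e + ")");
            }
        }
        // Non-zero exit status if any label still enables SSLv3.
        System.exit(exposed ? 1 : 0);
    }
}
```

Run it with the same SDK the server uses, once as-is and once with -Dcom.ibm.jsse2.disableSSLv3=false, to see the precedence described above. A standalone run reflects java.security only; the values WebSphere sets programmatically at startup are the ones reported in SystemOut.log.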
