
I have an IBM AIX machine running IBM HTTP Server version 8.5.5.0 which was recently configured to use TLS 1.2. Per corporate policy my server is supposed to use TLS 1.2, but for compatibility purposes we also have TLS 1.1 enabled. Testing with OpenSSL using openssl s_client -connect ihs8server.example.com:443 -tls1_2 reveals that the server is accepting TLS 1.2 connections properly. However, when I connect from my browser (Firefox ESR 38.7.0), the connection security information dialog says I got a TLS 1.1 connection.

Is there any way to configure IBM HTTP Server (or Apache for that matter, since IHS is very similar) to default to TLS 1.2 but allow the option of connecting over TLS 1.1 in case a client does not support it?

RAKK
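The `-tls1_2` flag in the question forces OpenSSL to offer only TLS 1.2, so that test proves the server accepts TLS 1.2 but says nothing about what it picks for a client that offers several versions. The script below is an added example, not part of the original question: it runs `openssl s_client` once with no version flag (the client then offers everything it supports and the SSL-Session block shows what the server chose) and then forces each version in turn to see which ones are still accepted. The host name is a placeholder and the sample `s_client` transcript at the bottom is constructed so the parser can be exercised offline.

```shell
#!/bin/sh
# Added example (not from the original question). Probes what a TLS server
# negotiates by default and which versions it still accepts.
# The host:port argument is a placeholder; SAMPLE_TLS11 is a constructed transcript.

# Extract the negotiated protocol from `openssl s_client` output on stdin.
# s_client prints an SSL-Session block containing "Protocol  : TLSv1.2".
# (The earlier "New, TLSv1/SSLv3, Cipher is ..." line in OpenSSL 1.0.x is not
# version-specific, so the SSL-Session line is the one to read.)
negotiated_protocol() {
    awk '/^[[:space:]]*Protocol[[:space:]]*:/ { print $3; exit }'
}

# Same for the negotiated cipher suite ("Cipher    : AES128-SHA").
negotiated_cipher() {
    awk '/^[[:space:]]*Cipher[[:space:]]*:/ { print $3; exit }'
}

# Policy check: TLS 1.2 (or newer) is acceptable, anything else is not.
# Returns 0 when the protocol meets policy, 1 otherwise.
meets_policy() {
    case $1 in
        TLSv1.2|TLSv1.3) return 0 ;;
        *) return 1 ;;
    esac
}

# One handshake against HOST:PORT, optionally with a version-forcing flag.
# Prints the negotiated protocol, or nothing if the handshake fails.
handshake() {
    host_port=$1; flag=$2
    sni=${host_port%%:*}
    openssl s_client -connect "$host_port" -servername "$sni" $flag </dev/null 2>/dev/null \
        | negotiated_protocol
}

# First line: what the server picks when the client offers everything.
# Remaining lines: which versions the server accepts when forced.
probe() {
    host_port=$1
    proto=$(handshake "$host_port" "")
    echo "default : ${proto:-refused}"
    for flag in -tls1_2 -tls1_1 -tls1; do
        proto=$(handshake "$host_port" "$flag")
        echo "$flag : ${proto:-refused}"
    done
}

# Constructed sample of what s_client prints for a server that chose TLS 1.1.
SAMPLE_TLS11='CONNECTED(00000003)
---
New, TLSv1/SSLv3, Cipher is AES128-SHA
Server public key is 2048 bit
SSL-Session:
    Protocol  : TLSv1.1
    Cipher    : AES128-SHA
---'

if [ "$#" -gt 0 ]; then
    probe "$1"            # e.g. ./probe.sh ihs8server.example.com:443
else
    proto=$(printf '%s\n' "$SAMPLE_TLS11" | negotiated_protocol)
    echo "sample negotiated: $proto"
    meets_policy "$proto" || echo "policy violation: expected TLSv1.2, got $proto"
fi
```

Run it with `host:port` as the argument to probe a live server; with no argument it parses the constructed sample and reports the policy violation. A server that shows `default : TLSv1.1` while `-tls1_2 : TLSv1.2` is exactly the situation the question describes, and the "default" line is the one that matters for browsers.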

2 Answers


In Apache...

You can remove the protocols you do not want to support.

SSLProtocol all -SSLv2 -SSLv3

You can list ciphers in your preferred order and set the server to follow/negotiate in that order.

SSLHonorCipherOrder     on

Here's a good SSL cipher generator, from Mozilla, that is always up to date with the latest ciphers.

jarvis

As noted by @Jarvis, placing ciphers requiring TLS 1.2 early in the `SSLCipherSuite` list and setting `SSLHonorCipherOrder on` will cause clients supporting TLS 1.2 to use it, but allow those not supporting it to connect using TLS 1.1 ciphers placed later – Colt May 01 '16 at 14:12

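A complete vhost fragment putting the answer's directives together, added here as an example and not taken from the answer or from the IBM HTTP Server documentation. It is written for Apache httpd 2.4 mod_ssl; the hostname and certificate paths are placeholders. One caveat on the mechanism: the TLS version is negotiated by the server picking the highest version both sides have enabled, so a TLS 1.2-capable client gets TLS 1.2 as soon as the server enables it. `SSLHonorCipherOrder` then decides which suite is used within that version, and listing the TLS 1.2-only AEAD suites first ensures such clients also get the strongest suite, while the CBC suites at the end remain available to TLS 1.1 clients.

```apache
# Added example (Apache 2.4 mod_ssl), not from the original answer.
# ServerName and certificate paths are placeholders.
<VirtualHost *:443>
    ServerName ihs8server.example.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/ihs8server.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/ihs8server.example.com.key

    # Only TLS 1.1 and TLS 1.2 are enabled. A client offering TLS 1.2 gets
    # TLS 1.2; a TLS 1.1-only client still connects; SSLv2, SSLv3 and TLS 1.0
    # are refused outright.
    SSLProtocol -all +TLSv1.1 +TLSv1.2

    # The server, not the client, picks the suite: the first entry in this
    # list that the client also offers wins. ECDHE/GCM suites exist only in
    # TLS 1.2, so TLS 1.2 clients land on them; the plain CBC suites at the
    # end are the fallback for TLS 1.1 clients.
    SSLHonorCipherOrder on
    SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:AES128-SHA:AES256-SHA:!aNULL:!eNULL:!MD5:!RC4:!3DES
</VirtualHost>
```

Check the result with `openssl s_client -connect ihs8server.example.com:443` run without any version flag (the `-tls1_2` flag in the question only proves TLS 1.2 is accepted, not that it is preferred); the `Protocol` line in the SSL-Session block should read `TLSv1.2`, and the same command with `-tls1_1` should still succeed. Note that this fragment is for Apache's mod_ssl; IBM HTTP Server 8.5.5 ships mod_ibm_ssl, whose directive names and cipher names differ, as the second answer points out.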

IBM uses its own mod_ibm_ssl, which is not 100% compatible with Apache and OpenSSL, so you need to add SSLCipherSpec entries in a specific order.

Check slide 30 of this slide deck: https://www.slideshare.net/mobile/ChristophStoettner/sutol16-ibm-connections-deployment-best-practices?qid=954c5951-3d33-41ca-862c-33db5174feaf&v=&b=&from_search=1

stoeps