
We have a web server (IBM HTTP Server 6.1) connected using HTTPS (using SSL certificates - SSLv3) to an application server (IBM WebSphere Application Server 6.1). The application that is hosted on the app server is not upgradable, so we cannot update WebSphere on both layers to later versions.

I'm trying to enable TLS instead of SSLv3. The steps I followed:

  • On the web server's http.conf file, SSLv2 and SSLv3 and their cipher suite directives were removed, and TLS cipher suites were added (2F, 35b).
  • On the app server, QoP was changed to TLS (also tried TLSv1) instead of SSL_TLS, and RC4 cipher suites were removed by creating a customer list.

When opening the website URL from a browser, an Internal Server Error appears (which means that the web is unable to communicate with the app server). When selecting SSL_TLS again in the app server's QoP settings (keeping SSLv2 and SSLv3 disabled on the web server level), the website opens properly!

Is it possible the application is not compatible with TLS? Please advise.

Thank you.

Ayhamov

1 Answer


The WAS Plugin tries TLS1.0 by default in 6.1.0.31 and later. To debug whatever's going on with your system, you'll have to actually watch the handshake in a packet capture and that will tell you which side to focus on.

Running 6.1 is ill-advised, but running 6.1 without the latest maintenance is borderline negligent.

covener
  • Hi, I just noticed that the WAS version is 6.1.0.47, while the IBM HTTP Server is 6.1.0.43, and the Plugins version on the web server is 6.1.0.0. Should I upgrade the web server IHS, and try? Or does it have nothing to do with this problem? – Ayhamov Dec 02 '15 at 05:32
  • And the error that appears in the WAS logs is: SSLHandshakeE E SSLC0008E: Unable to initialize SSL connection. Unauthorized access was denied or security settings have expired. Exception is javax.net.ssl.SSLHandshakeException: Client requested protocol SSLv3 not enabled or not supported. – Ayhamov Dec 02 '15 at 05:33
  • IHS upgrade not required to get TLS, but still wise. Plugin upgrade required. – covener Dec 02 '15 at 12:33
  • Success? Accept answer? – covener Dec 25 '15 at 21:15
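
The handshake check suggested in the answer can be scripted. The following is an added example, not part of the original thread: it reads the first record sent in each direction of a captured connection and reports the protocol version and cipher suite codes the client offered, or the alert the server sent back. It assumes the raw TCP payload bytes have already been exported from the capture; the sample bytes and the helper `sample_client_hello` are constructed for illustration.

```python
import struct

VERSIONS = {0x0002: "SSLv2", 0x0300: "SSLv3", 0x0301: "TLSv1.0",
            0x0302: "TLSv1.1", 0x0303: "TLSv1.2"}
ALERTS = {40: "handshake_failure", 70: "protocol_version"}

def parse_record(data: bytes) -> dict:
    """Summarise the first record of one direction of a captured handshake."""
    if len(data) < 7:
        raise ValueError("truncated record")
    if data[0] & 0x80 and data[2] == 1:
        # SSLv2-format ClientHello, which old clients send for compatibility:
        # 2-byte length, type, version, three 2-byte lengths, then cipher specs.
        ver, cs_len = struct.unpack_from(">HH", data, 3)
        specs = data[11:11 + cs_len]
        # Specs are 3 bytes each; a leading 0x00 marks an SSLv3/TLS suite code.
        suites = [int.from_bytes(specs[i + 1:i + 3], "big")
                  for i in range(0, len(specs) - 2, 3) if specs[i] == 0]
        return {"kind": "ClientHello (SSLv2 format)",
                "version": VERSIONS.get(ver, hex(ver)), "suites": suites}
    if data[0] == 0x15:  # alert record: level and description follow the header
        return {"kind": "Alert", "fatal": data[5] == 2,
                "description": ALERTS.get(data[6], str(data[6]))}
    if data[0] != 0x16 or data[5] not in (1, 2) or len(data) < 44:
        raise ValueError("not a ClientHello/ServerHello record")
    # Version inside the hello body, which is what the peer negotiates on.
    ver = struct.unpack_from(">H", data, 9)[0]
    pos = 44 + data[43]  # skip the 32-byte random and the session id
    if data[5] == 1:
        cs_len = struct.unpack_from(">H", data, pos)[0]
        raw = data[pos + 2:pos + 2 + cs_len]
        suites = [c[0] for c in struct.iter_unpack(">H", raw)]
        kind = "ClientHello"
    else:
        suites = [struct.unpack_from(">H", data, pos)[0]]  # the chosen suite
        kind = "ServerHello"
    return {"kind": kind, "version": VERSIONS.get(ver, hex(ver)), "suites": suites}

def sample_client_hello(version: int) -> bytes:
    """Constructed ClientHello offering suites 0x002F and 0x0035 (AES CBC-SHA)."""
    body = (struct.pack(">H", version) + bytes(32) + b"\x00"
            + b"\x00\x04\x00\x2f\x00\x35" + b"\x01\x00")
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16" + struct.pack(">HH", version, len(hs)) + hs

if __name__ == "__main__":
    print(parse_record(sample_client_hello(0x0300)))    # client side of the capture
    print(parse_record(b"\x15\x03\x00\x00\x02\x02\x28"))  # constructed server reply
```

A ClientHello whose version is SSLv3 followed by a fatal alert from the other side points at the client end of the connection (here, the plugin on the web server) as the side to look at.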