Eric, thanks very much for your answer. It helps a lot.
Original Message:
Sent: Mon December 21, 2020 09:51 AM
From: Eric Covener
Subject: SSL WebSphere V6
The error is related to the server validating its own certificate, so changing TLS ciphers or protocols should have no effect.
The certificate key types, signature algorithms, and certificate extensions have almost no connection to the ciphers negotiated at runtime. The only exception is that all ciphers supported in IHS 6.0/6.1 require RSA key exchange, so certificates with non-RSA (ECDSA) keys could never work. But that error would look quite different.
Ultimately the problem here is a certificate generated in 2020 not being understood by software from 2006. It is not too surprising.
IHS 6.0/6.1 are not fit for any purpose in 2020.
------------------------------
Eric Covener
Original Message:
Sent: Mon December 21, 2020 09:40 AM
From: Joao Alexandre
Subject: SSL WebSphere V6
Thanks for your reply.
Meanwhile I did some more research and found out that updating the ciphers and algorithms is done when we update the IHS/WAS with a fixpack.
I enabled the trace in IHS and found out the ciphers that are enabled in IHS are:
[Fri Dec 18 17:55:08 2020] [info] SSL support provided for Version 2 Cipher: SSL_DES_192_EDE3_CBC_WITH_MD5(27)
[Fri Dec 18 17:55:08 2020] [info] SSL support provided for Version 2 Cipher: SSL_RC4_128_WITH_MD5(21)
[Fri Dec 18 17:55:08 2020] [info] SSL support provided for Version 2 Cipher: SSL_RC2_CBC_128_CBC_WITH_MD5(23)
[Fri Dec 18 17:55:08 2020] [info] SSL support provided for Version 2 Cipher: SSL_DES_64_CBC_WITH_MD5(26)
[Fri Dec 18 17:55:08 2020] [info] SSL support provided for Version 2 Cipher: SSL_RC2_CBC_128_CBC_EXPORT40_WITH_MD5(24)
[Fri Dec 18 17:55:08 2020] [info] SSL support provided for Version 2 Cipher: SSL_RC4_128_EXPORT40_WITH_MD5(22)
[Fri Dec 18 17:55:08 2020] [info] SSL support provided for Version 3 Cipher: TLS_RSA_WITH_AES_256_CBC_SHA(35b)
[Fri Dec 18 17:55:08 2020] [info] SSL support provided for Version 3 Cipher: TLS_RSA_WITH_AES_128_CBC_SHA(2F)
[Fri Dec 18 17:55:08 2020] [info] SSL support provided for Version 3 Cipher: SSL_RSA_WITH_RC4_128_SHA(35)
[Fri Dec 18 17:55:08 2020] [info] SSL support provided for Version 3 Cipher: SSL_RSA_WITH_RC4_128_MD5(34)
[Fri Dec 18 17:55:08 2020] [info] SSL support provided for Version 3 Cipher: SSL_RSA_WITH_3DES_EDE_CBC_SHA(3A)
[Fri Dec 18 17:55:08 2020] [info] SSL support provided for Version 3 Cipher: TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA(62)
[Fri Dec 18 17:55:08 2020] [info] SSL support provided for Version 3 Cipher: TLS_RSA_EXPORT1024_WITH_RC4_56_SHA(64)
[Fri Dec 18 17:55:08 2020] [info] SSL support provided for Version 3 Cipher: SSL_RSA_EXPORT_WITH_RC4_40_MD5(33)
[Fri Dec 18 17:55:08 2020] [info] SSL support provided for Version 3 Cipher: SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5(36)
[Fri Dec 18 17:55:08 2020] [info] SSL support provided for Version 3 Cipher: SSL_RSA_WITH_DES_CBC_SHA(39)
[Fri Dec 18 17:55:08 2020] [info] SSL support provided for Version 3 Cipher: SSL_RSA_WITH_NULL_SHA(32)
[Fri Dec 18 17:55:08 2020] [info] SSL support provided for Version 3 Cipher: SSL_RSA_WITH_NULL_MD5(31)
[Fri Dec 18 17:55:08 2020] [info] SSL support provided for Version 3 Cipher: SSL_NULL_WITH_NULL_NULL(30)
[Fri Dec 18 17:55:08 2020] [debug] mod_ibm_ssl.c(3314): Removing cipher SSL_RSA_WITH_NULL_SHA (32) from default SSLV3 list
[Fri Dec 18 17:55:08 2020] [debug] mod_ibm_ssl.c(3314): Removing cipher SSL_RSA_WITH_NULL_MD5 (31) from default SSLV3 list
[Fri Dec 18 17:55:08 2020] [debug] mod_ibm_ssl.c(3314): Removing cipher SSL_NULL_WITH_NULL_NULL (30) from default SSLV3 list
[Fri Dec 18 17:55:08 2020] [debug] mod_ibm_ssl.c(3352): Using default SSLV3/TLSv1 ciphers
[Fri Dec 18 17:55:08 2020] [debug] mod_ibm_ssl.c(3356): Using default SSLV2 ciphers
[Fri Dec 18 17:55:08 2020] [debug] mod_ibm_ssl_config.c(733): Validating ciphers for server: edpgescprdap1, port: 443
[Fri Dec 18 17:55:08 2020] [info] SSL0320I: Using Version 2 Cipher: SSL_DES_192_EDE3_CBC_WITH_MD5(27)
[Fri Dec 18 17:55:08 2020] [info] SSL0320I: Using Version 2 Cipher: SSL_RC4_128_WITH_MD5(21)
[Fri Dec 18 17:55:08 2020] [info] SSL0320I: Using Version 2 Cipher: SSL_RC2_CBC_128_CBC_WITH_MD5(23)
[Fri Dec 18 17:55:08 2020] [info] SSL0320I: Using Version 2 Cipher: SSL_DES_64_CBC_WITH_MD5(26)
[Fri Dec 18 17:55:08 2020] [info] SSL0320I: Using Version 2 Cipher: SSL_RC2_CBC_128_CBC_EXPORT40_WITH_MD5(24)
[Fri Dec 18 17:55:08 2020] [info] SSL0320I: Using Version 2 Cipher: SSL_RC4_128_EXPORT40_WITH_MD5(22)
[Fri Dec 18 17:55:08 2020] [info] SSL0320I: Using Version 3 Cipher: TLS_RSA_WITH_AES_256_CBC_SHA(35b)
[Fri Dec 18 17:55:08 2020] [info] SSL0320I: Using Version 3 Cipher: TLS_RSA_WITH_AES_128_CBC_SHA(2F)
[Fri Dec 18 17:55:08 2020] [info] SSL0320I: Using Version 3 Cipher: SSL_RSA_WITH_RC4_128_SHA(35)
[Fri Dec 18 17:55:08 2020] [info] SSL0320I: Using Version 3 Cipher: SSL_RSA_WITH_RC4_128_MD5(34)
[Fri Dec 18 17:55:08 2020] [info] SSL0320I: Using Version 3 Cipher: SSL_RSA_WITH_3DES_EDE_CBC_SHA(3A)
[Fri Dec 18 17:55:08 2020] [info] SSL0320I: Using Version 3 Cipher: TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA(62)
[Fri Dec 18 17:55:08 2020] [info] SSL0320I: Using Version 3 Cipher: TLS_RSA_EXPORT1024_WITH_RC4_56_SHA(64)
[Fri Dec 18 17:55:08 2020] [info] SSL0320I: Using Version 3 Cipher: SSL_RSA_EXPORT_WITH_RC4_40_MD5(33)
[Fri Dec 18 17:55:08 2020] [info] SSL0320I: Using Version 3 Cipher: SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5(36)
[Fri Dec 18 17:55:08 2020] [info] SSL0320I: Using Version 3 Cipher: SSL_RSA_WITH_DES_CBC_SHA(39)
[Fri Dec 18 17:55:08 2020] [debug] mod_ibm_ssl.c(3738): SSL Protocol Info for edpgescprdap1:443, SSLV2 is enabled
[Fri Dec 18 17:55:08 2020] [debug] mod_ibm_ssl.c(3742): SSL Protocol Info for edpgescprdap1:443, SSLV3 is enabled
[Fri Dec 18 17:55:08 2020] [debug] mod_ibm_ssl.c(3746): SSL Protocol Info for edpgescprdap1:443, TLSV1 is enabled
And the error that appears repeatedly in error.log is:
[Fri Dec 18 17:55:08 2020] [debug] [client 10.132.3.2] [b09ef8] SSL handshake initiated: 10.132.3.2 -> edpgescprdap1 443
[Fri Dec 18 17:55:08 2020] [debug] [client 10.132.3.3] [b09fe8] SSL handshake initiated: 10.132.3.3 -> edpgescprdap1 443
[Fri Dec 18 17:55:08 2020] [error] [client 10.132.3.2] [b09ef8] SSL0208E: SSL Handshake Failed, Certificate validation error.
[Fri Dec 18 17:55:08 2020] [error] [client 10.132.3.3] [b09fe8] SSL0208E: SSL Handshake Failed, Certificate validation error.
[Fri Dec 18 17:55:08 2020] [debug] [client 10.132.3.2] [b09ef8] gsk_secure_close rc [0]
So it seems that those two IP addresses (probably the load balancer) are the ones that try the handshake with IHS and return the certificate validation error. Unfortunately the SSLTrace option does not give me the reason for this message. My understanding is that IHS says that the certificate that I added to the keystore is not valid.
You say that SSLCipherSpec may help me to solve this issue. I can try it. What I understand of this parameter is that it will configure my IHS to allow the usage of deprecated weak ciphers, but I think that my problem is that the recently generated certificate that was added to the keystore uses some new strong cipher that does not exist in the IHS V6.0.2.15 used by the customer, and because of that the IHS is not able to validate it.
What do you think about this?!
I have another plan: I am thinking of telling the customer that the above ciphers are the ones supported by their IHS; maybe if they create a certificate using one of these ciphers the problem disappears. What do you think?
Of course, I will explain to them the risk of using weak ciphers and having such an old version of IHS and WAS and the other security vulnerabilities that this brings to them.
------------------------------
Joao Alexandre
Lisboa
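Added example (not part of either message and not IBM's code): a small Python audit of the startup trace quoted above. It flags the protocols and cipher specs that are weak by name and checks that every Version 3 cipher uses RSA key exchange, the one link between certificate key type and ciphers that Eric Covener's reply describes. The sample is an excerpt of the quoted trace; the function names and weakness labels are this example's own.

```python
import re

# Excerpt of the IHS startup trace quoted in the message above.
SAMPLE_LOG = """\
[Fri Dec 18 17:55:08 2020] [info] SSL0320I: Using Version 2 Cipher: SSL_RC4_128_EXPORT40_WITH_MD5(22)
[Fri Dec 18 17:55:08 2020] [info] SSL0320I: Using Version 3 Cipher: TLS_RSA_WITH_AES_256_CBC_SHA(35b)
[Fri Dec 18 17:55:08 2020] [info] SSL0320I: Using Version 3 Cipher: SSL_RSA_WITH_3DES_EDE_CBC_SHA(3A)
[Fri Dec 18 17:55:08 2020] [info] SSL0320I: Using Version 3 Cipher: SSL_RSA_EXPORT_WITH_RC4_40_MD5(33)
[Fri Dec 18 17:55:08 2020] [debug] mod_ibm_ssl.c(3738): SSL Protocol Info for edpgescprdap1:443, SSLV2 is enabled
[Fri Dec 18 17:55:08 2020] [debug] mod_ibm_ssl.c(3746): SSL Protocol Info for edpgescprdap1:443, TLSV1 is enabled
"""

CIPHER_RE = re.compile(r"SSL0320I: Using Version (\d) Cipher: (\w+)\((\w+)\)")
PROTO_RE = re.compile(r"SSL Protocol Info for \S+, (\w+) is enabled")

def weaknesses(name):
    """Return the reasons a cipher spec is weak, judged only from its name."""
    t = name.split("_")
    checks = [
        (any(x.startswith("EXPORT") for x in t), "export-grade key length"),
        ("NULL" in t, "no encryption"),
        ("RC4" in t or "RC2" in t, "RC4/RC2"),
        ("3DES" in t or "EDE3" in t, "3DES (64-bit block)"),
        ("DES" in t and "EDE3" not in t, "single DES"),
        ("MD5" in t, "MD5 MAC"),
    ]
    return [label for hit, label in checks if hit]

def audit(log_text):
    """Collect enabled protocols, per-cipher weaknesses and non-RSA v3 ciphers."""
    report = {"protocols": [], "ciphers": {}, "non_rsa_v3": []}
    for line in log_text.splitlines():
        if m := PROTO_RE.search(line):
            report["protocols"].append(m.group(1))
        elif m := CIPHER_RE.search(line):
            version, name, _code = m.groups()
            report["ciphers"][name] = weaknesses(name)
            # An RSA-keyed certificate is only usable with RSA key exchange
            # ciphers; list any Version 3 spec that is something else.
            if version == "3" and "_RSA_" not in name:
                report["non_rsa_v3"].append(name)
    return report

if __name__ == "__main__":
    for key, value in audit(SAMPLE_LOG).items():
        print(key, value)
```

An empty list for a cipher means only that nothing was flagged from its name, not that the cipher spec is safe on this server.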
Original Message:
Sent: Fri December 18, 2020 11:49 AM
From: Youssef Sbai Idrissi
Subject: SSL WebSphere V6
Hey Joao, try using the directive SSLCipherSpec within your httpd.conf, and specify the necessary (deprecated weak) ciphers in it.
This wouldn't prevent your IHS from blocking the communication using old algorithms.
Thanks
------------------------------
Youssef Sbai Idrissi
Software Engineer
Original Message:
Sent: Fri December 18, 2020 07:52 AM
From: Joao Alexandre
Subject: SSL WebSphere V6
Hello,
I am trying to help a customer with a very old WAS version 6.0.1.17 to enable HTTPS.
I tried to follow all the instructions to enable SSL in IHS, Plugin and WAS. Customer requested their CA for a certificate, I added it to the key store, but I receive an SSL handshake error in IHS without details even with debug mode in httpd.conf.
I suppose that probably the SSL algorithms and ciphers used by this version are very old and do not comply with the new certificates generated by current CA.
Does anyone know how it is possible to add to WAS V6 the latest ciphers and algorithms?!
I know this is not a supported environment anymore, so I depend on the goodwill of some good soul. :-)
------------------------------
Joao Alexandre
Lisboa
------------------------------