No, it is not via any configuration file change.
It is always the case that prior to processing any SSLCipherSpec directives, there is a default set of ciphers enabled. It is a subset of the ciphers supported by the GSKit security library.
In 8.5.5.24/9.0.5.15 (typo before) no RSA ciphers will be present in that initial default list. If the config happens to have explicit SSLCipherSpec directives that enable RSA KEX ciphers, they will continue to be used. See PH51473 (https://www.ibm.com/support/pages/apar/PH51473) for more detail, including issues unique to IHS on zOS.
Original Message:
Sent: Wed April 05, 2023 12:16 AM
From: Ken Iida
Subject: About "Weak SSL/TLS Key Exchange"
Please tell me one more thing.
In 8.5.5.25/9.0.5.15 and later RSA ciphers are disabled by default.
By what method is it? Is it written like that in the default httpd.conf?
------------------------------
Ken Iida
Ken.Iida@kyndryl.com
Nagoya, Japan
Original Message:
Sent: Sun April 02, 2023 09:47 PM
From: Eric Covener
Subject: About "Weak SSL/TLS Key Exchange"
Assuming you have 8.5.5.19-8.5.5.23 or 9.0.5.7-9.0.5.14, I suggest removing any RSA ciphers you already have explicitly listed in httpd.conf, then setting "SSLCipherSpec -RSA" to remove the ones enabled by default. In 8.5.5.25/9.0.5.15 and later, there are no default RSA ciphers enabled anymore (except in some special case on zOS where it cannot be sure ECDHE will work).
If your IHS is older than 8.5.5.19 or 9.0.5.7, there are more and more RSA ciphers that might be enabled by default the farther back you go.
You can see them all with apachectl -t -DDUMP_SSL_CONFIG and remove them individually with the syntax you showed.
------------------------------
Eric Covener
Original Message:
Sent: Sun April 02, 2023 09:39 PM
From: Ken Iida
Subject: About "Weak SSL/TLS Key Exchange"
Specifically, should I write the following and sequentially exclude the ciphers that I do not want to use?
SSLCipherSpec ALL -SSL_RSA_WITH_RC4_128_MD5
SSLCipherSpec ALL -SSL_RSA_WITH_RC4_128_SHA
・・・・・
------------------------------
Ken Iida
Ken.Iida@kyndryl.com
Nagoya, Japan
Original Message:
Sent: Fri March 31, 2023 08:26 AM
From: Eric Covener
Subject: About "Weak SSL/TLS Key Exchange"
If you're scanning IHS, it's most likely complaining about RSA key exchange.
If you have relatively recent fix packs, you can disable RSA key exchange pretty easily in IHS by updating httpd.conf:
1. Remove SSLCipherSpec directives that explicitly enable RSA key exchange ciphers (ciphers that begin with TLS_RSA).
2. In fix packs 8.5.5.19-8.5.5.23 and 9.0.5.7-9.0.5.14, add SSLCipherSpec -RSA to each virtual host with SSLEnable.
If you are scanning WAS directly, it may be more complicated, as the weak key exchange could additionally refer to things like small DHE key sizes (which are dynamically generated). It is probably best to open a support case if it's a WAS scan result.
------------------------------
Eric Covener
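The two httpd.conf steps above can be checked mechanically before the scanner runs again. The following audit is an added example, not code from this thread or from IBM: it walks each <VirtualHost> block, flags SSLCipherSpec directives that explicitly enable TLS_RSA_*/SSL_RSA_* ciphers (step 1), and reports any SSL-enabled host that lacks "SSLCipherSpec -RSA" (step 2). The httpd.conf text, host names and key path are constructed for the example; the cipher-name prefixes and the "-RSA" token are the ones named in the thread.

```python
"""Audit an IBM HTTP Server httpd.conf for RSA key-exchange cipher settings.

Added example, not code from the thread or from IBM. Applies the two steps
given above: (1) flag SSLCipherSpec directives that explicitly enable
TLS_RSA_*/SSL_RSA_* ciphers, (2) check that every virtual host with SSLEnable
carries "SSLCipherSpec -RSA" so the default RSA KEX ciphers are removed.
"""
import re
from dataclasses import dataclass, field

# Constructed sample configuration: one compliant host, one non-compliant
# host, and one plain-HTTP host that should produce no findings.
SAMPLE_HTTPD_CONF = """\
LoadModule ibm_ssl_module modules/mod_ibm_ssl.so
Listen 443
<VirtualHost *:443>
    ServerName good.example.internal
    SSLEnable
    KeyFile /opt/IBM/HTTPServer/keys/key.kdb
    SSLCipherSpec -RSA
</VirtualHost>
Listen 8443
<VirtualHost *:8443>
    ServerName legacy.example.internal
    SSLEnable
    # explicitly enables an RSA key-exchange cipher (step 1 says remove this)
    SSLCipherSpec TLS_RSA_WITH_AES_128_CBC_SHA
    SSLCipherSpec ALL -SSL_RSA_WITH_RC4_128_MD5
</VirtualHost>
<VirtualHost *:80>
    ServerName plain.example.internal
</VirtualHost>
"""

# Cipher-name prefixes that denote RSA key exchange (from the thread).
RSA_KEX_PREFIXES = ("TLS_RSA_", "SSL_RSA_")


@dataclass
class HostReport:
    name: str
    ssl_enabled: bool = False
    explicit_rsa: list = field(default_factory=list)  # explicitly enabled RSA KEX ciphers
    has_minus_rsa: bool = False                       # "SSLCipherSpec -RSA" seen

    def findings(self):
        """Human-readable remediation items for this host (empty if compliant)."""
        out = []
        if not self.ssl_enabled:
            return out
        for cipher in self.explicit_rsa:
            out.append(f"{self.name}: remove explicit RSA KEX cipher {cipher}")
        if not self.has_minus_rsa:
            out.append(f"{self.name}: add 'SSLCipherSpec -RSA' to drop default RSA KEX ciphers")
        return out


def _strip_comment(line):
    line = line.strip()
    return "" if line.startswith("#") else line


def audit_httpd_conf(text):
    """Return one HostReport per <VirtualHost> block, plus one for global scope."""
    global_scope = HostReport("global")
    reports = [global_scope]
    current = global_scope
    for raw in text.splitlines():
        line = _strip_comment(raw)
        if not line:
            continue
        opened = re.match(r"<VirtualHost\s+([^>]+)>", line, re.I)
        if opened:
            current = HostReport(opened.group(1).strip())
            reports.append(current)
            continue
        if re.match(r"</VirtualHost>", line, re.I):
            current = global_scope
            continue
        tokens = line.split()
        directive = tokens[0].lower()
        if directive == "servername" and len(tokens) > 1:
            current.name = tokens[1]
        elif directive == "sslenable":
            current.ssl_enabled = True
        elif directive == "sslcipherspec":
            for tok in tokens[1:]:
                if tok.upper() == "-RSA":
                    current.has_minus_rsa = True
                elif (not tok.startswith(("-", "!"))
                      and tok.lstrip("+").upper().startswith(RSA_KEX_PREFIXES)):
                    # A bare or "+"-prefixed RSA cipher name enables it explicitly.
                    current.explicit_rsa.append(tok.lstrip("+"))
    return reports


def audit_findings(text):
    """Flatten all hosts' findings into one list of remediation strings."""
    return [f for report in audit_httpd_conf(text) for f in report.findings()]


if __name__ == "__main__":
    for finding in audit_findings(SAMPLE_HTTPD_CONF):
        print(finding)
```

Run it against the real httpd.conf by reading the file into audit_findings(); an empty result means both steps are already applied for every SSL-enabled host, and the apachectl -t -DDUMP_SSL_CONFIG dump remains the authoritative check of what actually ends up enabled.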
Original Message:
Sent: Fri March 31, 2023 01:59 AM
From: Ken Iida
Subject: About "Weak SSL/TLS Key Exchange"
I operate some systems built using WebSphere Application Server and IBM HTTP Server.
When I tested these systems with security scans (for example, Qualys Scan), I sometimes received indications like "Weak SSL/TLS Key Exchange port xxxx/tcp over SSL". In fact, I do not operate such a key exchange, but it seems that the system settings allow communication using weak encryption.
In order to avoid receiving these indications, I think it is necessary to add or change the setting values of WAS, IHS or both of them.
I have a question here.
Specifically, what part of WAS or HTTP should I change? Applying a fix pack? Changing parameters? (Which config file?)
I would like to improve the result of the security scan test without affecting existing operations as much as possible. WAS and IHS versions are 8.5.5 - 9.0.5.
Please teach me.
------------------------------
Ken Iida
Ken.Iida@kyndryl.com
Nagoya, Japan
------------------------------