Limiting IBM HTTP Server to encrypt at only 128 bits or higher
 Technote (troubleshooting)
 
Problem(Abstract)
Steps for limiting the IBM® HTTP Server to encrypt only at 128 bits or higher (168 bits).
 
Cause
For sensitive content, strong encryption might be required.
 
Resolving the problem
There are several ways to configure IBM HTTP Server to restrict SSL so that only 128 bit browsers, or only 128 bit and 168 bit ciphers, can be used to reach Web content.
  • 128 bit and 168 bit Ciphers

    Code  Cipher spec name                Description

    SSLV2
    27    SSL_DES_192_EDE3_CBC_WITH_MD5   Triple-DES (168 bit)
    21    SSL_RC4_128_WITH_MD5            RC4 (128 bit)
    23    SSL_RC2_CBC_128_CBC_WITH_MD5    RC2 (128 bit)

    SSLV3
    3A    SSL_RSA_WITH_3DES_EDE_CBC_SHA   Triple-DES SHA (168 bit)
    34    SSL_RSA_WITH_RC4_128_MD5        RC4 MD5 (128 bit)
    35    SSL_RSA_WITH_RC4_128_SHA        RC4 SHA (128 bit)

    TLS (available in IBM HTTP Server 1.3.28 and 2.0.47 only!)
    2F    TLS_RSA_WITH_AES_128_CBC_SHA    AES SHA (128 bit)
    35b   TLS_RSA_WITH_AES_256_CBC_SHA    AES SHA (256 bit)

  • Allow 128 bit browsers to connect, while denying lower strength browsers (40 bit, 56 bit) any SSL connection to the Web server
    To do this, use SSLCipherSpec directives within the SSL VirtualHost stanza located in the httpd.conf file in the install_root/conf directory.

    Do not use this configuration if the Web site is enabled with a step-up certificate. For step-up to occur, the Web server must allow a lower-strength cipher to be passed initially from a 40 bit or 56 bit browser. The following configuration prevents the lower strength cipher from being passed successfully during the initial handshake.

    Listen 443

    <VirtualHost 9.27.172.128:443>
    ServerName www.mycompany.com
    DocumentRoot "C:/Program Files/IBM HTTP Server 2.0.42/htdocs"
    DirectoryIndex index.html
    SSLEnable
    SSLCipherSpec 27
    SSLCipherSpec 21
    SSLCipherSpec 23
    SSLCipherSpec 3A
    SSLCipherSpec 34
    SSLCipherSpec 35
    </VirtualHost>

    SSLDisable
    KeyFile "C:/Program Files/IBM HTTP Server 2.0.42/key.kdb"
    SSLV2Timeout 100
    SSLV3Timeout 1000

  • Allow all 40 bit, 56 bit and 128 bit browsers to connect, but limit access to specific DIRECTORY CONTENT to 128 bit and 168 bit ciphers
    To do this, use SSLCipherRequire directives within a Directory stanza located in the httpd.conf file in the install_root/conf directory.

    This configuration limits access to content in the following directory to browsers connected with a 128 bit or 168 bit cipher. If using a step-up certificate, the initial handshake from a 40 bit or 56 bit browser is allowed; however, the browser must step-up to a 128 bit or 168 bit cipher before being allowed to access the content in the specified directory.

    Listen 443

    <VirtualHost 9.27.172.128:443>
    ServerName www.mycompany.com
    DocumentRoot "C:/Program Files/IBM HTTP Server 2.0.42/htdocs"
    DirectoryIndex index.html
    SSLEnable
    <Directory "C:/Program Files/IBM HTTP Server 2.0.42/htdocs/mystuff">
    Options Indexes MultiViews
    AllowOverride None
    Order allow,deny
    Allow from all
    SSLCipherRequire 27
    SSLCipherRequire 21
    SSLCipherRequire 23
    SSLCipherRequire 3A
    SSLCipherRequire 34
    SSLCipherRequire 35
    </Directory>
    </VirtualHost>

    SSLDisable
    KeyFile "C:/Program Files/IBM HTTP Server 2.0.42/key.kdb"
    SSLV2Timeout 100
    SSLV3Timeout 1000

  • Allow all 40 bit, 56 bit and 128 bit browsers to connect, but limit access to specific URLs to 128 bit and 168 bit ciphers
    To do this, use SSLCipherRequire directives within a Location stanza located in the httpd.conf file in the install_root/conf directory.

    This configuration limits access to the /mystuff/resume.html URL to browsers connected with a 128 bit or 168 bit cipher. If using a step-up certificate, a 40 bit or 56 bit browser must step-up to a 128 bit or 168 bit cipher before being allowed to access the specified URL.

    Listen 443

    <VirtualHost 9.27.172.128:443>
    ServerName www.mycompany.com
    DocumentRoot "C:/Program Files/IBM HTTP Server 2.0.42/htdocs"
    DirectoryIndex index.html
    SSLEnable
    <Directory "C:/Program Files/IBM HTTP Server 2.0.42/htdocs/mystuff">
    Options Indexes MultiViews
    AllowOverride None
    Order allow,deny
    Allow from all
    </Directory>
    <Location /mystuff/resume.html>
    SSLCipherRequire 27
    SSLCipherRequire 21
    SSLCipherRequire 23
    SSLCipherRequire 3A
    SSLCipherRequire 34
    SSLCipherRequire 35
    </Location>
    </VirtualHost>

    SSLDisable
    KeyFile "C:/Program Files/IBM HTTP Server 2.0.42/key.kdb"
    SSLV2Timeout 100
    SSLV3Timeout 1000

  • Related URL resources for enabling and configuring SSL within the IBM HTTP Server
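    As an added illustration that is not part of this technote, the Python script below walks an httpd.conf fragment and reports every SSLCipherSpec or SSLCipherRequire code that is not in the 128 bit and 168 bit table above, naming the VirtualHost, Directory or Location stanza it sits in; the minimum_bits parameter extends the check to a stricter floor such as 168 bits. The sample configuration and the code 26 in it are constructed for the example.

```python
# Cipher spec codes from the technote's table of 128-bit-or-higher ciphers.
# Keys are uppercased so the page's "35b" and a config's "35B" compare equal.
STRONG_CIPHERS = {
    "27": ("SSL_DES_192_EDE3_CBC_WITH_MD5", 168),
    "21": ("SSL_RC4_128_WITH_MD5", 128),
    "23": ("SSL_RC2_CBC_128_CBC_WITH_MD5", 128),
    "3A": ("SSL_RSA_WITH_3DES_EDE_CBC_SHA", 168),
    "34": ("SSL_RSA_WITH_RC4_128_MD5", 128),
    "35": ("SSL_RSA_WITH_RC4_128_SHA", 128),
    "2F": ("TLS_RSA_WITH_AES_128_CBC_SHA", 128),
    "35B": ("TLS_RSA_WITH_AES_256_CBC_SHA", 256),
}
CIPHER_DIRECTIVES = ("sslcipherspec", "sslcipherrequire")

def audit_cipher_directives(conf_text, minimum_bits=128):
    """Return (stanza, directive, code, reason) for each cipher directive that is not strong enough."""
    findings, stack = [], []  # stack holds the enclosing VirtualHost/Directory/Location stanzas
    for raw in conf_text.splitlines():
        line = raw.strip()
        if line.startswith("</"):      # closing tag: leave the current stanza
            if stack:
                stack.pop()
        elif line.startswith("<"):     # opening tag: enter a new stanza
            stack.append(line.strip("<>"))
        else:
            parts = line.split()
            if len(parts) != 2 or parts[0].lower() not in CIPHER_DIRECTIVES:
                continue               # blank lines, comments and other directives
            directive, code = parts[0], parts[1].upper()
            stanza = " > ".join(stack) or "(server scope)"
            entry = STRONG_CIPHERS.get(code)
            if entry is None:
                findings.append((stanza, directive, code, "not in the 128-bit-or-higher table"))
            elif entry[1] < minimum_bits:
                findings.append((stanza, directive, code, f"{entry[0]} is only {entry[1]} bits"))
    return findings

# Constructed sample httpd.conf fragment (not from the technote): code 26 is deliberately
# absent from the strong table and must be reported; the rest are 128 bits or higher.
SAMPLE_CONF = """\
<VirtualHost 9.27.172.128:443>
SSLEnable
SSLCipherSpec 27
SSLCipherSpec 26
<Location /mystuff/resume.html>
SSLCipherRequire 35b
SSLCipherRequire 21
</Location>
</VirtualHost>
"""
```

    Run it against a copy of install_root/conf/httpd.conf after applying one of the configurations above; an empty result means every cipher directive comes from the table.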

Document Information


Product categories: Software > Application Servers > Distributed Application & Web Servers > IBM HTTP Server > SSL
Operating system(s): Windows
Software version: 6.0
Software edition:
Reference #: 1112074
IBM Group: Software Group
Modified date: Sep 15, 2004