Connections administrator enabled SSL module on IBM HTTP Server following Knowledge center article by
LoadModule ibm_ssl_module modules/mod_ibm_ssl.so:
NSFOCUS scan report indicate server had CVE-2011-1473 vulnerabilities.
Connections 5.5 CR3
IBM HTTP Server & Websphere Application Server 18.104.22.168
Redhat Linux 7.2
1. Get httpd.conf from <IHS>/conf/ folder
2. Determine IHS version
mod_ibm_ssl.so is NOT OpenSSL library, therefore it's not affected by CVE-2011-1473 security vulnerabilities.
If the NSFOCUS tool determines whether server is vulnerable by reading the handshake information between client
and Websphere Application Server. e.g:
C:\OpenSSL-Win32\bin>openssl s_client -connect conn6.win.com:8881
depth=1 C = US, O = IBM, OU = CellManager01, OU = Cell01, OU = Root
CN = conn6.win.com
verify error:num=19:self signed certificate in certificate chain
No client certificate CA names sent
Server Temp Key: DH, 1024 bits
SSL handshake has read 2657 bytes and written 374 bytes
Verification error: self signed certificate in certificate chain
New, SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
In the shakehand information above, “Secure Renegotiation IS supported” does not represent "SSL Renegotiation" is allowed on server.
With original information provided by Websphere support:
The IHS Server Hello is going to show the renegotiation_info extension which is needed for renegotiation support/enablement.
This only shows that we support it.
It does not mean we will allow the renegotiation.
We need to broadcast this secure renegotiation indicator even though we do not accept renegotiation to protect against a type of MITM attack.
So OpenSSL is just checking for the presence of the field, but not that we actually allow a renegotiation.
IHS服务器在握手时显示支持重新协商扩展（renegotiation_info）,这只表明 IHS 支持它。
这并不意味着 IHS 将允许重新协商。
根据规范，为了防止中间人攻击，即使 IHS 不允许重新协商，IHS 也需要表明对重新协商的支持。
所以 OpenSSL 如果仅通过检查该字段标记，就会误以为 IHS 允许重新协商。
In fact, In IBM HTTP Server for WebSphere Application Server Version 8.5, SSLRenegotiation had been disabled by default.
Unless admin specified "SSLRenegotiation on" in httpd.conf, it's not enabled so server is not vulnerable as CVE-2011-1473.
Please check following page for more details: