IBM HTTP Server and Sweet32: Birthday attack in TLS (CVE-2016-2183)
CVE-2016-2183 describes a confidentiality leak when the Triple-DES (3DES) 64-bit block cipher is negotiated and used to transmit hundreds of gigabytes of information. Your IBM HTTP Server (IHS) needs to be evaluated to see if you are affected.
How is IBM HTTP Server affected?
In short, IBM HTTP Server supports 3DES by default but does not prefer 3DES by default.
By default, all in-service IBM HTTP Server releases use 3DES as a "last resort" cipher to be negotiated if no other ciphers are shared between client and server. This arrangement already complies with the recommendation from the security researchers behind CVE-2016-2183. 3DES is not preferred by IHS.
UPDATE: As of the following IBM HTTP Server fixpacks: 18.104.22.168, 22.214.171.124, 126.96.36.199 and 188.8.131.52, the 3DES ciphers will be removed from the default ciphers by PI84868 as a result of updated guidance regarding 3DES ciphers.
IBM HTTP Server does not limit the amount of data that can be transmitted over a 3DES TLS connection.
Action is required to make sure the IHS configuration has not been modified to prefer 3DES.
What do I need to do?
- Step 1: Review your IBM HTTP Server configuration files (httpd.conf) to determine if the default TLS cipher lists are being used.
  - For each SSLEnable directive, if there is no SSLCipherSpec in the same context, no action is required for Step 1 (3DES is not preferred by default and is not included in the defaults after the fixpacks containing PI84868).
  - If SSLCipherSpec is present, but not with a parameter of '3A', 'C008', 'TLS_RSA_WITH_3DES_EDE_CBC_SHA', or 'SSL_RSA_WITH_3DES_EDE_CBC_SHA', no action is required for Step 1 (3DES is not preferred).
  - If SSLCipherSpec has explicitly named one of the parameters above, then new guidance is that this statement should be removed. At a minimum, if it is not the last SSLCipherSpec in the configuration stanza, it should be moved so that it is the last SSLCipherSpec in the stanza.
- Step 2: If you want to remove 3DES entirely (now recommended by researchers, but this may break very old clients):
  - Version 7 and earlier (and z/OS prior to 184.108.40.206, 220.127.116.11, and 18.104.22.168, and 7.0.0.43)
    - Remove all instances of SSLCipherSpec from the configuration file.
    - After each configuration stanza with SSLEnable, append the following two lines:
  - Version 8 and later (excluding z/OS prior to 22.214.171.124, 126.96.36.199, and 188.8.131.52, and 7.0.0.43)
    - Remove '3A', 'C008', 'TLS_RSA_WITH_3DES_EDE_CBC_SHA', or 'SSL_RSA_WITH_3DES_EDE_CBC_SHA' from any existing SSLCipherSpec directive.
    - At the bottom of each configuration stanza with SSLEnable, append the following line:
      SSLCipherSpec ALL -SSL_RSA_WITH_3DES_EDE_CBC_SHA -TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA -TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
- Step 3: If you want to leave 3DES enabled, but enable data transfer limits on 3DES:
  - On Distributed only: Version 184.108.40.206 and later, Version 220.127.116.11 and later or Version 18.104.22.168 and later
    Append the following line to each configuration stanza with SSLEnable:
    SSLAttributeSet 463 1
    The connection will be abruptly terminated around the 32 gigabyte mark.
In IBM HTTP Server Version 8.0 and newer (PI47605 is required for the Microsoft Windows version), you can use the following commands to check which protocols and ciphers will be used for your configuration:
For non-Windows platforms: apachectl -t -DDUMP_SSL_CONFIG
For Windows platform: apache -t -DDUMP_SSL_CONFIG
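The Step 1 review can also be scripted across many httpd.conf files. The following Python is an added example, not IBM code: `audit_step1` and the sample configuration are constructed for illustration, contexts are assumed to be the global scope plus `<VirtualHost>` blocks (Include files are not followed), and a `-NAME` token is assumed to remove a cipher, as in the Step 2 line.

```python
import re

# 3DES names the page lists in Step 1 (short codes and long names).
TRIPLE_DES = {"3A", "C008", "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
              "SSL_RSA_WITH_3DES_EDE_CBC_SHA"}

def audit_step1(conf_text):
    """Return a Step 1 verdict for each context that contains SSLEnable."""
    ctx, ssl_enabled, specs = "global", set(), {}
    for raw in conf_text.splitlines():
        words = raw.split()
        if not words or words[0].startswith("#"):
            continue
        vhost = re.match(r"<VirtualHost\s+([^>]+)>", raw.strip(), re.I)
        if vhost:
            ctx = "VirtualHost " + vhost.group(1).strip()
        elif words[0].lower().startswith("</virtualhost"):
            ctx = "global"
        elif words[0].lower() == "sslenable":
            ssl_enabled.add(ctx)
        elif words[0].lower() == "sslcipherspec":
            # Assumption: "-NAME" removes a cipher, as in the page's Step 2 line.
            named = {w.lstrip("+").upper() for w in words[1:] if w[0] != "-"}
            specs.setdefault(ctx, []).append(bool(named & TRIPLE_DES))
    verdicts = {}
    for c in sorted(ssl_enabled):
        flags = specs.get(c, [])  # one flag per SSLCipherSpec, in file order
        if not any(flags):
            verdicts[c] = ("defaults in use" if not flags else "3DES not named") + ": no action"
        elif any(flags[:-1]):
            verdicts[c] = "3DES before last SSLCipherSpec: remove, or at minimum move last"
        else:
            verdicts[c] = "3DES is last SSLCipherSpec: remove per updated guidance"
    return verdicts

# Constructed sample configuration, not taken from a real server.
SAMPLE = """\
<VirtualHost *:443>
SSLEnable
SSLCipherSpec 3A
SSLCipherSpec TLS_RSA_WITH_AES_128_CBC_SHA
</VirtualHost>
<VirtualHost *:8443>
SSLEnable
</VirtualHost>
"""

if __name__ == "__main__":
    print("\n".join(f"{c}: {v}" for c, v in audit_step1(SAMPLE).items()))
```

Confirm any verdict against the -DDUMP_SSL_CONFIG output above, which reflects the configuration the server actually loads.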
03 October 2016: original document published
08 March 2017: updated step 3 to include fixpack levels
19 September 2017: clarified platform specific information
21 December 2017: updated guidance concerning 3DES ciphers
23 January 2018: updated SSLcipherspec stanza
15 June 2018