IBM Support

Enable TLSOnly to avoid the POODLE attack in WebSphere EDGE Caching proxy Version 7.

Question & Answer


Question

What are the directives introduced to enable only TLS without enabling SSLV3 in caching proxy OR how to change the configuration to block the POODLE attack.

Cause

Earlier, CP did not have provision to enable just TLS without enabling SSLV3.

Answer

Details about the 7.0.0.15 fix which is the complete fix for POODLE vulnerability

List of directives introduced with their default values.

1. TLSOnly - Values can be set to On or Off. Default is on.
2. TLSCBCPadding - Values can be set to On or Off. Default is on.

Steps to enable the fix.
1. This fix would work only if the customer has a GSKit version of 7.0.4.45 or above.
2. Add the following directives in the config file "SSLEnable on", "TLSOnly on", "TLSCBCPadding on", "TLSV1Enable on". By default the TLSOnly and TLSCBCPadding are set to on. Hence if the customer intends to enable SSLV2 or SSLV3 along with TLSV10, the customer will have to set "TLSOnly off" and specify the "SSLVersion" directive (which is set to all by default).
3. The customer will have to specifically define a value for V3CipherSpecs directive without which the proxy might fail to start. This is because, when SSLV3 is used, V3CipherSpecs will be set to a default value based on the location (US or outside) by the GSKit. Since SSLV3 and TLSV10 use same cipher specs, this value will not be loaded by GSKit when SSLV3 is disabled (In case of "TLSOnly ON"). Hence there needs to be a value specified for V3CipherSpecs for TLSV10 to use when TLSOnly is set to on (which is the default case).
4. By default TLSCBCPadding is set to on and this helps in handling the extension of POODLE vulnerability (CVE-2014-8730). The suggested value for this is on as well.

Please note that caching proxy version 7 uses GSKit 7 which has support only for TLSV10. Hence there is no provision to specify or allow TLSV11 and TLSV12 in CP version7. This is allowed only in V8 and above versions of caching proxy as it uses GSKit8 which has the support for the entire range of TLS.

[{"Product":{"code":"SSEQTP","label":"WebSphere Application Server"},"Business Unit":{"code":"BU053","label":"Cloud & Data Platform"},"Component":"Edge Component","Platform":[{"code":"PF002","label":"AIX"},{"code":"PF010","label":"HP-UX"},{"code":"PF016","label":"Linux"},{"code":"PF027","label":"Solaris"},{"code":"PF033","label":"Windows"}],"Version":"7.0","Edition":"","Line of Business":{"code":"LOB15","label":"Integration"}}]

Document Information

Modified date:
15 June 2018

UID

swg21693757