IBM HTTP Server and Sweet32: Birthday attack (CVE-2016-2183)

In short, IBM HTTP Server supports 3DES by default but does not prefer 3DES by default.

By default, all in-service IBM HTTP Server releases use 3DES as a "last resort" cipher to be negotiated if no other ciphers are shared between client and server. This arrangement already complies with the recommendation from the security researchers behind CVE-2016-2183. 3DES is not preferred by IHS.

UPDATE: As of the following IBM HTTP Server fixpacks: 9.0.0.6, 8.5.5.13, 8.0.0.15 and 7.0.0.45, the 3DES ciphers will be removed from the default ciphers by PI84868 as a result of updated guidance regarding 3DES ciphers.

IBM HTTP Server does not limit the amount of data that can be transmitted over a 3DES TLS connection.

Action is required to make sure the IHS configuration has not been modified to prefer 3DES.

What do I need to do?

• Step 1: Review your IBM HTTP Server configuration files (httpd.conf) to determine if the default TLS cipher lists are being used.
  • For each SSLEnable directive, if there is no SSLCipherSpec in the same context, no action is required for Step 1 (3DES is not preferred by default and is not included in the defaults after the fixpacks containing PI84868)
  • If SSLCipherSpec is present, but not with a parameter of '3A', 'C008', 'TLS_RSA_WITH_3DES_EDE_CBC_SHA', or 'SSL_RSA_WITH_3DES_EDE_CBC_SHA', no action is required for Step 1 (3DES is not preferred).
  • If SSLCipherSpec has explicitly named one of the parameters above, then new guidance is that this statement should be removed. At a minimum, if it is not the last SSLCipherSpec in the configuration stanza, it should be moved so that it is is the last SSLCipherSpec in the stanza.

• Step 2: If you want to remove 3DES entirely (now recommended by researchers, but this may break very old clients)
  • Version 7 and earlier (and z/OS prior to 9.0.0.3, 8.5.5.12, and 8.0.0.14, and 7,0,0.43)
    • Remove all instances of SSLCipherSpec from the configuration file.
    • After each configurations stanza with SSLEnable, append the following two lines:
      • SSLCipherSpec TLS_RSA_WITH_AES_256_CBC_SHA
        SSLCipherSpec TLS_RSA_WITH_AES_128_CBC_SHA
  • Version 8 and later (excluding z/OS prior to 9.0.0.3, 8.5.5.12, and 8.0.0.14, and 7,0,0.43)
    • Remove '3A', 'C008', 'TLS_RSA_WITH_3DES_EDE_CBC_SHA', or 'SSL_RSA_WITH_3DES_EDE_CBC_SHA' from any existing SSLCipherSpec directive.
    • At the bottom of each configuration stanza with SSLEnable, append the following line:
      • SSLCipherSpec ALL -SSL_RSA_WITH_3DES_EDE_CBC_SHA -TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA -TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA

• Step 3: If you want to leave 3DES enabled, but enable data transfer limits on 3DES:

  Append the following line to each configuration stanza with SSLEnable:

  • On Distributed only: Version 8.0.0.4 and later, Version 8.5.0.1 and later or Version 9.0.0.0 and later
    • SSLAttributeSet 463 1
    • The connection will be abruptly terminated around the 32 gigabyte mark.

In IBM HTTP Server Version 8.0 and newer PI47605 is required for the Microsoft Windows version, you can use the following commands to check what protocols and ciphers will be used for your configuration:

For non-Windows platforms: apachectl -t -DDUMP_SSL_CONFIG

For Windows platform: apache -t -DDUMP_SSL_CONFIG

Change History:

03 October 2016: original document published

08 March 2017: updated step 3 to include fixpack levels

19 September 2017: clarified platform specific information

21 December 2017: updated guidance concerning 3DES ciphers

23 January 2018: updated SSLcipherspec stanza

14 July 2021: Formatting and emphasize V7 vs. V8 options