Protocol and Cipher changes in IIB and WMB
Protocol and Cipher changes in IIB and WMB are mentioned in below link for reference. SSL and various Ciphers are disabled in Websphere Message broker and IBM Integration Bus due to multiple security vulnerabilities.
While I was working on one of the security concern raised by customer, I got to see lot of links in IBM support portal stating about Security vulnerabilities and also change in SSL protocol configuration in v9.0.0.6.
IBM Technote link: http://www-01.ibm.com/support/docview.wss?rs=849&uid=swg27047062
Below are the changes for Protocol and Ciphers as stated in the technote,
1. SSLv3
SSLv3 is disabled by default for all inbound and outbound connections, apart from ODBC database access, because SSLv3 is no longer considered secure due to the POODLE vulnerability.
2. RC4 Cipher Suites
The affected RC4 cipher suites were not enabled by default for inbound and outbound secure connections, apart from ODBC database access. Users will only be affected by this change if they have explicitly configured an allowed cipher list which includes one of the affected ciphers sites which are now disabled.
3. Diffie-Hellman (DH)
All DH and DHE cipher suites apart from ECDH and ECDHE ones are effected by this change. If a client or server used for inbound or outbound connections attempts to use a keysize of less than 768 bits then the connection will terminate. Users are recommended to update all remote clients or servers to use keysizes greater than 768 bits.
4. SLOTH
As a result of the SLOTH vulnerability the cryptographic hash algorithm MD5 is no longer considered secure and it is disabled by default for all uses apart from ODBC database access. Any certificate that is signed with MD5 and any cipher suite used during TLS handshaking which tries to use MD5withRSA is not accepted.
Below table for reference that contain details about the versions where the changes are made (or disabled).
I will be writing another blog entry on how the SSLv3 can be updated in IBM Integration Bus v9.