I was asked about this earlier today.
IBM HTTP Server (IHS), being based upon Apache, can do most of what Apache itself can do.
This means that HTTP Strict Transport Security (HSTS) *can* be enabled in IHS: it is just a response header set by mod_headers on the SSL-enabled virtual host. Two things to keep in mind before copying the configuration below: a browser only remembers an HSTS policy that it received over a TLS connection whose certificate it could validate, and the policy is keyed on the host name, not the port, so a policy learned on port 8443 applies to every port on that host.
I followed this blog post: -
and I can see the header being set: -
This is what I did in httpd.conf : -
Disabled HTTP (note that with no plain HTTP listener there is nothing to redirect http:// requests to https://; the browser only upgrades them itself once it has seen the HSTS header over HTTPS)
#Listen 8080
Enabled SSL and enforced TLS 1.2
LoadModule ibm_ssl_module modules/mod_ibm_ssl.so
Listen 8443
<VirtualHost *:8443>
SSLProtocolEnable TLSv12
SSLProtocolDisable SSLv2 SSLv3 TLSv10 TLSv11
SSLEnable
</VirtualHost>
KeyFile /opt/ibm/HTTPServer/ODM/ssl/keystore.kdb
SSLDisable
Added in mod_headers
LoadModule headers_module modules/mod_headers.so
Added in the appropriate HSTS header - using two years as an example expiration period ( 2 * 365 days * 24 hours * 60 minutes * 60 seconds = 63072000 ). Directive names are case-insensitive, so "includeSubdomains" is accepted as the RFC 6797 "includeSubDomains" directive, and the trailing semicolon is harmless; bear in mind that includeSubDomains really does apply the policy to every subdomain of the host.
Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains;"
giving me this: -
LoadModule headers_module modules/mod_headers.so
LoadModule ibm_ssl_module modules/mod_ibm_ssl.so
Listen 8443
<VirtualHost *:8443>
Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains;"
SSLProtocolEnable TLSv12
SSLProtocolDisable SSLv2 SSLv3 TLSv10 TLSv11
SSLEnable
</VirtualHost>
KeyFile /opt/ibm/HTTPServer/ODM/ssl/keystore.kdb
SSLDisable
with the configuration being validated using wget ( --no-check-certificate is needed here only because this test box has a self-signed certificate; this confirms that the header is sent, but a browser would not store the policy until the server presents a certificate it trusts ) : -
wget --no-check-certificate https://odm.uk.ibm.com:8443/index.html --server-response
--2017-08-23 10:48:31-- https://odm.uk.ibm.com:8443/index.html
Resolving odm.uk.ibm.com (odm.uk.ibm.com)... fe80::20c:29ff:fe9a:9e56, 192.168.153.133
Connecting to odm.uk.ibm.com (odm.uk.ibm.com)|fe80::20c:29ff:fe9a:9e56|:8443... connected.
WARNING: cannot verify odm.uk.ibm.com's certificate, issued by '/CN=odm.uk.ibm.com':
Self-signed certificate encountered.
HTTP request sent, awaiting response...
HTTP/1.1 200 OK
Date: Wed, 23 Aug 2017 09:48:31 GMT
Strict-Transport-Security: max-age=63072000; includeSubdomains;
Last-Modified: Mon, 31 Oct 2016 10:10:36 GMT
ETag: "da5-540266b425f00"
Accept-Ranges: bytes
Content-Length: 3493
Keep-Alive: timeout=10, max=100
Connection: Keep-Alive
Content-Type: text/html
Length: 3493 (3.4K) [text/html]
Saving to: 'index.html'
100%[================================================================================================================================================================>] 3,493 --.-K/s in 0s
2017-08-23 10:48:31 (357 MB/s) - 'index.html' saved [3493/3493]
and apachectl, whose -DDUMP_SSL_CONFIG option prints the effective SSL configuration ( note in the output below that the TLS 1.2 cipher list is still the IHS default, which includes 3DES and only RSA key exchange; it can be trimmed with SSLCipherSpec if that matters for you ) : -
/opt/ibm/HTTPServer/bin/apachectl -DDUMP_SSL_CONFIG -f /opt/ibm/HTTPServer/ODM/conf/httpd.conf
SSL configuration:
Default server
Server name: odm.uk.ibm.com:8080
SSL enabled: NO
SSL server defined at: /opt/ibm/HTTPServer/ODM/conf/httpd.conf:852
Server name: odm.uk.ibm.com:8443
SSL enabled: YES
FIPS enabled: 0
Keyfile: /opt/ibm/HTTPServer/ODM/ssl/keystore.kdb
Protocols enabled: TLSv12
Ciphers for SSLV2: (protocol disabled)
Ciphers for SSLV3: (protocol disabled)
Ciphers for TLSv10: (protocol disabled)
Ciphers for TLSv11: (protocol disabled)
Ciphers for TLSv12: (defaults) TLS_RSA_WITH_AES_128_GCM_SHA256(9C),TLS_RSA_WITH_AES_256_GCM_SHA384(9D),TLS_RSA_WITH_AES_128_CBC_SHA256(3C),TLS_RSA_WITH_AES_256_CBC_SHA256(3D),TLS_RSA_WITH_AES_128_CBC_SHA(2F),TLS_RSA_WITH_AES_256_CBC_SHA(35b),SSL_RSA_WITH_3DES_EDE_CBC_SHA(3A)
Syntax OK
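wget shows the raw header but does not tell you whether a browser would accept it. The following is an added example (not part of the original post and not IBM's code) that reads a Strict-Transport-Security value the way RFC 6797 says a client should - case-insensitive directive names, stray semicolons ignored, duplicated directives rejected - and flags the policy problems a reviewer looks for. The two-year threshold is an assumed local policy; probe_hsts() is an optional live check against a host:port and is the only part that touches the network.

```python
"""Check a Strict-Transport-Security header the way a browser reads it (RFC 6797).

Added example, not part of the original post. parse_hsts() and evaluate_hsts()
work offline on a header string; probe_hsts() is an optional live check.
"""
import http.client
import ssl

TWO_YEARS = 2 * 365 * 24 * 60 * 60  # 63072000, the value used in the post (assumed policy minimum)


def parse_hsts(value):
    """Parse the directives of a Strict-Transport-Security header value.

    Directive names are case-insensitive, so 'includeSubdomains' (as in the
    post) and 'includeSubDomains' (RFC 6797 spelling) are the same directive.
    Empty tokens left by a trailing ';' are skipped, as a browser does.
    Returns a dict mapping lower-cased directive name -> value (or None).
    """
    directives = {}
    for token in value.split(";"):
        token = token.strip()
        if not token:
            continue
        name, sep, val = token.partition("=")
        name = name.strip().lower()
        val = val.strip().strip('"') if sep else None
        if name in directives:
            # RFC 6797 section 6.1: a directive must not appear more than once;
            # a client treats the whole header as invalid if one does.
            raise ValueError("duplicate HSTS directive: %s" % name)
        directives[name] = val
    return directives


def evaluate_hsts(value, min_age=TWO_YEARS):
    """Return a list of findings; an empty list means the policy looks good."""
    try:
        d = parse_hsts(value)
    except ValueError as e:
        return [str(e)]
    findings = []
    max_age = d.get("max-age")
    if max_age is None or not max_age.isdigit():
        findings.append("max-age missing or not a number (header is invalid)")
    else:
        age = int(max_age)
        if age == 0:
            findings.append("max-age=0 tells clients to forget the policy")
        elif age < min_age:
            findings.append("max-age %d is below the %d-second minimum" % (age, min_age))
    if "includesubdomains" not in d:
        findings.append("includeSubDomains not set; subdomains stay unprotected")
    return findings


def probe_hsts(host, port=8443, path="/index.html", verify=True):
    """Fetch path over TLS 1.2+ and return (status, hsts_header_or_None).

    verify=False mirrors wget --no-check-certificate for a lab box with a
    self-signed certificate; a real browser will not remember an HSTS policy
    received over a connection whose certificate it cannot validate.
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # matches SSLProtocolEnable TLSv12
    if not verify:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    conn = http.client.HTTPSConnection(host, port, context=ctx, timeout=10)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        return resp.status, resp.getheader("Strict-Transport-Security")
    finally:
        conn.close()


if __name__ == "__main__":
    # Offline check against the exact header value the wget output above shows.
    header = "max-age=63072000; includeSubdomains;"
    print(parse_hsts(header))
    print(evaluate_hsts(header) or "OK")
    # Live check against your own server (host and port are assumptions):
    # print(probe_hsts("odm.uk.ibm.com", 8443, verify=False))
```

Run it as-is to see the post's header pass, then point probe_hsts() at your own IHS instance; once a trusted certificate is installed, drop verify=False so the check also fails when the certificate would stop a browser from storing the policy.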
Hope this helps.