POODLE in the repeat

POODLE in the repeat

Lately we have heard a lot of POODLE I have already blogged about it twice here and here at ibmconnections.com. But there is much more to tell about it so that the reason I am creating this article.

Nowadays when we talk about POODLE we have to specify which one (to make things easier 🙂 ). Nowadays we have POODLE SSLv3 and POODLE TLS. The one we call POODLE SSLv3 bites IBM Connections the most but POODLE TLS is easier to exploit. So for environments which are connected to the internet I advise you to be sure that both variants of POODLE are not exploitable at your implementation.

I will try to describe both variants in detail and how it/they can be solved. Lets first start with POODLE SSL v3

POODLE SSLv3

The news about this first POODLE exploit was brought to the world as a major problem while in fact the problem wasn’t that big if you ask me. The problem itself was there where still site’s out there who did support SSLv3. SSLv3 has shown in the past that it isn’t sufficient anymore as a secure protocol. I will try to describe why I think it wasn’t really such big news as it was brought by all news agencies. Normally when a clients connect to a server the clients tells the server the highest secure protocol it supports (this is what is generally is called  the ClientHello package). Within this ClientHello package the clients also send also all cipher suites (these cipher suites are the real data encryption packages) it supports for that version of SSL/TLS. The server then responds with 3 things ServerHello and Certificate and ServerHelloDone messages. Within the ServerHello message the server will send the protocol it is gonna use. This is decided on the protocol version send in the ClientHello message and the highest version the server supports. So for the real world (which is kind of dependent on browser behavior and version) this means in general that TLS1.2 is used. But with the POODLE SSLv3 bug if both parties supported SSLv3 it was possible by the attacking code to force the connection down from TLS1.2 to SSLv3 (with all the intermediate protocols because you can always fall back only one version at a time). So when this happens a user would still see it has a secure connection but it is over SSLv3 (and not the most sucre possible way between server and client as they bot did support TLSv1.2). The cipher suites used in SSLv3 are all general seen as insecure (only RC4 seems to be the most secure one) and fairly easy to decrypt unintentionally. So as you can see POODLE SSLv3 wasn’t the real problem if you ask me ! but that the server (and or client) still supported SSLv3 was the real problem :-). I added a screenshot to show how that traffic flows between the client and the server so you have and idea what happens on the network to build a SSL/TLS connection.

dFU6e

With IBM Connections we always had to enable the HTTP server with SSLv3 because the code within IBM Connections was still making use of SSLv3 calls to itself. The reason for that is that in the code they made use for example with code like this SSLContext.getInstance(“SSL”). Within the IBM JDK JSSE interface this SSL Keyword translated to make use of SSLv3. This was basically a combination of 2 problems , one that they still used a bit of outdated code within IBM Connections binaries , and also of the JSSE implementation in the IBM JDK that the keyword SSL still translated to make use of SSLv3. As said and stated by me, SSLV3 shouldn’t be used already for many years if you ask me 🙂

Well for IBM Connections we have a solution now (luckily) I will talk about that a bit later in the article.

POODLE TLS

The original attacking method of POODLE was made so that they made use of the padding bytes. Within SSLv3 nobody (wel thats a assumption) did a check on those padding bytes. Within the TLS specification it is specified to check on those padding bytes but most of the implementations out there didn’t do that (which makes the officially incompatible with the TLS’s RFC’s but okay 🙂 ) . So that makes TLS connections which make use of CBC cipher’s also vulnerable when they don’t check those padding bytes (and the funny thing about this is that most of the devs creating these encrypting/decrypting libararies still used the old functions/implementations within their code base which didn’t check those padding bytes). The IBM HTTP Server (IHS) which makes use of gskit for the data encrypting/decrypting part functionality of the SSL/TLS implementation where the rest of the world makes use of OpenSSL. So in the case of the IBM World we need to make sure if the CBC encrypting/decrypting routine checks on those padding bytes. Well I can tell you that older version of those gskit didn’t do that and are vulnerable to those POODLE on TLS attacks also.

But also for that there is a solution where I talk about a bit later in this article.

Solution POODLE SSLv3

Well as explained above there are 2 ways how this could have been solved. IBM did choose to fix it on the IBM JDK side instead of the original problem, the code itself. To solve it on the IBM JDK side we have to install a Interim Fix on top of WebSphere which updates the IBM JDK so that the SSL Keyword doesn’t force a SSLv3 connection anymore but a TLS connection. For the different IBM Connections version I will list the Interim Fixes needed.

For IBM Connections 3.0.1 and 3.0.1.1 and 4 you have to apply iFix PI28934
For IBM Connections 4.5 you have to apply PI29575
For IBM Connections 5.0 you have to apply PI28920 or PI28437

The strange thing is that for IBM Connections 5 (which is running on WebSphere 8.5.5.x) we have 2 iFixes available. Personally I have tried to use PI28920 and couldn’t get that iFix to work but I got some reaction from IBM Connections community (for instance from Klaus Bild) that they where able to use to iFix to get SSLv3 switched off. I personally have used PI28437 several times now with success. PI28437 (SDK6 (J9 2.6) SR8 FP1) also installs a newer version of the JAVA SDK then the PI28920 (SDK6 (J9 2.6) SR7 FP1) so my advice is to make use of the PI28437 iFix instead of the PI28920

After you have installed this iFix you can safely disable SSLv3 on your IHS (IBM HTTP Server). This can be done with the SSLProtocolDisable SSLv3 in your vHost configuration part of the config file(default httpd.conf) for your IHS.

Solution POODLE TLS

As described above also the gskit implementation has some problems regarding the checking of the padding bytes. To tell the gskit implementation that we want a strict checking on those padding bytes we have to add the following setting
SSLAttributeSet 471 1 to the config file (default httpd.conf) to all VHOST sections which have SSLEnable in them. This setting can only be applied to the following IHS versions.

  • 7.0.0.33 or later
  • 8.0.0.9 or later
  • 8.5.5.2 or later

For other release version which can not be upgraded, for whatever reason, to the above specified versions you can install any of the following iFixes as what I understood from this technote to make use of this SSLAttributeSet 471 1 setting.

  • PI17025
  • PI05309
  • PI08502
  • PI09443
  • PI13422
  • PI19700
  • PI26894

So I hope this makes everthing a bit more clear in the POODLE jungle out there 🙂

If you have any addition to this story please let me know so I will update the article.

Greenhouse now running IBM Connections 5.0

This was a pleasant surprise this morning:

Greenhouse at Connections 5.0

Yes, the IBM Greenhouse has been upgraded to IBM Connections 5.0.0.0.

New features including External Collaboration (which isn’t strictly relevant to the Greenhouse), improvements to Files and file-sync (using the new mobile apps and desktop plugins), plus significant significant enhancements to the activity stream and @mentions should all now be visible on the community test/demo platform.

Check it out!

PS. As the Greenhouse was already running the NextGen theme there aren’t too many changes visually…

PPS. The Greenhouse has over 100,000 members… Pretty amazing:

IBM Greenhouse members

IBM Connections 5.0 has shipped! Here’s what you need to download…

connections_bulletAs promised by Luis Benitez at Social Connections VI in Prague, IBM Connections 5.0 shipped on Thursday 26th June 2014.  Congratulations to all the team for getting it out of the door on schedule!

On that day, it became available for download from Passport Advantage (for customers with an entitlement to install it, plus current maintenance) and Partnerworld (for partners that have purchased either the Value Package or Software Access Option).  Through trial and error on Partnerworld, the best search string I’ve found is “ibm connections v5.0”. This gets  matched to “IBM Connections V5.0 for IBM Connections Suite V5.0 Multiplatform Multilingual eAssembly” – however, cancel that and just let the search operate on the string you’ve added.  These are the eAssemblies that come back:

IBM Connections 5.0 eAssemblies

(If you are searching through Passport Advantage, you will only see the eAssemblies you are entitled to download).

In most situations you will need:

IBM Connections V5.0 Multiplatform Multilingual eAssembly (CRS4IML)

IBM Connections 5.0 eAssembly

This includes the following images:

IBM Connections V5.0 Quick Start Guide for AIX, Windows, Linux, IBMi Multilingual (CIYQ4ML) – 1Mb
IBM Connections V5.0 for Windows Multilingual (CIYQ5ML) – 1,495Mb
IBM Connections V5.0 for AIX Multilingual (CIYQ6ML) – 1,613Mb
IBM Connections V5.0 for Linux Multilingual (CIYQ7ML) – 1,576Mb
IBM Connections V5.0 Linux for System z Multilingual (CIYQ8ML) – 1,520Mb
IBM Connections V5.0 Wizard for Windows Multilingual (CIYQ9ML) – 338Mb
IBM Connections V5.0 Wizard for Linux, AIX Multilingual (CIYR0ML) – 560Mb
IBM Connections V5.0 Cognos Wizard for Windows Multilingual (CIYR3ML) – 1,579Mb
IBM Connections V5.0 Cognos Wizard for AIX Multilingual (CIYR4ML) – 1,200Mb
IBM Connections V5.0 Cognos Wizard for Linux Multilingual (CIYR6ML) – 1,039Mb
IBM Connections V5.0 Cognos Wizard for System z Multilingual (CIYR5ML) – 951Mb

As usual with IBM Connections downloads, this eAssembly contains the bare minimum of downloads for each server type – though as you can see, the “bare minimum” is 3.3GB+ for Windows for example!

To be able to install IBM Connections 5.0, you’ll also need these elements as discussed in the System Requirements document:

Sadly there is no eAssembly that contains all of these component parts (at least on Partnerworld) for those that are solely licensed for Connections (and not Connections Suite or Domino for example) so you’ll need to seek them out individually. For the two most common platforms (Windows and Linux 64), here are the part numbers:

Windows 64-bit:

IBM DB2 Enterprise Server Edition V10.1 for Windows on AMD64 and EM64T systems (x64) Multilingual (CI6WEML) – 933Mb (if using DB2)
IBM DB2 10.1 Enterprise Server Edition – Restricted Use Quick Start and Activation Multiplatform Multilingual (CI71NML)– 2Mb (ditto)
IBM WebSphere Application Server Network Deployment V8.5.5 (1 of 3) for Multiplatform Multilingual (CIK2HML) – 1,005Mb
IBM WebSphere Application Server Network Deployment V8.5.5 (2 of 3) for Multiplatform Multilingual (CIK2IML) – 975Mb
IBM WebSphere Application Server Network Deployment V8.5.5 (3 of 3) for Multiplatform Multilingual (CIK2JML) – 860Mb
IBM WebSphere Application Server Network Deployment V8.5.5-Liberty Profile Multiplatform, Multilingual (CIMU2ML) – 107Mb
IBM WebSphere Application Server V8.5.5 Supplements (1 of 3) for Multiplatform Multilingual (CIK1VML) – 931Mb
IBM WebSphere Application Server V8.5.5 Supplements (2 of 3) for Multiplatform Multilingual (CIK1WML) – 1,007Mb
IBM WebSphere Application Server V8.5.5 Supplements (3 of 3) for Multiplatform Multilingual (CIK1XML) – 952Mb
IBM Tivoli Directory Integrator Identity Edition V7.1 for Windows x86-64, Multilingual (CZ9MKML) – 521Mb

Linux 64-bit:

IBM DB2 Enterprise Server Edition V10.1 for Linux on AMD64 and Intel® EM64T systems (x64) Multilingual (CI6W6ML) – 1,188Mb (if using DB2)
IBM DB2 10.1 Enterprise Server Edition – Restricted Use Quick Start and Activation Multiplatform Multilingual (CI71NML)– 2Mb (ditto)
IBM WebSphere Application Server Network Deployment V8.5.5 (1 of 3) for Multiplatform Multilingual (CIK2HML) 
– 1,005Mb
IBM WebSphere Application Server Network Deployment V8.5.5 (2 of 3) for Multiplatform Multilingual (CIK2IML) – 975Mb
IBM WebSphere Application Server Network Deployment V8.5.5 (3 of 3) for Multiplatform Multilingual (CIK2JML) – 860Mb
IBM WebSphere Application Server Network Deployment V8.5.5-Liberty Profile Multiplatform, Multilingual (CIMU2ML) – 107Mb
IBM WebSphere Application Server V8.5.5 Supplements (1 of 3) for Multiplatform Multilingual (CIK1VML) – 931Mb
IBM WebSphere Application Server V8.5.5 Supplements (2 of 3) for Multiplatform Multilingual (CIK1WML) – 1,007Mb
IBM WebSphere Application Server V8.5.5 Supplements (3 of 3) for Multiplatform Multilingual (CIK1XML) – 952Mb
IBM Tivoli Directory Integrator Identity Edition V7.1.1 for Linux – x86-64, Multilingual (CZUF3ML) – 554Mb

Depending on your installation infrastructure, you may also need downloads for:

IBM Forms Experience Builder v8.5.0.1 (various)
EditLive! v5.0 for Connections Multiplatform Multilingual (CIZP3ML) – 15Mb
IBM Data Server Client V10.1 (various)
IBM Data Server Runtime Client V10.1 (various)
IBM DB2 Support Files for SSL Functionality V10.1 (various)
IBM Tivoli Directory Server 6.3 (various)
IBM DMZ Secure Proxy Server (1 of 2) (WebSphere Application Server Network Deployment V8.5.5) Multiplatform Multilingual (CIK2LML) – 888Mb
IBM DMZ Secure Proxy Server (2 of 2) (WebSphere Application Server Network Deployment V8.5.5) Multiplatform Multilingual (CIK2MML) – 818Mb
IBM WebSphere Edge Components: Load Balancer for IPv4 and IPv6 (for WebSphere Application Server Network Deployment V8.5.5) Multiplatform Multilingual (CIK2NML) – 1,559Mb
IBM Cognos Business Intelligence  (various)

As a tip, if you do have other entitlements in Passport Advantage or else have access to the entire Partnerworld Software Access catalog, then searching for the ‘IBM Connections V5.0 for Notes and Domino V9.0.1 Multiplatform Multilingual eAssembly (CRSU5ML)‘ eAssembly is probably your best bet as this contains 57 images including all of the key elements I’ve listed above:

IBM Connections 5.0 for Domino eAssembly

Once you’ve selected the images you need, kick off the download.  My advice is always to download directly to one of the servers you’ll be installing onto if possible, particularly if they are remote to your location.

It’s important to note that this is not the entire list of software you’ll need.  I haven’t covered mandatory fixes for the components listed above (e.g. WebSphere Application Server 8.5.5.1 or Tivoli Directory Integrator 7.1.1) or fixes for Connections itself.  I’ll be posting details of these later today.

[Also, please note that IBM Connections for IBM i is not currently available for download.  Speaking to Luis, it is ‘in the works’ :-)]

If you’re in the process of downloading and installing Connections 5.0, please do leave a comment letting us know how you’re getting on – particularly if there are any packages that I’ve missed!

IBM Connections 5.0 documentation now online

With the upgrade to Connections 5.0, IBM has switched from the Wiki style of documentation repository to the ‘Knowledge Center’, which is a much improved form of the old Infocenter format.

IBM Knowledge Center

I really like this shift – whilst it was initially great to be able to update the Wiki form of the documentation in-place, after a time very few people did this, and they were very tricky to search and navigate. The new Knowledge Center seems a much more accessible and searchable solution.

So if you’re looking to upgrade to IBM Connections 5.0, here’s the documentation you need!