We have a web server (IBM HTTP Server 6.1) connected using HTTPS (using SSL certificates - SSLv3) to an application server (IBM WebSphere Application Server 6.1), the application that is hosted on the app server is not upgradable, so we cannot update WebSphere on both layers to later versions.
I'm trying to enable TLS instead of SSLv3, the steps I followed:
- On the web server's http.conf file, SSLv2 and SSLv3 and their cipher suites directives were removed, and TLS cipher suites were added (2F, 35b).
- On the app server, QoP were changed to TLS (also tried TLSv1) instead of SSL_TLS, removed RC4 cipher suites by creating a customer list.
When opening the website URL from browser, Internal Server Error appears (means that the web is unable to communicate with the app server). When selecting the SSL_TLS again in the app server's QoP settings (keeping the SSLv2 and 3 disabled on the web server level), the website opens properly!
Is it possible the application is not compatible with TLS, pls advise?
Thank you.
The WAS Plugin tries TLS1.0 by default in 6.1.0.31 and later. To debug whatever's going on with your system, you'll have to actually watch the handshake in a packet capture and that will tell you which side to focus on.
Running 6.1 is ill advised, but running 6.1 without the latest maintenance is borderline negligent.