IBM Support

PI78696: SSL handshake failure between IHS/Proxy to backend IHS/Plugin

Subscribe

You can track all active APARs for this component.

 

APAR status

  • Closed as program error.

Error description

  • SSL connection failure betweeen IBM HTTP Server(IHS)/Proxy to
    backend IHS/Plugin resulting in error like:
    
    SSL0266E: Handshake Failed, Could not establish SSL
    proxy connection. GSKit error 414: GSK_ERROR_BAD_CERT
    SSL0234W:SSL Handshake Failed, The certificate sent by the peer
    has expired or is invalid.
    Certificate validation error during handshake, last
    PKIX/RFC3280 certificate validation error was
    GSKVAL_ERROR_CA_MISSING_CRITICAL_BASIC_CONSTRAINT
    

Local fix

Problem summary

  • ****************************************************************
    * USERS AFFECTED:  Users of IHS 9.0 with proxy to backend      *
    *                  IHS/Plugin                                  *
    ****************************************************************
    * PROBLEM DESCRIPTION: SSL handshake failure between           *
    *                      IHS/Proxy to backend IHS/Plugin         *
    ****************************************************************
    * RECOMMENDATION:  Apply this iFix if using IBM HTTP Server    *
    *                  with the described configuration.           *
    ****************************************************************
    Outbound SSLProxyEngine connections did not obey the default
    value of 'SSLAllowLegacyCerts ON' that was originally
    introduced in PI69979.
    

Problem conclusion

  • Updates were made to resolve this problem by respecting the
    default value of 'SSLAllowLegacyCerts ON'.
    
    This fix is targeted for IBM HTTP Server fix packs:
    - 9.0.0.4
    

Temporary fix

Comments

APAR Information

  • APAR number

    PI78696

  • Reported component name

    IBM HTTP SERVER

  • Reported component ID

    5724J0801

  • Reported release

    900

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2017-03-23

  • Closed date

    2017-05-16

  • Last modified date

    2017-05-16

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    IBM HTTP SERVER

  • Fixed component ID

    5724J0801

Applicable component levels

  • R900 PSY

       UP

[{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSEQTJ","label":"IBM HTTP Server"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"9.0","Line of Business":{"code":"LOB45","label":"Automation"}}]

Document Information

Modified date:
07 September 2022