APAR status
Closed as program error.
Error description
Cannot configure IHS response to unknown revocation status via OCSP.
Local fix
Not Available
Problem summary
USERS AFFECTED: Users of IBM HTTP Server with SSL client authentication configured along with OCSP or CRL certificate revocation checking ('crl' parameter to SSLClientAuth, SSLOCSPEnable, or SSLOCSPResponderUrl).

PROBLEM DESCRIPTION: When the GSKit security library is configured to perform certificate revocation checking and it is unable to do so, based on e.g. a communications error or an out-of-date response, it permits the SSL handshake to complete and records the unknown revocation status. IHS is not able to take any action based on that unknown revocation status.

RECOMMENDATION: If client auth and certificate revocation checking are enabled, and custom behavior in response to an unknown revocation status is desired, apply this fix.

N/A to z/OS, where only CRL is supported and CRL connection errors are fatal.
Problem conclusion
A directive has been added to IHS: SSLUnknownRevocationStatus

Specifies how IBM HTTP Server will react when the revocation status (via CRL or OCSP) cannot be reliably determined.

Syntax:  SSLUnknownRevocationStatus ignore | log | log_always | deny
Scope:   Virtual host
Default: ignore
Module:  mod_ibm_ssl

ignore     : A debug-level message is issued when a handshake completes with unknown revocation status, but it is not re-issued when the SSL session is resumed.
log        : Same as above, but logged at NOTICE level.
log_always : Same as above, but the session is marked as non-resumable. Subsequent handshakes will report the same message.
deny       : Same as above, but the SSL connection is immediately closed. Subsequent handshakes behave the same.

The values "log_always" and "deny" are highly discouraged due to the overhead of performing full SSL handshakes on subsequent connections. The value "deny" is highly discouraged as any transient error contacting the certificate authorities will cause SSL clients to be unable to access IBM HTTP Server. This includes revocation data not being updated in a timely fashion, as these protocols contain a built-in expiration time.

Whenever a message is logged for SSLUnknownRevocationStatus, the SSL environment variable "SSL_UNKNOWNREVOCATION_SUBJECT" is set. This variable can be logged with the syntax %{SSL_UNKNOWNREVOCATION_SUBJECT}e or used in mod_rewrite expressions with %{ENV:SSL_UNKNOWNREVOCATION_SUBJECT} when SSLUnknownRevocationStatus has any value other than deny.

This fix is targeted for IHS fixpacks:
- 6.0.2.39
- 6.1.0.29
- 7.0.0.7
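As an added illustration, not part of the APAR text, the following mod_ibm_ssl virtual host enables client authentication with CRL and OCSP checking, takes the "log" setting of the new directive so that an OCSP or CRL outage does not lock clients out, and records the affected certificate subject through the SSL_UNKNOWNREVOCATION_SUBJECT variable. The host name, ports, key database path, log path and the rewrite target are placeholders; the Keyfile directive is assumed to be the one used for the IHS key database.

```apache
# Added example (not from the APAR): log, but do not block, connections whose
# client-certificate revocation status could not be determined.
# Hostname, ports and file paths are placeholders.
LoadModule ibm_ssl_module modules/mod_ibm_ssl.so

Listen 443
<VirtualHost *:443>
    ServerName www.example.com
    SSLEnable
    # Key database path is a placeholder (assumed IHS Keyfile directive).
    Keyfile /opt/IBM/HTTPServer/ssl/key.kdb

    # Require a client certificate and check its status against CRLs and OCSP
    # (the 'crl' parameter and SSLOCSPEnable named in the APAR).
    SSLClientAuth required crl
    SSLOCSPEnable on

    # Emit a NOTICE-level message when the status cannot be determined; the
    # handshake still completes. 'deny' would turn any transient responder
    # error or stale revocation data into a client-side connection failure.
    SSLUnknownRevocationStatus log

    # Record the subject of the unverifiable certificate on each request so the
    # events can be correlated with the error log; the field is "-" when the
    # variable is unset (revocation status was determined normally).
    LogFormat "%h %l %u %t \"%r\" %>s %b unknown_revocation=\"%{SSL_UNKNOWNREVOCATION_SUBJECT}e\"" revocation
    CustomLog logs/ssl_revocation_log revocation

    # Optional: steer such sessions away from sensitive paths to an explanatory
    # page instead of closing the connection (mod_rewrite must be loaded).
    RewriteEngine on
    RewriteCond %{ENV:SSL_UNKNOWNREVOCATION_SUBJECT} !^$
    RewriteRule ^/account/ /revocation-unknown.html [R=302,L]
</VirtualHost>
```

Because the variable is only set when a message is logged, the rewrite has no effect under the default "ignore" setting unless debug logging is enabled, and it cannot be used at all with "deny".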
Temporary fix
Comments
APAR Information
APAR number
PK93106
Reported component name
IBM HTTP SERVER
Reported component ID
5724J0801
Reported release
60W
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2009-08-04
Closed date
2009-09-15
Last modified date
2009-09-15
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Modules/Macros
MOD_IBM_SSL
Fix information
Fixed component name
IBM HTTP SERVER
Fixed component ID
5724J0801
Applicable component levels
R60A PSN
UP
R60H PSN
UP
R60P PSN
UP
R60I PSN
UP
R60S PSN
UP
R60W PSN
UP
R60Z PSN
UP
R61A PSN
UP
R61H PSN
UP
R61P PSN
UP
R61I PSN
UP
R61S PSN
UP
R61W PSN
UP
R61Z PSN
UP
R700 PSN
UP
Document Information
Modified date:
07 September 2022