IBM Support

IHS and OpenSSL

Question & Answer


Question

How is IBM® HTTP Server (IHS) related to Open SSL?

Answer

On Apache HTTP Server, the SSL functionality is achieved using the module "mod_ssl" which is part of Open SSL. Even though the IBM HTTP Server is based on Apache, it does not use "mod_ssl" for SSL, but rather ships it's own Gskit implementation which interfaces with a module named "mod_ibm_ssl".


A vulnerabilty in OpenSSL or mod_ssl may or may not apply to IBM HTTP Server for a variety of reasons. Consult IHS recommended updates and bulletins for full details.

For any relevant security issues with IHS, users are encouraged to apply the latest IBM HTTP Server fix pack levels to ensure the web server is patched with latest security fixes.


Display of included Apache HTTP Server vulnerability fixes

The -V option of the httpd.exe command (Windows®) or the apachectl command (UNIX® and Linux®) will list the CVE ids of included vulnerability fixes in the server itself, but it will not list vulnerabilities from the GSKit TLS security library, where most OpennSSL-related vulnerabilities will be addressed.

Example:



C:\Program Files\IBM\HTTPServer\bin>apache -V
Server version: IBM_HTTP_Server/9.0.0.0-PI56034 (Win32)
Apache version: 2.4.12 (with additional fixes)
Server built:   Apr 18 2016 20:28:53
Build level:    RIHSX.IHS/webIHS1616.01
Server's Module Magic Number: 20120211:57
Server loaded:  APR 1.5.1, APR-UTIL 1.5.2
Compiled using: APR 1.5.1, APR-UTIL 1.5.2
Architecture:   32-bit
Operating System: Windows
Server MPM:     WinNT
  threaded:     yes (fixed thread count)
    forked:     no
Server compiled with....
 -D APR_HAS_SENDFILE
 -D APR_HAS_MMAP
 -D APR_HAVE_IPV6 (IPv4-mapped addresses disabled)
 -D APR_HAS_OTHER_CHILD
 -D AP_HAVE_RELIABLE_PIPED_LOGS
 -D DYNAMIC_MODULE_LIMIT=256
 -D HTTPD_ROOT="/apache"
 -D DEFAULT_PIDLOG="logs/httpd.pid"
 -D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
 -D DEFAULT_ERRORLOG="logs/error.log"
 -D AP_TYPES_CONFIG_FILE="conf/mime.types"
 -D SERVER_CONFIG_FILE="conf/httpd.conf"
Apache vulnerability fixes included:
  CVE-2009-1191  CVE-2009-1890  CVE-2009-3094  CVE-2009-3095
  CVE-2010-0434  CVE-2010-0425  CVE-2010-0408  CVE-2009-3555
  CVE-2010-1452  CVE-2010-1623  CVE-2011-3368  CVE-2011-3607
  CVE-2011-3192  CVE-2011-3348  CVE-2011-4317  CVE-2012-0021
  CVE-2012-0031  CVE-2012-0053  CVE-2012-0883  CVE-2012-2687
  CVE-2012-3502  CVE-2012-4558  CVE-2012-3499  CVE-2013-2249
  CVE-2013-1896  CVE-2013-4352  CVE-2013-6438  CVE-2014-0098
  CVE-2014-0963  CVE-2014-0231  CVE-2014-0118  CVE-2014-0226
  CVE-2014-3523  CVE-2014-0117  CVE-2013-5704  CVE-2014-8109
  CVE-2014-3581  CVE-2014-3583  CVE-2015-0253  CVE-2015-3185
  CVE-2015-3183  CVE-2015-1829  CVE-2014-8730  CVE-2015-0228
  CVE-2015-4947  CVE-2015-1283  CVE-2015-7420  CVE-2016-0201

This list does not necessarily include vulnerabilities which do not apply to IBM HTTP Server on any platform, such as mod_ssl vulnerabilities. 
It does not necessarily include vulnerabilities already fixed in the base level of Apache included in IBM HTTP Server.

[{"Product":{"code":"SSEQTJ","label":"IBM HTTP Server"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Component":"SSL","Platform":[{"code":"PF002","label":"AIX"},{"code":"PF010","label":"HP-UX"},{"code":"PF016","label":"Linux"},{"code":"PF027","label":"Solaris"},{"code":"PF033","label":"Windows"}],"Version":"9.0;8.5;8.0;7.0;6.1","Edition":"Edition Independent","Line of Business":{"code":"LOB45","label":"Automation"}}]

Document Information

Modified date:
04 December 2019

UID

swg21383959

Page Feedback