YannickBergeron

IHS 8 powered by Apache 2.2.x ?

2011-12-15T20:51:09Z
Hi,

I'm trying to find this information: On which Apache version is IHS 8 based?
We want to use Name-Based Virtual Hosts with SSL and we've found that it's not easily possible until Apache 2.2.12.
IHS 7 being powered by Apache 2.2.8, one of the only ways to do it is by adding multiple network interfaces to the system.
IHS 8 might be able to do it more easily if it's based on Apache 2.2.12 or more recent.

Best regards,
Updated on 2011-12-16T20:58:21Z by YannickBergeron
  • SystemAdmin

    Re: IHS 8 powered by Apache 2.2.x ?

    ‏2011-12-16T01:23:26Z  
    For SSL it doesn't matter, since IHS does not use mod_ssl.

    IHS does not support SNI or any other way to use multiple certificates with a single IP/port combination.
  • YannickBergeron

    Re: IHS 8 powered by Apache 2.2.x ?

    ‏2011-12-16T14:46:52Z  
    Interesting, so the only solution would be multiple network interfaces?
    And FYI, v8 still seems to be based on 2.2.8:
    Server version: IBM_HTTP_Server/8.0.0.1 (Win32)
    Apache version: 2.2.8 (with additional fixes)
  • SystemAdmin

    Re: IHS 8 powered by Apache 2.2.x ?

    ‏2011-12-16T20:17:12Z  
    It depends on the requirements.

    If you can use a single certificate that applies to many domains (there are multiple ways to accomplish this -- wildcards, SubjectAltName extensions) then you can use name-based vhosts with SSL by configuring SSL handshake-related info in the default name-based vhost for a set of vhosts.

    If you just want to do a "few" non name-based, you can use multiple ports or multiple network interfaces.

    You also may wish to open a marketing/requirement for SNI support in IHS.
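
An added example (not part of the thread, and not IBM's or any poster's code): when a single certificate must serve every name-based vhost on one IP/port because SNI is unavailable, this checks that each `ServerName`/`ServerAlias` is covered by the certificate's dNSName entries. The configuration text, hostnames and SAN list are constructed samples, and the function names are hypothetical.

```python
import re

# Constructed sample: name-based vhosts sharing one IP:port (no SNI available).
SAMPLE_CONF = """
NameVirtualHost *:443
<VirtualHost *:443>
    ServerName www.example.com
    ServerAlias example.com
</VirtualHost>
<VirtualHost *:443>
    ServerName api.example.com
    ServerAlias v2.api.example.com
</VirtualHost>
<VirtualHost *:443>
    ServerName shop.example.net:443
    ServerAlias WWW.example.net
</VirtualHost>
"""
# Constructed dNSName entries of the one certificate presented for all vhosts.
SAMPLE_SANS = ["*.example.com", "shop.example.net"]

def vhost_names(conf_text):
    """Collect ServerName/ServerAlias hostnames, dropping scheme and port."""
    names = []
    pattern = r"^[ \t]*Server(?:Name|Alias)[ \t]+(.+)$"
    for m in re.finditer(pattern, conf_text, re.I | re.M):
        for tok in m.group(1).split():  # ServerAlias may list several names
            host = re.sub(r"^[a-z]+://", "", tok.lower()).split(":")[0]
            names.append(host.rstrip("."))
    return names

def san_matches(pattern, host):
    """RFC 6125-style match: '*' counts only as the whole left-most label,
    covers exactly one label, and is refused on two-label patterns."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in h:
        return False
    if p[0] == "*":
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h

def coverage(conf_text, sans):
    """Map each configured hostname to the SAN entry covering it, or None."""
    return {n: next((s for s in sans if san_matches(s, n)), None)
            for n in vhost_names(conf_text)}

if __name__ == "__main__":
    for name, san in coverage(SAMPLE_CONF, SAMPLE_SANS).items():
        print(f"{name:22} {'covered by ' + san if san else 'NOT COVERED'}")
```

Names reported as not covered (here the bare apex, the two-level subdomain and the alias under a different domain) would produce certificate name mismatches in clients, so they need their own SAN entry or a separate IP/port.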
  • YannickBergeron

    Re: IHS 8 powered by Apache 2.2.x ?

    ‏2011-12-16T20:58:21Z  
    It kinda hurts my feelings when I see that IHS is the only web server listed on Wikipedia that does not support SNI, even if we know there are probably many more not supporting it.
    http://en.wikipedia.org/wiki/Server_Name_Indication

    I probably don't have the ROI to request such an enhancement but it would be great if it could be added.
    I suppose it's not easy to request an enhancement, so if anyone has a procedure on how to proceed, I could try to fill it in in my free time.
    Best regards,
  • PetrH

    Re: IHS 8 powered by Apache 2.2.x ?

    ‏2013-10-15T10:55:55Z  
    I know it's quite an old topic, however I was recently dealing with the SNI requirement as well and found this open RFE for that:

    http://www.ibm.com/developerworks/rfe/execute?use_case=viewRfe&CR_ID=34954

    So please, whoever searches for IBM HTTP Server + SNI and finds this thread, vote for the above RFE.

  • Sunit

    Re: IHS 8 powered by Apache 2.2.x ?

    ‏2013-10-15T14:15:08Z  
    SSL functionality in all IBM products is provided by GSKit. I have seen references that some TLS extensions from RFC 6066 which deals with SNI are implemented in V 8.0.14. You might want to open a PMR with IBM asking for this information. A cursory search on Google for IBM and RFC6066 returns results that indicate that this might be available.

    You might want to try it out on a test box.

    --Sunit

    Updated on 2013-10-15T14:18:25Z by Sunit
  • Eric Covener

    Re: IHS 8 powered by Apache 2.2.x ?

    ‏2013-10-16T01:51:38Z  
    For both OpenSSL and GSKit, SNI requires support in the server, not just the security library.

    It's not supported in IHS.

  • PetrH

    Re: IHS 8 powered by Apache 2.2.x ?

    ‏2013-10-17T15:36:36Z  

    Eric, and how about support for the AES-NI instructions in IHS (GSKit)? I haven't found anything about that so it's probably not implemented either. However, is it at least being considered for the near future?

    AFAIK it's only supported in IBM Java, where it can be controlled via property com.ibm.crypto.provider.doAESInHardware

    EDIT: Actually GSKit is mentioned in the following Intel AES-NI support document, however I haven't found anything about it in the IBM documentation at all. Perhaps it's silently enabled whenever the availability of these instructions is detected?

    http://www.intel.com/content/dam/www/public/us/en/documents/specification-updates/aes-ni-ecosystem-update.pdf

    Updated on 2013-10-17T15:41:25Z by PetrH
  • Eric Covener

    Re: IHS 8 powered by Apache 2.2.x ?

    ‏2013-10-17T15:57:35Z  
    Coincidentally, the IHS team drove that requirement into GSKit (and servername extension requirement, but didn't get around to exploiting it), and I did the performance testing on it.

    AES-NI is in fact enabled whenever the CPU instruction/capability/whatever is detected.

    However, it's only in the "non FIPS ICC" low level crypto library in GSKit. To use this library, export ICC_IGNORE_FIPS=true in $IHSROOT/bin/envvars

    This only applies to V8R0 and later.

    (The low level crypto where improvements like this go is locked in to a FIPS certified version, and ICC_IGNORE_FIPS opts you into the non-certified, but more actively developed, low level crypto library)

     

    I've added this to the ssl_questions.html FAQ in ihsdiag, but have not yet published it.