IBM Support

PH20613: SSL0232W WITH SSLFIPSENABLE


APAR status

  • Closed as program error.

Error description

  • SSL0232W with SSLFIPSEnable
    
    Secure communication fails between Firefox or Chrome
    browsers and IHS 9.0.5.2 when TLS 1.3 is enabled. The problem
    is present with SSLFIPSEnable and TLSv1.3.
    

Local fix

  • n/a
    

Problem summary

  • ****************************************************************
    * USERS AFFECTED:  All users of IBM HTTP Server with           *
    *                  "SSLFIPSEnable" in the configuration. Not   *
    *                  applicable to z/OS.                         *
    ****************************************************************
    * PROBLEM DESCRIPTION: After applying 9.0.5.2, SSL             *
    *                      connections from browsers fail with     *
    *                      error "SSL0232W".                       *
    ****************************************************************
    * RECOMMENDATION:                                              *
    ****************************************************************
    When SSLFIPSEnable is present, clients that prefer a specific
    TLS elliptic curve group (x25519) fail to handshake.
    x25519 does not work with SSLFIPSEnable because no
    FIPS-certified implementation is currently available in IHS,
    and SSLFIPSEnable by default uses both FIPS-compliant
    protocols and FIPS-certified implementations.
    A second defect prevented IHS from negotiating a mutually
    supported curve in this scenario.
    

Problem conclusion

  • The code was updated to remove x25519 and x448 from the
    curves supported on the server when SSLFIPSEnable is
    present.
    
    In the future, when the x25519 implementation in IHS is
    certified, the removal will be reverted.
    
    The fix for this APAR is targeted for inclusion in IBM HTTP
    Server fix pack 9.0.5.3. For more information,
    see 'Recommended Updates for WebSphere Application Server':
    http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
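
A simplified model of the TLS 1.3 group selection behind this failure, added here as an illustration and not taken from IHS, GSKit or the APAR: it shows a browser-like client that sends only an x25519 key share being moved to a NIST curve via HelloRetryRequest once x25519 and x448 are dropped from the server's list. The group lists, function names and the way the unfiltered case is modelled are assumptions.

```python
# Simplified model of TLS 1.3 group selection (RFC 8446, sections 4.2.7 and 4.2.8).
# Added illustration only: not IHS or GSKit code; all names here are assumptions.

# Groups without a FIPS-certified implementation in IHS, per the APAR text.
NOT_FIPS_CERTIFIED = {"x25519", "x448"}

# Constructed sample values, not taken from a real configuration or capture.
CONFIGURED = ["x25519", "secp256r1", "secp384r1", "secp521r1", "x448"]
BROWSER_GROUPS = ["x25519", "secp256r1", "secp384r1"]

def server_groups(configured, drop_uncertified):
    """Groups the server selects from; the fix drops x25519/x448 in FIPS mode."""
    if not drop_uncertified:
        return list(configured)
    return [g for g in configured if g not in NOT_FIPS_CERTIFIED]

def negotiate(client_supported, client_key_shares, server_supported):
    """Pick a group in client preference order (servers may use their own order)."""
    common = [g for g in client_supported if g in server_supported]
    if not common:
        return ("handshake_failure", None)
    for group in common:
        if group in client_key_shares:
            return ("server_hello", group)       # share already sent: no extra round trip
    return ("hello_retry_request", common[0])    # ask the client for a share it can supply

def fips_outcome(client_supported, client_key_shares, configured, drop_uncertified):
    """Handshake result with SSLFIPSEnable present, before or after the filtering."""
    groups = server_groups(configured, drop_uncertified)
    action, group = negotiate(client_supported, client_key_shares, groups)
    if group in NOT_FIPS_CERTIFIED:
        # Assumed model of the unfixed case: the chosen group has no certified
        # implementation, so the handshake cannot complete.
        return ("handshake_failure", group)
    return (action, group)

if __name__ == "__main__":
    for label, drop in (("curves not filtered", False), ("x25519/x448 removed", True)):
        print(label, fips_outcome(BROWSER_GROUPS, {"x25519"}, CONFIGURED, drop))
    # A client that offers only x25519 still has no common group after the fix.
    print("x25519-only client", fips_outcome(["x25519"], {"x25519"}, CONFIGURED, True))
```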
    

Temporary fix

Comments

APAR Information

  • APAR number

    PH20613

  • Reported component name

    WEBS APP SERV N

  • Reported component ID

    5724H8800

  • Reported release

    900

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2020-01-03

  • Closed date

    2020-02-05

  • Last modified date

    2020-02-05

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    IBM HTTP SERVER

  • Fixed component ID

    5724J0801

Applicable component levels

  • R900 PSY

       UP


Document Information

Modified date:
07 September 2022