IBM Support

PH39992: TLSV13 FAILURES ON Z/LINUX


APAR status

  • Closed as program error.

Error description

  • TLSv13 failures on z/Linux
    

Local fix

  • Add to httpd.conf after SSLEnable:
    
    SSLAttributeSet 2005 "GSK_TLS_SUPPORTED_GROUP_ECDHE_SECP256R1,GSK_TLS_SUPPORTED_GROUP_ECDHE_SECP384R1,GSK_TLS_SUPPORTED_GROUP_ECDHE_SECP521R1" BUFF
    SSLAttributeSet 2006 "GSK_TLS_SUPPORTED_GROUP_ECDHE_SECP256R1,GSK_TLS_SUPPORTED_GROUP_ECDHE_SECP384R1,GSK_TLS_SUPPORTED_GROUP_ECDHE_SECP521R1" BUFF
    
    This has the effect of disabling the two unmentioned curves
    (x25519 and x448).
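
    An added example, not part of the APAR or IBM's own tooling: a Python check that every SSLEnable in an httpd.conf is followed by SSLAttributeSet 2005 and 2006 lines listing only the three SECP groups named above. The sample configuration is constructed, and treating each virtual host as having its own SSLEnable is an assumption.

```python
import re

# The three groups the local fix leaves enabled (names taken from the page).
ALLOWED = {
    "GSK_TLS_SUPPORTED_GROUP_ECDHE_SECP256R1",
    "GSK_TLS_SUPPORTED_GROUP_ECDHE_SECP384R1",
    "GSK_TLS_SUPPORTED_GROUP_ECDHE_SECP521R1",
}
REQUIRED = ("2005", "2006")  # attribute numbers used in the local fix
ATTR_RE = re.compile(r'SSLAttributeSet\s+(\d+)\s+"([^"]*)"', re.I)

def check_local_fix(conf_text):
    """Return findings per SSLEnable scope; an empty list means the fix is in place."""
    findings, scopes, current = [], [], None
    for n, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if re.match(r"</VirtualHost>", line, re.I):
            current = None  # assumption: an SSLEnable scope ends with its vhost
        elif re.match(r"SSLEnable\b", line, re.I):
            current = {"line": n, "attrs": {}}
            scopes.append(current)
        else:
            m = ATTR_RE.match(line)
            if not m or m.group(1) not in REQUIRED:
                continue
            if current is None:
                findings.append(f"line {n}: SSLAttributeSet {m.group(1)} is not after SSLEnable")
                continue
            groups = {g.strip() for g in m.group(2).split(",") if g.strip()}
            current["attrs"][m.group(1)] = groups
            for extra in sorted(groups - ALLOWED):
                findings.append(f"line {n}: attribute {m.group(1)} enables {extra}")
    for scope in scopes:
        for attr in REQUIRED:
            if attr not in scope["attrs"]:
                findings.append(f"SSLEnable at line {scope['line']}: SSLAttributeSet {attr} missing")
    return findings

# Constructed sample configuration (not from a real server).
GROUPS = ",".join(sorted(ALLOWED))
SAMPLE = f'''
<VirtualHost *:443>
SSLEnable
SSLAttributeSet 2005 "{GROUPS}" BUFF
SSLAttributeSet 2006 "{GROUPS}" BUFF
</VirtualHost>
<VirtualHost *:8443>
SSLEnable
SSLAttributeSet 2005 "{GROUPS}" BUFF
</VirtualHost>
'''
```

    Calling `check_local_fix(SAMPLE)` reports the second virtual host, where the 2006 line was left out.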
    

Problem summary

  • ****************************************************************
    * USERS AFFECTED:  All users of IBM HTTP Server on z/Linux     *
    ****************************************************************
    * PROBLEM DESCRIPTION: TLSv13 connections may fail with        *
    *                      SSL0209E errors reported in the log on  *
    *                      z/Linux.                                *
    ****************************************************************
    * RECOMMENDATION:                                              *
    ****************************************************************
    TLSv13 connections may fail with SSL0209E errors reported in the
    log on z/Linux.
    

Problem conclusion

  • Due to a known issue in GSKit, when curves x25519 or x448 are
    negotiated on some z/Linux systems, the handshake will fail.
    This fix removes these curves, leaving the following curves
    enabled: SECP256R1, SECP384R1, and SECP521R1.
    
    In the future when the underlying GSKit problem is resolved,
    the change above will be reverted.
    
    The fix for this APAR is targeted for inclusion in IBM HTTP
    Server fix pack 9.0.5.10. For more information, see
    'Recommended Updates for WebSphere Application Server':
    https://www.ibm.com/support/pages/node/715553
    

Temporary fix

Comments

APAR Information

  • APAR number

    PH39992

  • Reported component name

    IBM HTTP SERVER

  • Reported component ID

    5724J0801

  • Reported release

    900

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2021-08-20

  • Closed date

    2021-08-31

  • Last modified date

    2021-10-06

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    IBM HTTP SERVER

  • Fixed component ID

    5724J0801

Applicable component levels


Document Information

Modified date:
13 October 2021