APAR status
Closed as program error.
Error description
On some systems, IHS may start returning handshake errors if all available RNGs quickly run into low entropy conditions: "Low entropy when generating seed data: fips-prng/SP800-90.c,384"
Local fix
SSLFatalErrorLimit mitigates the impact
Problem summary
USERS AFFECTED: All users of IBM HTTP Server
PROBLEM DESCRIPTION: IHS may return SSL0209E errors after a failure to obtain entropy needed to reseed the random number generator.
RECOMMENDATION:
The security library in IHS already had the ability to fall back to an alternate TRNG source when in this state, but a programming error prevented it from being effective. Additionally, the default TRNG has been updated and some operations consume less entropy.
Problem conclusion
This APAR updates GSKit to 8.0.55.31, which has various improvements to RNG performance and failover. This release of GSKit also disables RSA key exchange when SSLFIPSEnable is enabled. The fix for this APAR is targeted for inclusion in IBM HTTP Server fix packs 8.5.5.24 and 9.0.5.16. For more information, see 'Recommended Updates for WebSphere Application Server': https://www.ibm.com/support/pages/node/715553
Temporary fix
Comments
APAR Information
APAR number
PH44893
Reported component name
IBM HTTP SERVER
Reported component ID
5724J0801
Reported release
850
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2022-03-15
Closed date
2023-04-10
Last modified date
2023-04-10
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
IBM HTTP SERVER
Fixed component ID
5724J0801
Applicable component levels
Document Information
Modified date:
11 April 2023