APAR status
Closed as new function.
Error description
Remove RSA key exchange ciphers from defaults where ECDHE is available.
Local fix
Problem summary
**************************************************************** * USERS AFFECTED: All users of IBM HTTP Server * **************************************************************** * PROBLEM DESCRIPTION: SSL ciphers that use RSA key exchange * * should not be enabled by default when * * ECDHE is available. * **************************************************************** * RECOMMENDATION: * **************************************************************** IHS supports SSL ciphers with two key exchange methods, RSA and ECDHE. ECDHE key exchange has the benefit of providing "forward secrecy". Further, common IT scanners report all RSA ciphers as being vulnerable to ROBOT.
Problem conclusion
The default list of ciphers was updated to exclude SSL ciphers that use RSA key exchange, leaving only ECDHE. 1. This has no effect on TLS 1.3, where RSA key exchange was never supported 2. On z/OS IHS 8.5.5 does not enable ECDHE ciphers by default, because they can fail at runtime if system configuration has not been performed. The default ciphers remain unchanged. 3. On z/OS in IHS 9.0, IHS checks at startup to determine if the system appears setup to use ECDHE, IHS prior to this APAR would enable both RSA and ECDHE. After this APAR, only ECDHE is enabled. 4. The RSA ciphers that were used by default prior to this APAR can be re-enabled using a "pseudo cipher" with the name "RSA". SSLCipherSPEC ALL +RSA Which is equivalent to SSLCipherSpec ALL +9C 9D +3C +3D +2F +35B The fix for this APAR is targeted for inclusion in IBM HTTP Server fix packs 8.5.5.24 and 9.0.5.15. For more information, see 'Recommended Updates for WebSphere Application Server': https://www.ibm.com/support/pages/node/715553
Temporary fix
Comments
APAR Information
APAR number
PH51473
Reported component name
IBM HTTP SERVER
Reported component ID
5724J0801
Reported release
850
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2022-12-14
Closed date
2023-01-30
Last modified date
2023-01-30
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
IBM HTTP SERVER
Fixed component ID
5724J0801
Applicable component levels
[{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSEQTJ","label":"IBM HTTP Server"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"8.5","Line of Business":{"code":"LOB45","label":"Automation"}}]
Document Information
Modified date:
31 January 2023