IBM Support

PI52299: TLS_FALLBACK_SCSV support for IBM HTTP Server

 

APAR status

  • Closed as new function.

Error description

  • Allow the TLS_FALLBACK_SCSV pseudo cipher to be sent by IBM
    HTTP Server on distributed operating systems. This helps
    prevent browsers from being fooled into downgrading TLS versions.
    

Local fix

Problem summary

  • ****************************************************************
    * USERS AFFECTED:  Users of IBM HTTP Server with SSL enabled   *
    *                  and using TLS ciphers                       *
    ****************************************************************
    * PROBLEM DESCRIPTION: Browsers could be fooled into           *
    *                      downgrading TLS versions.               *
    ****************************************************************
    * RECOMMENDATION:  Apply this fix if using IBM HTTP Server     *
    *                  with SSL enabled with TLS ciphers           *
    ****************************************************************
    The TLS_FALLBACK_SCSV extension has been enabled for inbound
    and outbound SSL.
    

Problem conclusion

  • IHS supports and sends TLS_FALLBACK_SCSV on distributed
    operating systems once this fix is applied. This is enabled
    by default with this fix, but can be disabled by setting the
    directive 'SSLFallbackProtection OFF'.
    
    This fix is targeted for IBM HTTP Server fix packs:
    - 7.0.0.41
    - 8.0.0.13
    - 8.5.5.9
    

Temporary fix

Comments

APAR Information

  • APAR number

    PI52299

  • Reported component name

    IBM HTTP SERVER

  • Reported component ID

    5724J0801

  • Reported release

    800

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2015-11-11

  • Closed date

    2016-02-26

  • Last modified date

    2016-02-26

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    IBM HTTP SERVER

  • Fixed component ID

    5724J0801

Applicable component levels

  • R700 PSY

       UP

  • R800 PSY

       UP

  • R850 PSY

       UP


Document Information

Modified date:
07 September 2022