IBM Support

PK69212: 'SSLCLIENTAUTH REQUIRED' DIRECTIVE TRIGGERS HTTP ACCESS CONTROL WITHOUT NOTIFICATION TO BROWSER AT SSL LAYER

Subscribe

You can track all active APARs for this component.

 

APAR status

  • Closed as program error.

Error description

  • 'SSLClientAuth required' directive triggers HTTP access control
    without notification to browser at SSL layer
    

Local fix

  • No workaround available.
    

Problem summary

  • ****************************************************************
    * USERS AFFECTED: IBM HTTP Server configurations with          *
    * "SSLClientAuth required" and clients connecting with         *
    * removable cryptographic devices                              *
    ****************************************************************
    * PROBLEM DESCRIPTION: When "SSLClientAuth required" is        *
    * specified, and a client does not supply a certificate, IHS   *
    * sends the client an HTTP Forbidden (403) response.  Browsers *
    * do not equate this HTTP error with their failure to          *
    * provide an SSL client certificate, so they do not know to    *
    * reconsider their internal SSL keyrings on subsequent SSL     *
    * requests.                                                    *
    ****************************************************************
    * RECOMMENDATION: This fix is recommended for configurations   *
    * where the directive SSLClientAuth contains the 'required'    *
    * or '2' option and users routinely add new SSL client         *
    * certificates to their browsers.                              *
    ****************************************************************
    
    In the case of removable cryptographic devices or smart cards,
    there is no opportunity after receiving the 403 response
    to insert the removable device and re-connect with a newly
    added SSL client certificate.
    

Problem conclusion

  • IHS now has the option of sending a fatal SSL-level Alert to
    the client when an SSL client certificate is required but has
    not been provided by the client. This notification is
    sufficient for common browsers to re-interrogate their SSL
    state, giving the browser an opportunity to use a newly
    available SSL client certificate on a subsequent SSL request.
    
    A new argument to the "SSLClientAuth" directive is provided
    that enables the new behavior.  The new option,
    "required_reset", is identical to the existing "required"
    option except for the fatal SSL handshake alert in the case
    where no client certificiate is provided.
    
    Example:
    
    <VirtualHost *:443>
      SSLEnable
      SSLClientAuth required_reset
    </VirtualHost>
    
    Note: GSKit 7.0.4.19 or higher is required to enable the
    new option, "SSLClientAuth required_reset".
    
    This fix is targeted for fix packs
      6.1.0.21
      6.0.2.33
    

Temporary fix

Comments

APAR Information

  • APAR number

    PK69212

  • Reported component name

    IBM HTTP SERVER

  • Reported component ID

    5724J0801

  • Reported release

    60A

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2008-07-17

  • Closed date

    2008-08-06

  • Last modified date

    2008-08-06

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    IBM HTTP SERVER

  • Fixed component ID

    5724J0801

Applicable component levels

  • R60A PSN

       UP

  • R60H PSN

       UP

  • R60P PSN

       UP

  • R60I PSN

       UP

  • R60S PSN

       UP

  • R60W PSN

       UP

  • R60Z PSN

       UP

  • R61A PSN

       UP

  • R61H PSN

       UP

  • R61P PSN

       UP

  • R61I PSN

       UP

  • R61S PSN

       UP

  • R61W PSN

       UP

  • R61Z PSN

       UP

[{"Line of Business":[],"Business Unit":{"code":"BU053","label":"Cloud & Data Platform"},"Product":{"code":"SSEQTJ","label":"IBM HTTP Server"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"6.0"}]

Document Information

Modified date:
25 September 2020