IBM Support

PH23397: SSLClientAuthVerify OFF improvement for expired certificates

APAR status

  • Closed as new function.

Error description

  • When an expired cert is allowed with SSLClientAuthVerify OFF
    it is not possible to retrieve the certificate details.
    

Local fix

Problem summary

  • ****************************************************************
    * USERS AFFECTED:  Users of IBM HTTP Server 9.0                *
    ****************************************************************
    * PROBLEM DESCRIPTION: Improvements needed for expired         *
    *                      certificates with                       *
    *                      SSLClientAuthVerify OFF                 *
    ****************************************************************
    * RECOMMENDATION:  Apply this fix if using                     *
    *                  SSLClientAuthVerify OFF                     *
    ****************************************************************
    'SSLClientAuth optional noverify' is extended with optional
    additional parameters noverify_allow_expired and
    noverify_record_expired.
    * noverify_allow_expired allows certificates or certificate
      chains with expired certificates to be accepted as valid.
    * noverify_record_expired adds all certificate details to
      internal variables referenced by other parts of the server,
      but still subjects requests on this connection to
      SSLClientAuthVerify checks.
    

Problem conclusion

  • Additional optional parameters were added for use when
    SSLClientAuthVerify OFF is set.
    
    This fix is targeted for IBM HTTP Server fix packs:
    - 9.0.5.4
    
    For more information, see 'Recommended Updates for WebSphere
    Application Server':
    http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
    

Temporary fix

Comments

APAR Information

  • APAR number

    PH23397

  • Reported component name

    IBM HTTP SERVER

  • Reported component ID

    5724J0801

  • Reported release

    900

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2020-03-18

  • Closed date

    2020-05-05

  • Last modified date

    2020-05-05

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    IBM HTTP SERVER

  • Fixed component ID

    5724J0801

Applicable component levels

  • R900 PSY

       UP

Document Information

Modified date:
07 September 2022