IBM Support

PK37731: NO CLIENT CERTIFICATE PROMPT WHEN MULTIPLE SSL VIRTUALHOSTS CONFIGURED IN IHS

APAR status

  • Closed as program error.

Error description

  • If SSL is enabled and "SSLClientAuth required" is used, there is
    no client certificate prompt as expected, when using the
    Internet Explorer browser and when multiple SSL virtualhosts
    are configured in IBM HTTP Server.
    
    The problem is seen when two SSL virtualhosts are configured
    and only one is asking for client certificates.
    SSLCacheDisable works around the issue but may cause
    performance problems because the session ID reuse will go down
    if multiple child processes are used and the internal cache is
    per-process.
    
    Steps to recreate the problem:
    
    1. Enable SSL on IBM HTTP Server containing 2 VirtualHosts, one
    with port 443, the second for port 8443.
    2. The Port 8443 is SSLClientAuth required.
    3. Export the HTTP Server certificate into a PKCS#12 (.p12) file
    using the ikeyman tool.
    4. Import the PKCS#12 file into the Internet Explorer browser as a
    Personal Certificate.
    5. Access the following URL (port 443), for example:
    
    https://<servername>/index.html
    
    The HTML page above contains, for example, the following link,
    attached to a button labelled "AQUI":
    
    https://<servername>:8443/mypage.html  -->AQUI
    
    6. Click on "AQUI", and you get the following error:
    
    "Forbidden You don't have permission to access /mypage.html on
    this server."
    
    The error.log shows the following error message:
    
    SSL0265W: Client did not supply a certificate.
    
    Three ways to bypass the Forbidden error above are:
    
    1. In the httpd.conf, point port 8443 to a different IP
    Address.
    2. Go to https://<servername>:8443/mypage.html directly,
    without going through the test HTML page on port 443.
    3. Use a browser other than Internet Explorer.
    

Local fix

  • SSLCacheDisable works around the issue but may cause
    performance problems because the session ID reuse will go down
    if multiple child processes are used and the internal
    cache is per-process.
    

Problem summary

  • ****************************************************************
    * USERS AFFECTED: IBM HTTP Server customers on all platforms   *
    *                 but Windows and z/OS, with multiple SSL-     *
    *                 enabled virtual hosts with different SSL     *
    *                 configurations affecting SSL session         *
    *                 establishment, such as whether or not a      *
    *                 client certificate is required.              *
    ****************************************************************
    * PROBLEM DESCRIPTION: On platforms other than Windows and     *
    *                      z/OS, SSL sessions are cached without   *
    *                      regard to the associated SSL            *
    *                      configuration.  A client can use an     *
    *                      existing SSL session to connect to      *
    *                      another virtual host, even without      *
    *                      satisfying the requirements of that     *
    *                      second virtual host (e.g., client       *
    *                      certificate).                           *
    ****************************************************************
    

Problem conclusion

  • mod_ibm_ssl was changed to disallow the reuse of sessions
    between virtual hosts.  This was implemented by adding a
    reference to the virtual host's SSL configuration to the
    hash key used to find existing sessions.
    Clients will have to use a different SSL session for each
    SSL virtual host they communicate with.  (Clients handle this
    automatically.)
    The APAR fix is targeted for the following service packs:
    6.0.2.19
    6.1.0.9
    Cumulative e-fix PK53584 for 2.0.47.1
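    The following toy model, added here as an illustration and not code
    from mod_ibm_ssl or IBM HTTP Server, shows why a session cache keyed
    on the session ID alone lets the Problem summary's scenario happen,
    and how keying the cache on the virtual host (the Problem conclusion)
    and disabling the cache (the Local fix) each change the outcome. The
    virtual host names, the cache class and the outcome strings are
    assumptions of the example; only the ports, the "SSLClientAuth
    required" setting and the SSL0265W symptom come from the APAR.

```python
"""Constructed model of a server-side SSL session cache shared by several
virtual hosts (illustration only, not mod_ibm_ssl code)."""
import os
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class VirtualHost:
    name: str                   # hypothetical label for the vhost
    port: int
    client_auth_required: bool  # models "SSLClientAuth required"


@dataclass(frozen=True)
class Session:
    session_id: bytes
    client_cert_verified: bool  # True only if a full handshake checked a client cert


class SessionCache:
    """per_vhost=False models the pre-fix cache (key = session ID only);
    per_vhost=True models the fix (key = session ID + vhost configuration);
    enabled=False models the SSLCacheDisable workaround."""

    def __init__(self, per_vhost: bool, enabled: bool = True) -> None:
        self.per_vhost = per_vhost
        self.enabled = enabled
        self._store: Dict[Tuple, Session] = {}

    def _key(self, session_id: bytes, vhost: VirtualHost) -> Tuple:
        return (session_id, vhost) if self.per_vhost else (session_id,)

    def put(self, vhost: VirtualHost, session: Session) -> None:
        if self.enabled:
            self._store[self._key(session.session_id, vhost)] = session

    def lookup(self, session_id: bytes, vhost: VirtualHost) -> Optional[Session]:
        if not self.enabled:
            return None
        return self._store.get(self._key(session_id, vhost))


def handshake(cache: SessionCache, vhost: VirtualHost,
              offered_id: Optional[bytes], client_presents_cert: bool):
    """Returns (outcome, session). Outcomes: 'resumed-ok', 'resumed-forbidden',
    'full-ok', 'full-forbidden'."""
    cached = cache.lookup(offered_id, vhost) if offered_id is not None else None
    if cached is not None:
        # Abbreviated handshake: no CertificateRequest is sent, so the browser
        # never prompts.  Access is then judged on what the cached session
        # recorded, which for a session from the port-443 vhost is "no cert".
        if vhost.client_auth_required and not cached.client_cert_verified:
            return "resumed-forbidden", cached   # SSL0265W in error.log, HTTP 403
        return "resumed-ok", cached
    # Full handshake: a vhost that requires client auth sends CertificateRequest
    # and the browser prompts for a personal certificate.
    if vhost.client_auth_required and not client_presents_cert:
        return "full-forbidden", None
    session = Session(os.urandom(32),
                      client_cert_verified=vhost.client_auth_required and client_presents_cert)
    cache.put(vhost, session)
    return "full-ok", session


def reproduce(per_vhost_cache: bool, cache_enabled: bool = True) -> List[str]:
    """Steps 5 and 6 of the APAR's recreate procedure against one cache kind.
    The browser holds a personal certificate and presents it whenever asked."""
    cache = SessionCache(per_vhost=per_vhost_cache, enabled=cache_enabled)
    vh_443 = VirtualHost("default", 443, client_auth_required=False)
    vh_8443 = VirtualHost("clientauth", 8443, client_auth_required=True)

    # Step 5: https://<servername>/index.html -> new session, no cert requested.
    out1, sess = handshake(cache, vh_443, None, client_presents_cert=True)
    # Step 6: click "AQUI" -> https://<servername>:8443/mypage.html; the browser
    # offers the session ID it already holds for this server name.
    out2, _ = handshake(cache, vh_8443, sess.session_id, client_presents_cert=True)
    return [out1, out2]


if __name__ == "__main__":
    print("pre-fix, shared cache :", reproduce(per_vhost_cache=False))
    print("fixed, per-vhost cache:", reproduce(per_vhost_cache=True))
    print("SSLCacheDisable       :", reproduce(per_vhost_cache=False, cache_enabled=False))
```

    With the shared cache the second connection resumes the port-443
    session and is refused with the page's SSL0265W symptom without the
    browser ever being prompted; with the per-vhost key the lookup misses,
    a full handshake runs and the certificate prompt appears. Disabling
    the cache gives the same correct result but forces a full handshake
    on every connection, which is the performance cost the Local fix
    warns about.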
    

Temporary fix

Comments

APAR Information

  • APAR number

    PK37731

  • Reported component name

    IBM HTTP SERVER

  • Reported component ID

    5724J0801

  • Reported release

    60I

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2007-01-19

  • Closed date

    2007-03-07

  • Last modified date

    2007-10-25

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    IBM HTTP SERVER

  • Fixed component ID

    5724J0801

Applicable component levels

  • R60A PSN

       UP

  • R60H PSN

       UP

  • R60P PSN

       UP

  • R60I PSN

       UP

  • R60S PSN

       UP

  • R60Z PSN

       UP

  • R61A PSN

       UP

  • R61H PSN

       UP

  • R61P PSN

       UP

Document Information

Modified date:
07 September 2022