Fixes are available
APAR status
Closed as program error.
Error description
If SSL is enabled and "SSLClientAuth required" is used, there is no client certificate prompt as expected when using the Internet Explorer browser and multiple SSL virtual hosts are configured in IBM HTTP Server. The problem is seen when two SSL virtual hosts are configured and only one of them asks for client certificates. SSLCacheDisable works around the issue but may cause performance problems, because session ID reuse will go down if multiple child processes are used and the internal cache is per-process.

Steps to recreate the problem:
1. Enable SSL on IBM HTTP Server with two VirtualHosts, one on port 443 and the second on port 8443.
2. The port 8443 virtual host is configured with SSLClientAuth required.
3. Export the HTTP Server certificate into a PK12 (PKCS#12) file using the ikeyman tool.
4. Import the PK12 file into the Internet Explorer browser as a Personal Certificate.
5. Access a URL on port 443, for example https://<servername>/index.html. That HTML page contains a link to https://<servername>:8443/mypage.html, attached to a button called "AQUI".
6. Click on "AQUI". The following error is returned:
"Forbidden
You don't have permission to access /mypage.html on this server."
The error.log shows the following message:
SSL0265W: Client did not supply a certificate.

Three ways to bypass the Forbidden error above are:
1. In the httpd.conf, point port 8443 to a different IP address.
2. Go to https://<servername>:8443/mypage.html directly, without passing through the test HTML page on port 443.
3. Use a browser other than Internet Explorer.
Local fix
SSLCacheDisable works around the issue but may cause performance problems because the session ID reuse will go down if multiple child processes are used and the internal cache is per-process.
Problem summary
USERS AFFECTED: IBM HTTP Server customers on all platforms but Windows and z/OS, with multiple SSL-enabled virtual hosts with different SSL configurations affecting SSL session establishment, such as whether or not a client certificate is required.

PROBLEM DESCRIPTION: On platforms other than Windows and z/OS, SSL sessions are cached without regard to the associated SSL configuration. A client can use an existing SSL session to connect to another virtual host, even without satisfying the requirements of that second virtual host (e.g., client certificate).
Problem conclusion
mod_ibm_ssl was changed to disallow the reuse of sessions between virtual hosts. This was implemented by adding a reference to the virtual host's configuration set to the hash used to find existing sessions. Clients will have to use a different SSL session for each SSL virtual host they communicate with (clients handle this automatically).

The APAR fix is targeted for the following service packs:
6.0.2.19
6.1.0.9
Cumulative e-fix PK53584 for 2.0.47.1
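As an added illustration of the error description and the fix above (a constructed Python model, not mod_ibm_ssl's code; the ports, vhost settings, certificate subject and session id are made up), this shows why a cache keyed by session ID alone lets a session negotiated on the port 443 host be resumed on the port 8443 host without any certificate prompt, and how including the virtual host configuration in the cache key forces a full handshake there:

```python
# Constructed model of the session-cache keying change in PK37731; not
# mod_ibm_ssl's code. Ports, vhost settings and the session id are made up.
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

@dataclass(frozen=True)
class VHostConfig:
    port: int
    client_auth_required: bool  # "SSLClientAuth required" on this vhost

class SessionCache:
    """Cache key -> client cert subject recorded at the full handshake (None
    if no certificate was requested or presented). per_vhost=False keys by
    session id alone (pre-fix); per_vhost=True adds the vhost config (post-fix)."""

    def __init__(self, per_vhost: bool) -> None:
        self.per_vhost = per_vhost
        self._store: Dict[object, Optional[str]] = {}

    def _key(self, session_id: bytes, vhost: VHostConfig) -> object:
        return (session_id, vhost) if self.per_vhost else session_id

    def put(self, session_id: bytes, vhost: VHostConfig, cert: Optional[str]) -> None:
        self._store[self._key(session_id, vhost)] = cert

    def lookup(self, session_id: bytes, vhost: VHostConfig) -> Tuple[bool, Optional[str]]:
        key = self._key(session_id, vhost)
        return key in self._store, self._store.get(key)

def connect(cache: SessionCache, vhost: VHostConfig, session_id: bytes,
            cert_available: bool) -> Tuple[bool, bool]:
    """One connection. Returns (resumed, certificate seen by this vhost)."""
    hit, cached_cert = cache.lookup(session_id, vhost)
    if hit:
        # Resumption skips the certificate request: the vhost inherits whatever
        # the original full handshake recorded, even if that was nothing.
        return True, cached_cert is not None
    # Full handshake: only a vhost with SSLClientAuth required asks for a
    # certificate, and the browser presents one only when asked.
    cert = "CN=user" if vhost.client_auth_required and cert_available else None
    cache.put(session_id, vhost, cert)
    return False, cert is not None

def scenario(per_vhost: bool) -> Tuple[bool, bool]:
    """index.html on :443 first, then the "AQUI" link to :8443 with the same session."""
    cache = SessionCache(per_vhost)
    plain, mutual = VHostConfig(443, False), VHostConfig(8443, True)
    sid = b"\x01" * 32  # constructed session id offered by the browser
    connect(cache, plain, sid, cert_available=True)
    return connect(cache, mutual, sid, cert_available=True)
```

In the pre-fix case the :8443 host resumes the session and never sees a certificate, which is the state behind the SSL0265W entry in the error description; with the vhost configuration in the key, the same click produces a full handshake and the certificate prompt.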
Temporary fix
Comments
APAR Information
APAR number
PK37731
Reported component name
IBM HTTP SERVER
Reported component ID
5724J0801
Reported release
60I
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2007-01-19
Closed date
2007-03-07
Last modified date
2007-10-25
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
IBM HTTP SERVER
Fixed component ID
5724J0801
Applicable component levels
R60A PSN
UP
R60H PSN
UP
R60P PSN
UP
R60I PSN
UP
R60S PSN
UP
R60Z PSN
UP
R61A PSN
UP
R61H PSN
UP
R61P PSN
UP
Document Information
Modified date:
07 September 2022