IBM Support

PK61608: HTTP: CLIENT CERTIFICATE REVOCATION STATUS PERFORMANCE ENHANCEMENT


APAR status

  • Closed as program error.

Error description

  • HTTP Server v6.0
    ----------------
    
    A change was added to improve performance of CRL functionality.
    
    -----------------
    Keywords: CRL Performance
    

Local fix

Problem summary

  • ****************************************************************
    * USERS AFFECTED: IBM HTTP Server configurations with          *
    * SSL Client Certificate revocation checking                   *
    ****************************************************************
    * PROBLEM DESCRIPTION: Certificate Revocation List (CRL)       *
    * checking slows as the number of revoked certificates grows   *
    ****************************************************************
    * RECOMMENDATION: This fix is recommended for configurations   *
    * where the directive SSLClientAuth contains the 'CRL' option  *
    * and certificate revocation info is available via the OCSP    *
    * protocol                                                     *
    ****************************************************************
    CRL processing requires loading the entire list from the LDAP
    server. If the list is large, parsing it and checking it at
    runtime requires extensive CPU.
    

Problem conclusion

  • IHS now has the option of using OCSP, a more efficient
    certificate revocation checking protocol.  New directives
    SSLOCSPEnable and SSLOCSPResponderURL are added and may be used
    either in addition to or independently of the legacy CRL
    checking.
    .
    Example:
    <VirtualHost *:443>
      SSLEnable
      SSLClientAuth Required
      SSLOCSPResponderURL http://ocsp.example.com:2560/
    </VirtualHost>
    .
    This fix is targeted for fix packs
      6.1.0.19
      6.0.2.29
    

Temporary fix

Comments

APAR Information

  • APAR number

    PK61608

  • Reported component name

    IBM HTTP SERVER

  • Reported component ID

    5724J0801

  • Reported release

    60W

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2008-02-25

  • Closed date

    2008-04-16

  • Last modified date

    2008-04-16

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    IBM HTTP SERVER

  • Fixed component ID

    5724J0801

Applicable component levels

  • R60A PSN

       UP

  • R60H PSN

       UP

  • R60I PSN

       UP

  • R60P PSN

       UP

  • R60S PSN

       UP

  • R60W PSN

       UP

  • R60Z PSN

       UP

  • R61A PSN

       UP

  • R61H PSN

       UP

  • R61I PSN

       UP

  • R61P PSN

       UP

  • R61S PSN

       UP

  • R61W PSN

       UP

  • R61Z PSN

       UP

Document Information

Modified date:
07 September 2022