APAR status
Closed as program error.
Error description
'SSLClientAuth required' directive triggers HTTP access control without notification to browser at SSL layer
Local fix
No workaround available.
Problem summary
****************************************************************
* USERS AFFECTED: IBM HTTP Server configurations with          *
* "SSLClientAuth required" and clients connecting with         *
* removable cryptographic devices                              *
****************************************************************
* PROBLEM DESCRIPTION: When "SSLClientAuth required" is        *
* specified, and a client does not supply a certificate, IHS   *
* sends the client an HTTP Forbidden (403) response. Browsers  *
* do not equate this HTTP error with their failure to          *
* provide an SSL client certificate, so they do not know to    *
* reconsider their internal SSL keyrings on subsequent SSL     *
* requests.                                                    *
****************************************************************
* RECOMMENDATION: This fix is recommended for configurations   *
* where the directive SSLClientAuth contains the 'required'    *
* or '2' option and users routinely add new SSL client         *
* certificates to their browsers.                              *
****************************************************************
In the case of removable cryptographic devices or smart cards, there is no opportunity after receiving the 403 response to insert the removable device and re-connect with a newly added SSL client certificate.
Problem conclusion
IHS now has the option of sending a fatal SSL-level alert to the client when an SSL client certificate is required but the client has not provided one. This notification is sufficient for common browsers to re-interrogate their SSL state, giving the browser an opportunity to use a newly available SSL client certificate on a subsequent SSL request. Because the alert aborts the handshake, a client that presents no certificate never reaches the HTTP layer and receives no 403 page.

A new argument to the "SSLClientAuth" directive enables the new behavior. The new option, "required_reset", is identical to the existing "required" option except that a fatal SSL handshake alert is sent in the case where no client certificate is provided.

Example:

  <VirtualHost *:443>
  SSLEnable
  SSLClientAuth required_reset
  </VirtualHost>

Note: GSKit 7.0.4.19 or higher is required to enable the new option, "SSLClientAuth required_reset".

This fix is targeted for fix packs 6.1.0.21 and 6.0.2.33.
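The following is an added example, not code from the APAR or from IBM HTTP Server, that reproduces the two refusal styles this fix distinguishes with Python's ssl module against a local throwaway server. A server context with CERT_REQUIRED stands in for "SSLClientAuth required_reset" (the handshake is aborted with a fatal alert when no client certificate arrives); a context with CERT_OPTIONAL plus an application-level 403 stands in for the pre-fix "SSLClientAuth required" (the handshake completes and the refusal is only visible as HTTP). The function names, the local server and the openssl CLI call that mints a self-signed localhost certificate are all assumptions of this example; the demo pins TLS 1.2 so that the alert is delivered inside the handshake rather than after it.

```python
"""Added example (not IBM's code): show the difference between refusing a
client at the SSL layer (fatal handshake alert, as "required_reset" does)
and refusing it at the HTTP layer (403 after a completed handshake, as the
pre-fix "required" did).  Assumes the openssl CLI is on PATH; it is used
only to create a throwaway self-signed certificate for the demo server."""
import os
import socket
import ssl
import subprocess
import tempfile
import threading


def make_self_signed_cert(directory):
    """Write cert.pem/key.pem for CN=localhost into `directory` (assumes openssl CLI)."""
    cert = os.path.join(directory, "cert.pem")
    key = os.path.join(directory, "key.pem")
    subprocess.run(
        ["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes",
         "-keyout", key, "-out", cert, "-days", "1", "-subj", "/CN=localhost"],
        check=True, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return cert, key


def server_context(cert, key, tls_layer):
    """tls_layer=True behaves like required_reset, False like the old required."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(cert, key)
    # Pin TLS 1.2: the client-certificate decision is then made inside the
    # handshake.  With TLS 1.3 the server's alert arrives after the client
    # considers the handshake finished and surfaces on the first read instead.
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    # CERT_REQUIRED: fatal alert if the client sends no certificate.
    # CERT_OPTIONAL: request one, but let the handshake finish without it.
    ctx.verify_mode = ssl.CERT_REQUIRED if tls_layer else ssl.CERT_OPTIONAL
    return ctx


def serve_one(listener, ctx):
    """Accept one connection and answer like a server enforcing client auth."""
    raw, _ = listener.accept()
    try:
        with ctx.wrap_socket(raw, server_side=True) as conn:
            conn.recv(4096)  # the client's HTTP request; contents do not matter here
            if conn.getpeercert() is None:
                # Handshake finished without a client cert: HTTP-layer refusal.
                reply = b"HTTP/1.1 403 Forbidden\r\nContent-Length: 0\r\nConnection: close\r\n\r\n"
            else:
                reply = b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\nConnection: close\r\n\r\n"
            conn.sendall(reply)
    except ssl.SSLError:
        pass  # CERT_REQUIRED path: handshake aborted, fatal alert already sent
    finally:
        raw.close()


def probe(port):
    """Connect with no client certificate and classify how the server refused us."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # the demo server is self-signed
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    raw = socket.create_connection(("127.0.0.1", port), timeout=5)
    try:
        conn = ctx.wrap_socket(raw, server_hostname="localhost")
    except ssl.SSLError as exc:
        # Fatal alert during the handshake: the signal that makes a browser
        # re-examine its client certificates (the required_reset behaviour).
        return ("tls_alert", exc.reason)
    with conn:
        conn.sendall(b"GET / HTTP/1.1\r\nHost: localhost\r\nConnection: close\r\n\r\n")
        status = conn.recv(4096).split(b"\r\n", 1)[0].split()[1].decode()
    return ("http", status)


def run_demo(tls_layer):
    """Start a one-shot server of the chosen style and probe it."""
    with tempfile.TemporaryDirectory() as tmp:
        cert, key = make_self_signed_cert(tmp)
        ctx = server_context(cert, key, tls_layer)
        listener = socket.socket()
        listener.bind(("127.0.0.1", 0))
        listener.listen(1)
        worker = threading.Thread(target=serve_one, args=(listener, ctx), daemon=True)
        worker.start()
        try:
            return probe(listener.getsockname()[1])
        finally:
            worker.join(5)
            listener.close()


if __name__ == "__main__":
    print("required_reset-style server:", run_demo(tls_layer=True))
    print("required-style server:      ", run_demo(tls_layer=False))
```

Against a real IHS instance the same distinction is visible with openssl s_client and no -cert argument: a "required_reset" virtual host terminates the handshake with an alert, whereas a "required" virtual host completes the handshake and only answers a subsequently typed GET request with a 403.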
Temporary fix
Comments
APAR Information
APAR number
PK69212
Reported component name
IBM HTTP SERVER
Reported component ID
5724J0801
Reported release
60A
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2008-07-17
Closed date
2008-08-06
Last modified date
2008-08-06
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
IBM HTTP SERVER
Fixed component ID
5724J0801
Applicable component levels
R60A PSN
UP
R60H PSN
UP
R60P PSN
UP
R60I PSN
UP
R60S PSN
UP
R60W PSN
UP
R60Z PSN
UP
R61A PSN
UP
R61H PSN
UP
R61P PSN
UP
R61I PSN
UP
R61S PSN
UP
R61W PSN
UP
R61Z PSN
UP
Document Information
Modified date:
07 September 2022