APAR status
Closed as program error.
Error description
IBM HTTP Server v6.0: mod_proxy_connect may time out when SSL is enabled and the client sends an SSL frame with a size between 8K and 16K.
Local fix
Problem summary
USERS AFFECTED: IBM HTTP Server configurations with all of "ProxyRequests on", mod_proxy_connect loaded, and proxy clients connecting via a VirtualHost with SSLEnable
PROBLEM DESCRIPTION: mod_proxy_connect may time out when it processes incoming SSL requests where the SSL record length is between 8 and 16 kilobytes.
RECOMMENDATION: Generally, browser-based clients do not simultaneously use SSL on the connection to the proxy server and the CONNECT protocol of mod_proxy_connect. If a custom client that uses both SSL and the CONNECT protocol is using IHS as a forward proxy, customers should apply this fix.
mod_proxy_connect creates a tunnel between the client and the origin server, and traditionally reads from a plaintext connection on the client side. When the client uses SSL for the forward proxy connection, mod_proxy_connect fails to recognize that new data is available from the client because it has been buffered by the GSKit security library. Because mod_proxy_connect reads data 8 kilobytes at a time, only when the SSL record exceeded 8 kilobytes did GSKit have an opportunity to buffer the data.
Problem conclusion
mod_proxy_connect has been modified to always read all pending data from the GSKit security library before calling poll() on the native SSL socket. This avoids sleeping on a socket for which the GSKit security library has already read all outstanding data. This fix is targeted for fix packs 6.1.0.21 and 6.0.2.33.
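The stall and the corrected ordering can be reproduced with a small model. This is an added example, not IBM HTTP Server or GSKit code: `reclayer`, `rl_read`, `rl_pending` and `tunnel` are hypothetical names, and the 2-byte length framing and 200 ms poll timeout are constructed for the demonstration.

```c
#include <poll.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>
#define CHUNK  8192   /* tunnel read size given in the APAR */
#define MAXREC 16384  /* largest record in this model */

/* Toy record layer standing in for the TLS library (hypothetical, not GSKit). */
struct reclayer { int fd; unsigned char buf[MAXREC]; size_t len, off; };
static size_t rl_pending(const struct reclayer *r) { return r->len - r->off; }

/* Hand back up to n bytes; when empty, pull one whole record off the socket. */
static ssize_t rl_read(struct reclayer *r, void *out, size_t n) {
    if (rl_pending(r) == 0) {
        unsigned char hdr[2];   /* constructed framing: 2-byte big-endian length */
        if (recv(r->fd, hdr, 2, MSG_WAITALL) != 2) return -1;
        size_t len = ((size_t)hdr[0] << 8) | hdr[1];
        if (len > MAXREC || recv(r->fd, r->buf, len, MSG_WAITALL) != (ssize_t)len) return -1;
        r->len = len; r->off = 0;
    }
    if (n > rl_pending(r)) n = rl_pending(r);
    memcpy(out, r->buf + r->off, n);
    r->off += n;
    return (ssize_t)n;
}

/* Bytes tunnelled before poll() times out; drain_first=1 is the fixed ordering. */
static size_t tunnel(size_t record_len, int drain_first) {
    static unsigned char rec[2 + MAXREC];   /* constructed record, zero payload */
    unsigned char out[CHUNK];
    int sv[2]; size_t total = 0;
    if (record_len > MAXREC || socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0) return 0;
    rec[0] = (unsigned char)(record_len >> 8); rec[1] = (unsigned char)record_len;
    if (send(sv[0], rec, 2 + record_len, 0) != (ssize_t)(2 + record_len)) return 0;
    struct reclayer rl = { .fd = sv[1] };
    struct pollfd p = { .fd = sv[1], .events = POLLIN };
    for (;;) {
        while (drain_first && rl_pending(&rl) > 0)   /* fix: empty the library first */
            total += (size_t)rl_read(&rl, out, CHUNK);
        if (poll(&p, 1, 200) <= 0) break;            /* raw socket idle: stall */
        ssize_t n = rl_read(&rl, out, CHUNK);        /* one 8K read per wakeup */
        if (n <= 0) break;
        total += (size_t)n;
    }
    close(sv[0]); close(sv[1]);
    return total;
}
int main(void) {
    printf("12000-byte record: old=%zu fixed=%zu\n", tunnel(12000, 0), tunnel(12000, 1));
}
```

With a real TLS library the same check uses that library's own pending-bytes query before the socket is polled.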
Temporary fix
Comments
APAR Information
APAR number
PK68688
Reported component name
IBM HTTP SERVER
Reported component ID
5724J0801
Reported release
60I
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2008-07-08
Closed date
2008-08-06
Last modified date
2008-08-06
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Modules/Macros
PRXYCNCT
Fix information
Fixed component name
IBM HTTP SERVER
Fixed component ID
5724J0801
Applicable component levels
R60A PSN UP
R60H PSN UP
R60P PSN UP
R60I PSN UP
R60S PSN UP
R60W PSN UP
R60Z PSN UP
R61A PSN UP
R61H PSN UP
R61P PSN UP
R61I PSN UP
R61S PSN UP
R61W PSN UP
R61Z PSN UP
Document Information
Modified date:
07 September 2022