PM73304: ADD MOD_SSL'S SSLPROXYCHECKPEERCN TO IBM HTTP SERVER

Fixes are available

7.0.0.27: WebSphere Application Server V7.0 Fix Pack 27
8.5.0.2: WebSphere Application Server V8.5 Fix Pack 2
8.0.0.6: WebSphere Application Server V8.0 Fix Pack 6

APAR status

Closed as program error.

Error description

mod_ssl provides a directive named "SSLProxyCheckPeerCN" which
is not present in mod_ibm_ssl, but required for integration
with mod_proxy.

Local fix

Problem summary

****************************************************************
* USERS AFFECTED:  IBM HTTP Server users with "SSLProxyEngine  *
*                  ON" in their configuration                  *
****************************************************************
* PROBLEM DESCRIPTION: IBM HTTP Server does not provide an     *
*                      option to check the certificate of      *
*                      servers mod_proxy is configured to      *
*                      proxy to.                               *
****************************************************************
* RECOMMENDATION:  Apply this fix and enable                   *
*                  SSLProxyCheckPeerCn                         *
*                  if "SSLProxyEngine" ON is configured and    *
*                  backend checking of certificate details is  *
*                  desired.                                    *
****************************************************************
When mod_proxy connects to a backend SSL server, IBM HTTP
Server validates the certificate but does not compare the
common name to the backend server being connected to.

Problem conclusion

SSLProxyCheckPeerCn was added to mod_ibm_ssl which configures
this backend certificate/hostname verificiation.  In future
releases, SSLProxyCheckPeerCN will be enabled by default.

This fix is targeted for IHS fixpacks:
 - 6.1.0.47
 - 7.0.0.27
 - 8.0.0.6
 - 8.5.0.2

Temporary fix

Comments

APAR Information

APAR number
PM73304
Reported component name
IBM HTTP SERVER
Reported component ID
5724J0801
Reported release
700
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt
Submitted date
2012-09-20
Closed date
2012-10-08
Last modified date
2012-10-08

APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:

Fix information

Fixed component name
IBM HTTP SERVER
Fixed component ID
5724J0801

Applicable component levels

R61A PSY
UP
R61H PSY
UP
R61I PSY
UP
R61P PSY
UP
R61S PSY
UP
R61W PSY
UP
R61Z PSY
UP
R700 PSY
UP
R800 PSY
UP
R850 PSY
UP

Rate this page:

(0 users)Average rating

Copyright and trademark information

IBM, the IBM logo and ibm.com are trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at www.ibm.com/legal/copytrade.shtml.

Document information

IBM HTTP Server

Runtime

Software version:
7.0

Reference #:
PM73304

Modified date:
2012-10-08

PM73304: ADD MOD_SSL'S SSLPROXYCHECKPEERCN TO IBM HTTP SERVER

Fixes are available

Subscribe

APAR status

Closed as program error.

Error description

Local fix

Problem summary

Problem conclusion

Temporary fix

Comments

APAR Information

APAR number

Reported component name

Reported component ID

Reported release

Status

PE

HIPER

Special Attention

Submitted date

Closed date

Last modified date

APAR is sysrouted FROM one or more of the following:

APAR is sysrouted TO one or more of the following:

Fix information

Fixed component name

Fixed component ID

Applicable component levels

R61A PSY

R61H PSY

R61I PSY

R61P PSY

R61S PSY

R61W PSY

R61Z PSY

R700 PSY

R800 PSY

R850 PSY

Rate this page:

Copyright and trademark information

Rate this page:

Add comments

Document information

Translate my page

Content navigation

Footer links