PM73304: ADD MOD_SSL'S SSLPROXYCHECKPEERCN TO IBM HTTP SERVER

Subscribe

You can track all active APARs for this component.

APAR status

  • Closed as program error.

Error description

  • mod_ssl provides a directive named "SSLProxyCheckPeerCN" which
    is not present in mod_ibm_ssl, but required for integration
    with mod_proxy.
    

Local fix

Problem summary

  • ****************************************************************
    * USERS AFFECTED:  IBM HTTP Server users with "SSLProxyEngine  *
    *                  ON" in their configuration                  *
    ****************************************************************
    * PROBLEM DESCRIPTION: IBM HTTP Server does not provide an     *
    *                      option to check the certificate of      *
    *                      servers mod_proxy is configured to      *
    *                      proxy to.                               *
    ****************************************************************
    * RECOMMENDATION:  Apply this fix and enable                   *
    *                  SSLProxyCheckPeerCn                         *
    *                  if "SSLProxyEngine" ON is configured and    *
    *                  backend checking of certificate details is  *
    *                  desired.                                    *
    ****************************************************************
    When mod_proxy connects to a backend SSL server, IBM HTTP
    Server validates the certificate but does not compare the
    common name to the backend server being connected to.
    

Problem conclusion

  • SSLProxyCheckPeerCn was added to mod_ibm_ssl which configures
    this backend certificate/hostname verificiation.  In future
    releases, SSLProxyCheckPeerCN will be enabled by default.
    
    This fix is targeted for IHS fixpacks:
     - 6.1.0.47
     - 7.0.0.27
     - 8.0.0.6
     - 8.5.0.2
    

Temporary fix

Comments

APAR Information

  • APAR number

    PM73304

  • Reported component name

    IBM HTTP SERVER

  • Reported component ID

    5724J0801

  • Reported release

    700

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2012-09-20

  • Closed date

    2012-10-08

  • Last modified date

    2012-10-08

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    IBM HTTP SERVER

  • Fixed component ID

    5724J0801

Applicable component levels

  • R61A PSY

       UP

  • R61H PSY

       UP

  • R61I PSY

       UP

  • R61P PSY

       UP

  • R61S PSY

       UP

  • R61W PSY

       UP

  • R61Z PSY

       UP

  • R700 PSY

       UP

  • R800 PSY

       UP

  • R850 PSY

       UP



Rate this page:

(0 users)Average rating

Add comments

Document information


More support for:

IBM HTTP Server
Runtime

Software version:

7.0

Reference #:

PM73304

Modified date:

2012-10-08

Translate my page

Machine Translation

Content navigation