IBM Support

PM87247: Additional certificate attributes are needed as fields accessible to the SSLClientAuthRequire directive

Subscribe

You can track all active APARs for this component.

 

APAR status

  • Closed as new function.

Error description

  • The SSLClientAuthRequire directive should be able to access
    additional certificate attributes to allow more possibilities
    for restricting access by uniquely identifying clients.
    

Local fix

Problem summary

  • ****************************************************************
    * USERS AFFECTED:  IBM HTTP Server users with SSL enabled and  *
    *                  using the SSLClientAuthRequire directive    *
    ****************************************************************
    * PROBLEM DESCRIPTION: Some certificate attributes were not    *
    *                      available as expected to the            *
    *                      SSLClientAuthRequire directive          *
    ****************************************************************
    * RECOMMENDATION:  Apply this fix if using                     *
    *                  SSLClientAuthRequire and you need the       *
    *                  additional certificate attributes.          *
    ****************************************************************
    Three additional certificate attributes were made available to
    SSLClientAuthRequire:
    Long Name      / Short Name / value
    -------------------------------------------
    FINGERPRINT    / FP         / sha1 fingerprint
    (distributed platforms only)
    FINGERPRINT256 / FP256      / sha256 fingerprint
    (distributed platforms only)
    SERIAL         / SN         / serial number of cert.
    Three corresponding environment variables were also added
    accessible to mod_rewrite, setenvif, and logging:
    - SSL_CLIENT_SERIALNUM
    - SSL_CLIENT_SHA1
    - SSL_CLIENT_SHA256
    The fingerprint format is hex characters with no separator.
    The serial number is hex characters separated by colons.
    

Problem conclusion

  • Additional certificate attributes were made available to the
    SSLClientAuthRequire directive.
    
    This fix is targeted for IBM HTTP Server fix packs packs:
     - 8.0.0.7
     - 8.5.5.1
    

Temporary fix

Comments

APAR Information

  • APAR number

    PM87247

  • Reported component name

    IHS HV REDHAT

  • Reported component ID

    5725C0400

  • Reported release

    850

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2013-04-17

  • Closed date

    2013-05-31

  • Last modified date

    2013-05-31

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    IBM HTTP SERVER

  • Fixed component ID

    5724J0801

Applicable component levels

  • R800 PSY

       UP

  • R850 PSY

       UP

[{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSEQTJ","label":"IBM HTTP Server"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"8.5","Line of Business":{"code":"LOB45","label":"Automation"}}]

Document Information

Modified date:
07 September 2022