IHS and OpenSSL

Technote (FAQ)


Question

How is IBM® HTTP Server (IHS) related to OpenSSL?

Answer

On Apache HTTP Server, SSL functionality is provided by the module "mod_ssl", which is part of OpenSSL. Although IBM HTTP Server is based on Apache, it does not use "mod_ssl" for SSL; instead it ships its own GSKit implementation, which interfaces with a module named "mod_ibm_ssl".

Furthermore, OpenSSL (mod_ssl) is not supported as a module within the IBM HTTP Server.

Vulnerabilities which are reported against OpenSSL do not apply to the IBM HTTP Server.

For any relevant security issues with IHS, users are encouraged to apply the latest IBM HTTP Server fix pack level to ensure the web server is patched with the latest security fixes.


Display of included vulnerability fixes

The -V option of the httpd.exe command (Windows®) or the apachectl command (UNIX® and Linux®) lists the CVE IDs of the included vulnerability fixes. Example:

/IHS70/bin # ./apachectl -V
Server version: IBM_HTTP_Server/7.0.0.31 (Unix)
Apache version: 2.2.8 (with additional fixes)
Server built:   Sep 10 2013 11:42:42
Build level:    IHS70/webIHS1336.01
Server's Module Magic Number: 20051115:21
Server loaded:  APR 1.2.12, APR-Util 1.2.12
Compiled using: APR 1.2.12, APR-Util 1.2.12
Architecture:   32-bit
Server MPM:     Worker
  threaded:     yes (fixed thread count)
    forked:     yes (variable process count)
Server compiled with....
 -D APACHE_MPM_DIR="server/mpm/worker"
 -D APR_HAS_SENDFILE
 -D APR_HAS_MMAP
 -D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
 -D APR_USE_SYSVSEM_SERIALIZE
 -D APR_USE_PTHREAD_SERIALIZE
 -D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
 -D APR_HAS_OTHER_CHILD
 -D AP_HAVE_RELIABLE_PIPED_LOGS
 -D DYNAMIC_MODULE_LIMIT=128
 -D HTTPD_ROOT="/usr/IBMIHS"
 -D SUEXEC_BIN="/usr/IBMIHS/bin/suexec"
 -D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
 -D DEFAULT_ERRORLOG="logs/error_log"
 -D AP_TYPES_CONFIG_FILE="conf/mime.types"
 -D SERVER_CONFIG_FILE="conf/httpd.conf"
Apache vulnerability fixes included:
  CVE-2005-3352  CVE-2005-3357  CVE-2006-3918  CVE-2006-3747
  CVE-2007-4465  CVE-2007-1862  CVE-2006-5752  CVE-2007-3304
  CVE-2007-1863  CVE-2007-3847  CVE-2008-0005  CVE-2007-5000
  CVE-2007-6388  CVE-2007-6422  CVE-2007-6421  CVE-2006-7225
  CVE-2007-6420  CVE-2008-2364  CVE-2008-2939  CVE-2009-1195
  CVE-2009-1955  CVE-2009-0023  CVE-2009-1956  CVE-2009-1890
  CVE-2009-1891  CVE-2009-2412  CVE-2009-1191  CVE-2009-3094
  CVE-2009-3095  CVE-2009-3555  CVE-2010-0408  CVE-2010-0434
  CVE-2010-1452  CVE-2010-1623  CVE-2009-3560  CVE-2009-3720
  CVE-2011-0419  CVE-2011-1928  CVE-2011-3192  CVE-2011-3348
  CVE-2011-3368  CVE-2011-3639  CVE-2011-4317  CVE-2011-3607
  CVE-2012-0717  CVE-2012-0031  CVE-2012-0053  CVE-2012-0883
  CVE-2012-2190  CVE-2012-2191  CVE-2012-2687  CVE-2012-4558
  CVE-2012-3499  CVE-2012-4557  CVE-2013-0169  CVE-2013-1862
  CVE-2013-1896

This list does not necessarily include vulnerabilities which do not apply to IBM HTTP Server on any platform, such as mod_ssl vulnerabilities. It does not necessarily include vulnerabilities already fixed in the base level of Apache included in IBM HTTP Server.
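
The following script is an added example, not part of the original technote or of IBM's tooling. It extracts the "Apache vulnerability fixes included:" section from -V output and reports which of the CVE IDs given as arguments appear in it. The function names are hypothetical, the sample input is a trimmed copy of the output above, and CVE-0000-0000 is a placeholder ID.

```shell
#!/usr/bin/env bash
# Added example (not IBM code): check CVE IDs against the fixes list in -V output.
# Real use: ./apachectl -V | ihs_check_cves CVE-2011-3192

# Constructed sample: a trimmed copy of the -V output shown above.
sample_output() {
  cat <<'EOF'
Server version: IBM_HTTP_Server/7.0.0.31 (Unix)
 -D SERVER_CONFIG_FILE="conf/httpd.conf"
Apache vulnerability fixes included:
  CVE-2009-3555  CVE-2010-0408  CVE-2010-0434
  CVE-2011-3192  CVE-2011-3348
  CVE-2013-1896
EOF
}

# Read -V output on stdin; print each CVE ID from the fixes section, one per line.
ihs_fixed_cves() {
  awk '
    /^Apache vulnerability fixes included:/ { in_list = 1; next }
    in_list && /^[ \t]+CVE-/ {
      for (i = 1; i <= NF; i++) if ($i ~ /^CVE-[0-9]+-[0-9]+$/) print $i
      next
    }
    in_list { in_list = 0 }   # any other line ends the section
  ' | sort -u
}

# Read -V output on stdin; report each CVE ID given as an argument.
# Exit status: 0 = all listed, 1 = at least one not listed, 2 = no fixes section.
ihs_check_cves() {
  local fixed cve rc=0
  fixed=$(ihs_fixed_cves)
  if [ -z "$fixed" ]; then
    echo "no 'Apache vulnerability fixes included:' section found" >&2
    return 2
  fi
  for cve in "$@"; do
    if printf '%s\n' "$fixed" | grep -qxF -- "$cve"; then
      echo "$cve listed"
    else
      # Not proof of exposure: the list omits fixes in the base Apache level
      # and vulnerabilities that do not apply to IHS (for example mod_ssl).
      echo "$cve not-listed"
      rc=1
    fi
  done
  return "$rc"
}

sample_output | ihs_check_cves CVE-2013-1896 CVE-0000-0000 || true
```
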

Related information

Open SSL
IBM HTTP Server Support

Document information


More support for:

IBM HTTP Server
SSL

Software version:

2.0, 6.0, 6.1, 7.0, 8.0, 8.5

Operating system(s):

AIX, HP-UX, Linux, Solaris, Windows

Software edition:

Edition Independent

Reference #:

1383959

Modified date:

2014-06-13
