How is IBM® HTTP Server (IHS) related to OpenSSL?
On Apache HTTP Server, SSL functionality is provided by the module "mod_ssl", which is part of OpenSSL. Although IBM HTTP Server is based on Apache, it does not use "mod_ssl" for SSL; instead it ships its own GSKit implementation, which interfaces with a module named "mod_ibm_ssl".
Furthermore, OpenSSL (mod_ssl) is not supported as a module within the IBM HTTP Server.
Vulnerabilities reported against OpenSSL do not apply to the IBM HTTP Server. For any relevant security issues with IHS, users are encouraged to apply the latest IBM HTTP Server fix pack level to ensure the web server is patched with the latest security fixes.
Display of included vulnerability fixes
The -V option of the httpd.exe command (Windows®) or the apachectl command (UNIX® and Linux®) lists the CVE IDs of the vulnerability fixes included in the build. Example:
$ /opt/IHS602/bin/apachectl -V
Server version: IBM_HTTP_Server/220.127.116.11 Apache/2.0.47
Server built: Feb 28 2006 17:44:21
Build level: IHS60/web_IHS0609.04
Server's Module Magic Number: 20020903:4
Server compiled with....
-D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
Apache vulnerability fixes included:
CVE-2002-1156 CVE-2002-0840 CVE-2003-0132 CVE-2003-0134
CVE-2003-0189 CVE-2003-0245 CVE-2003-0254 CVE-2003-0253
CVE-2003-0192 CVE-2003-0789 CVE-2003-0542 CVE-2004-0174
CVE-2004-0493 CVE-2004-0747 CVE-2004-0786 CVE-2004-0809
CVE-2004-0942 CVE-2003-0020 CVE-2005-2088 CVE-2005-2728
CVE-2005-2491 CVE-2005-2970 CVE-2005-3352
This list does not necessarily include vulnerabilities which do not apply to IBM HTTP Server on any platform, such as mod_ssl vulnerabilities. It does not necessarily include vulnerabilities already fixed in the base level of Apache included in IBM HTTP Server.
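To check a specific CVE against this list during patch verification, the section can be parsed from the -V output. The following is an added example, not IBM code; the function names and the abbreviated sample output are constructed for illustration. A "not listed" result is inconclusive, for the reasons given in the paragraph above.

```shell
#!/bin/sh
# Real use: /opt/IHS602/bin/apachectl -V | check_cve CVE-2005-2970

# Constructed sample, abbreviated from the apachectl -V output shown above.
sample_output() {
cat <<'EOF'
Server built: Feb 28 2006 17:44:21
Server's Module Magic Number: 20020903:4
Apache vulnerability fixes included:
CVE-2002-1156 CVE-2002-0840 CVE-2003-0132 CVE-2003-0134
CVE-2005-2491 CVE-2005-2970 CVE-2005-3352
EOF
}

# Read -V output on stdin; print one CVE ID per line from the
# "vulnerability fixes included:" section only.
list_fixed_cves() {
    awk '
        /vulnerability fixes included:/ { in_list = 1; next }
        in_list {
            found = 0
            for (i = 1; i <= NF; i++)
                if ($i ~ /^CVE-[0-9][0-9][0-9][0-9]-[0-9]+$/) { print $i; found = 1 }
            if (!found) in_list = 0   # first line without a CVE ID ends the section
        }
    '
}

# check_cve CVE-ID  (reads -V output on stdin)
# Exit status: 0 = fix listed, 1 = not listed (inconclusive),
#              2 = no fix list found in the input at all.
check_cve() {
    ids=$(list_fixed_cves)
    [ -n "$ids" ] || return 2
    printf '%s\n' "$ids" | grep -qxF -- "$1"
}

# Demonstration against the constructed sample.
if sample_output | check_cve CVE-2005-2970; then
    echo "CVE-2005-2970: fix listed in this build"
fi
```

Exit status 2 separates "this binary printed no fix list" from "the CVE is absent from the list", which matters when the same check runs across hosts with different server builds.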