Security: IBM HTTP Server interoperability with Internet Explorer 7 on Windows Vista
 Flash (Alert)
 
Abstract
The default Internet Explorer 7 settings on Windows® Vista enable Transport Layer Security extensions for all HTTPS connections and this has been found to cause HTTPS (SSL) initial handshake failures with certain levels of IBM® HTTP Server.
 
Content
When the initial SSL handshake from Internet Explorer 7 on Vista fails, Internet Explorer 7 retries without Transport Layer Security extensions. The second handshake should succeed; however, the IBM HTTP Server error log will contain the following message from the initial handshake failure:

[warn] SSL0235W: SSL Handshake Failed, Invalid peer.
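The difference between the two handshakes is whether the ClientHello carries a TLS extensions block. The following is an added example, not code from the technote or from IBM: it builds a constructed TLS 1.0 ClientHello with and without an extensions block (here a server_name extension for the sample host example.com) and parses a record to report which extension types are present, so an administrator can check a captured ClientHello to see whether a client is sending extensions at all.

```python
"""Added example (not from the IBM technote): build and parse a TLS 1.0 ClientHello
to tell an extended hello (what IE7 on Vista sends first) from a plain one (the retry).
Against real traffic, call parse_client_hello() on the captured record bytes."""
import struct

def _sni_extension(host: str) -> bytes:
    # server_name extension (type 0); the host name is constructed sample data
    name = host.encode()
    entry = b"\x00" + struct.pack("!H", len(name)) + name   # name_type 0 = host_name
    lst = struct.pack("!H", len(entry)) + entry
    return struct.pack("!HH", 0, len(lst)) + lst

def build_client_hello(with_extensions: bool, host: str = "example.com") -> bytes:
    """Constructed TLS 1.0 ClientHello record, with or without an extensions block."""
    body = b"\x03\x01" + bytes(32)             # client_version, random (zeros in the sample)
    body += b"\x00"                             # empty session_id
    suites = b"\x00\x2f\x00\x0a"                # TLS_RSA_WITH_AES_128_CBC_SHA, 3DES_EDE_CBC_SHA
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                         # one compression method: null
    if with_extensions:
        ext = _sni_extension(host)
        body += struct.pack("!H", len(ext)) + ext
    hs = b"\x01" + len(body).to_bytes(3, "big") + body   # handshake type 1 = client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

def parse_client_hello(rec: bytes) -> dict:
    """Return version, cipher suites and the list of extension types (empty if none)."""
    if rec[0] != 0x16 or rec[5] != 0x01:
        raise ValueError("not a ClientHello handshake record")
    p = 9                                       # skip record (5) and handshake (4) headers
    end = 9 + int.from_bytes(rec[6:9], "big")   # end of the handshake body
    version = (rec[p], rec[p + 1]); p += 2 + 32 # version, then 32-byte random
    p += 1 + rec[p]                             # session_id
    n = struct.unpack("!H", rec[p:p + 2])[0]; p += 2
    suites = [struct.unpack("!H", rec[i:i + 2])[0] for i in range(p, p + n, 2)]; p += n
    p += 1 + rec[p]                             # compression methods
    exts = []
    if p < end:                                 # extensions block is optional; old clients omit it
        n = struct.unpack("!H", rec[p:p + 2])[0]; p += 2
        stop = p + n
        while p < stop:
            etype, elen = struct.unpack("!HH", rec[p:p + 4]); p += 4 + elen
            exts.append(etype)
    return {"version": version, "cipher_suites": suites, "extensions": exts}
```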

Although the second handshake should succeed, there will be a degradation in performance. The following table shows the minimum service levels required to avoid the second handshake:

Version   Minimum service level needed
-------   ----------------------------------------
6.1       No Fix Pack needed (Note 2)
6.0       Fix Pack 6.0.2.9 (Note 2)
2.0.47    PK29827 plus PK13784 (Note 4)
2.0.42    PK29827 plus PK16529 (Note 4)
1.3.28    PK27875 plus PK13784 (Note 4)
1.3.26    PK27875 plus PK16529 (Note 4)
1.3.19    Fix Pack 6 plus PK16529 (Note 4)

For additional information on the update path for each release of IBM HTTP Server, or to download the minimum service level needed, see:

  1. This problem does not occur when Internet Explorer 7 is running on Windows XP.
  2. There is no version of GSKit for IBM HTTP Server V6.0.2 or V6.1 on HP-UX PA-RISC which both supports Federal Information Processing Standards (FIPS) and will also avoid the above problem. If you require FIPS support, continue to use GSKit 7.0.3.9, which is provided with the current service levels of IBM HTTP Server V6.1 and V6.0.2. Upgrade GSKit to 7.0.3.20 (PK13784) if compatibility with Internet Explorer 7 on Vista is required. For all platforms other than HP-UX PA-RISC, the IBM HTTP Server V6.0.2.9 Fix Pack (or higher) will update GSKit to the required level.
  3. There is no version of GSKit for IBM HTTP Server 1.3.12 which both has a Denial of Service fix and will also avoid the above problem. IBM HTTP Server 1.3.12 Fix Pack 7 does not exhibit the above problem; however, it is recommended that APAR PQ86671 be applied on top of IBM HTTP Server 1.3.12 Fix Pack 7 in order to avoid a potential Denial of Service vulnerability. The GSKit version installed by APAR PQ86671 does exhibit the above problem. There are no plans to provide a GSKit for IBM HTTP Server 1.3.12 that will address both issues simultaneously.
  4. For versions of IBM HTTP Server where both an HTTP Server and GSKit update are provided in separate APARs, both APARs should be applied.
 
 
Cross Reference information
Segment:    Application Servers
Product:    WebSphere Application Server
Component:  IBM HTTP Server
Platform:   AIX, HP-UX, Linux, Solaris, Windows
Version:    6.1, 6.0, 5.1, 5.0
Edition:    Base, Express, Network Deployment
 
 


Document Information


Product categories: Software > Application Servers > Distributed Application & Web Servers > IBM HTTP Server
Operating system(s): Windows
Software version: 6.1
Software edition:
Reference #: 1245791
IBM Group: Software Group
Modified date: Sep 14, 2006