PQ74834: WHEN CHECKING BROWSER'S ENCRYPTION LEVEL, KEYS ARE TRANSLATING TO SHORT FORM INSTEAD OF FULL NAME

 Fixes are available

5.0.2: WebSphere Application Server Version 5.0 Fix Pack 2 (Version 5.0.2)
PQ86603: IBM HTTP Server V2.0.x mod_alias/mod_rewrite conflict with V5.0 plug-in



APAR status
Closed as program error.

Error description
Problem occurs when using Internet Explorer 5.5, with 128 bits
encryption to browse the site using https.  We have an
encryption checking function in our application on the WAS 5
server. It checks the encryption ciper specifications from the
browser to find out which encryption level of te browser.  If
the level is less than 128, the https is not allowed to use for
the site. For Internet Explorer 5.5 with 128 bits encryption,
the cipher spec is "SSL_RSA_WITH_RC4_128_SHA", but WAS received
as "RC4-SHA".  For Netscape 4.7 with 128 bits encryption, the
cipher spec is "SSL_RSA_WITH_RC4_128_MD5",  but WAS receives
it as "RC4-MD5". When bypassing the WebServer and the Plugin,
the cipher spec is delivered correctly.
Local fix
The customer modified their application to accept the short
description.  This allowed the application to work as a
work around.
Problem summary
****************************************************************
* USERS AFFECTED: All WebSphere Application Server users.      *
****************************************************************
* PROBLEM DESCRIPTION: Corrected the mapping for cipher        *
*                      suite names                             *
*                      TLS_RSA_EXPORT1024_WITH_RC4_56_SHA      *
*                      and TLS_RSA_EXPORT1024_WITH_DES_C       *
*                      BC_SHA so the correct cipher name is    *
*                      sent to the appserver (per OpenSSL      *
*                      standards).                             *
****************************************************************
* RECOMMENDATION:                                              *
****************************************************************
Because the set of possible cipher suite names vary depending
on the webserver, cipher suite names are normalized in the
plugin before being forwarded to the Application Server.  This
defect corrected the mapping for
TLS_RSA_EXPORT1024_WITH_RC4_56_SHA and
TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA.

The mappings for the cipher suite names are below:
IHS LONG NAME                         SHORT NAME
SSL_DES_192_EDE3_CBC_WITH_MD5         DES-CBC3-MD5
SSL_RC4_128_WITH_MD5                  RC4-MD5
SSL_RC2_CBC_128_CBC_WITH_MD5          RC2-MD5
SSL_DES_64_CBC_WITH_MD5               DES-CBC-MD5
SSL_RC4_128_EXPORT40_WITH_MD5         EXP-RC4-MD5
SSL_RC2_CBC_128_CBC_EXPORT40_WITH_MD5 EXP-RC2-MD5
SSL_RSA_WITH_3DES_EDE_CBC_SHA         DES-CBC3-SHA
SSL_RSA_WITH_RC4_128_SHA              RC4-SHA
SSL_RSA_WITH_RC4_128_MD5              RC4-MD5
SSL_RSA_WITH_DES_CBC_SHA              DES-CBC-SHA
SSL_RSA_EXPORT_WITH_RC4_40_MD5        EXP-RC4-MD5
SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5    EXP-RC2-CBC-MD5
TLS_RSA_EXPORT1024_WITH_RC4_56_SHA    EXP1024-RC4-SHA
TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA   EXP1024-DES-CBC-SHA

IPLANET/SUNONE LONG NAME              SHORT NAME
DES-EDE3-CBC_168                      DES-CBC3-MD5
RC4_128                               RC4-MD5
RC2-CBC_128                           RC2-MD5
DES-CBC_56                            DES-CBC-MD5
RC4-Export_40                         EXP-RC4-MD5
RC2-CBC-Export_40                     EXP-RC2-MD5
3DES-EDE-CBC_168                      DES-CBC3-SHA
RC4_128                               RC4-MD5
DES-CBC_56                            DES-CBC-SHA
RC4-40_40                             EXP-RC4-MD5
RC2-CBC-40_40                         EXP-RC2-CBC-MD5
Customers who need to know the exact cipher name in their
application should refer to the above list.
Problem conclusion
Updated the plugin so that cipher suite names
TLS_RSA_EXPORT1024_WITH_RC4_56_SHA and
TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA correctly mapped to
EXP1024-RC4-SHA and EXP1024-DES-CBC-SHA respectively.
Temporary fix Comments
APAR information
APAR number PQ74834
Reported component name WAS BASE 5.0
Reported component ID 5630A3600
Reported release 00A
Status CLOSED PER
PE NoPE
HIPER NoHIPER
Special Attention NoSpecatt
Submitted date 2003-06-03
Closed date 2003-06-03
Last modified date 2003-06-13

APAR is sysrouted FROM one or more of the following:
PQ74219

APAR is sysrouted TO one or more of the following:

Modules/Macros
Plugin          

Publications Referenced

Fix information
Fixed component name WAS BASE 5.0
Fixed component ID 5630A3600

Applicable component levels
R003 PSY    UP
R00A PSY    UP
R00H PSY    UP
R00I PSY    UP
R00S PSY    UP
R00W PSY    UP


Document Information


Product categories: Software > Application Servers > Distributed Application & Web Servers > WebSphere Application Server > General
Operating system(s):
Software version: 00A
Software edition:
Reference #: PQ74834
IBM Group: Software Group
Modified date: Jun 13, 2003