Abstract
The default Internet Explorer 7 settings on Windows® Vista
enable Transport Layer Security extensions for all HTTPS connections and
this has been found to cause HTTPS (SSL) initial handshake failures with
certain levels of IBM® HTTP Server.

Content
When the initial SSL handshake from Internet Explorer 7 on
Vista fails, Internet Explorer 7 will retry without Transport Layer
Security extensions. The second handshake should succeed; however, the IBM
HTTP Server error log will contain the following message due to the
initial handshake failure:

[warn] SSL0235W: SSL Handshake Failed, Invalid peer.

Although the second handshake should succeed, there will be a degradation
in performance. The following table shows the minimum service levels
required to avoid the second handshake:

| Version | Minimum service level needed |
|---------|------------------------------|
| 6.1 | No Fix Pack needed (Note 2) |
| 6.0 | Fix Pack 6.0.2.9 (Note 2) |
| 2.0.47 | PK29827 plus PK13784 (Note 4) |
| 2.0.42 | PK29827 plus PK16529 (Note 4) |
| 1.3.28 | PK27875 plus PK13784 (Note 4) |
| 1.3.26 | PK27875 plus PK16529 (Note 4) |
| 1.3.19 | Fix Pack 6 plus PK16529 (Note 4) |

For additional information on the update path for each release of IBM
HTTP Server, or to download the minimum service level needed, see:
- Note 1: This problem does not occur when Internet Explorer 7 is running on
Windows XP.
- Note 2: There is no version of GSKit for IBM HTTP Server V6.0.2 or V6.1 on
HP-UX PA-RISC which both supports Federal Information Processing Standards
(FIPS) and will also avoid the above problem. If you require FIPS support,
continue to use GSKit 7.0.3.9, which is provided with the current service
levels of IBM HTTP Server V6.1 and V6.0.2. Upgrade GSKit to 7.0.3.20
(PK13784) if compatibility with Internet Explorer 7 on Vista is required.
For all platforms other than HP-UX PA-RISC, the IBM HTTP Server V6.0.2.9
Fix Pack (or higher) will update GSKit to the required level.
- Note 3: There is no version of GSKit for IBM HTTP Server 1.3.12 which both has
a Denial of Service fix and will also avoid the above problem. IBM HTTP
Server 1.3.12 Fix Pack 7 does not exhibit the above problem; however, it
is recommended that APAR PQ86671 be applied on top of IBM HTTP Server
1.3.12 Fix Pack 7 in order to avoid a potential Denial of Service
vulnerability. The GSKit version installed by APAR PQ86671 does exhibit
the above problem. There are no plans to provide a GSKit for IBM HTTP
Server 1.3.12 that will address both issues simultaneously.
- Note 4: For versions of IBM HTTP Server where both an HTTP Server and GSKit
update are provided in separate APARs, both APARs should be applied.
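
To gauge how many clients are hitting the initial handshake failure described above, the error log can be tallied by client address. This is an added example, not IBM code; it assumes an Apache-style error log prefix with an optional [client ...] field, and the sample log lines are constructed.

```python
import re
from collections import Counter

# Message text exactly as quoted on this page.
MESSAGE = "SSL0235W: SSL Handshake Failed, Invalid peer."

# Assumption: Apache-style error log prefix "[time] [level] [client ADDR] ...".
# The [client ...] field is optional; adjust the pattern to your log layout.
PREFIX = re.compile(
    r"^\[(?P<time>[^\]]+)\]\s+\[(?P<level>\w+)\]"
    r"(?:\s+\[client (?P<client>[^\]]+)\])?"
)

# Constructed sample lines (documentation address ranges), not real log data.
SAMPLE_LOG = """\
[Mon Feb 05 10:15:01 2007] [warn] [client 192.0.2.10] SSL0235W: SSL Handshake Failed, Invalid peer.
[Mon Feb 05 10:15:09 2007] [error] [client 192.0.2.10] File does not exist: /srv/htdocs/favicon.ico
[Mon Feb 05 10:16:40 2007] [warn] [client 198.51.100.7] SSL0235W: SSL Handshake Failed, Invalid peer.
[Mon Feb 05 10:17:02 2007] [warn] SSL0235W: SSL Handshake Failed, Invalid peer.
[Mon Feb 05 10:21:33 2007] [warn] [client 192.0.2.10] SSL0235W: SSL Handshake Failed, Invalid peer.
"""


def tally_handshake_failures(lines):
    """Count SSL0235W 'Invalid peer' entries per client address.

    Returns (Counter keyed by client, number of entries with no client field).
    """
    per_client = Counter()
    unattributed = 0
    for line in lines:
        if MESSAGE not in line:
            continue  # some other log entry
        match = PREFIX.match(line)
        client = match.group("client") if match else None
        if client:
            per_client[client] += 1
        else:
            unattributed += 1
    return per_client, unattributed


if __name__ == "__main__":
    clients, unknown = tally_handshake_failures(SAMPLE_LOG.splitlines())
    for client, count in clients.most_common():
        print(f"{count:5d}  {client}")
    print(f"{unknown:5d}  (no client field)")
```

Run it against the error log before and after applying the minimum service level; counts from Internet Explorer 7 on Vista clients should drop once the first handshake succeeds.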

Cross Reference information

| Segment | Product | Component | Platform | Version | Edition |
|---------|---------|-----------|----------|---------|---------|
| Application Servers | WebSphere Application Server | IBM HTTP Server | AIX, HP-UX, Linux, Solaris, Windows | 6.1, 6.0, 5.1, 5.0 | Base, Express, Network Deployment |