PQ74834: WHEN CHECKING BROWSER'S ENCRYPTION LEVEL, KEYS ARE TRANSLATING TO SHORT FORM INSTEAD OF FULL NAME | |||||||||||||||||||||||||||||||||||||||||||||||||||
![]() |
|||||||||||||||||||||||||||||||||||||||||||||||||||
![]() APAR status Closed as program error. Error description Problem occurs when using Internet Explorer 5.5, with 128 bits encryption to browse the site using https. We have an encryption checking function in our application on the WAS 5 server. It checks the encryption ciper specifications from the browser to find out which encryption level of te browser. If the level is less than 128, the https is not allowed to use for the site. For Internet Explorer 5.5 with 128 bits encryption, the cipher spec is "SSL_RSA_WITH_RC4_128_SHA", but WAS received as "RC4-SHA". For Netscape 4.7 with 128 bits encryption, the cipher spec is "SSL_RSA_WITH_RC4_128_MD5", but WAS receives it as "RC4-MD5". When bypassing the WebServer and the Plugin, the cipher spec is delivered correctly.Local fix The customer modified their application to accept the short description. This allowed the application to work as a work around.Problem summary **************************************************************** * USERS AFFECTED: All WebSphere Application Server users. * **************************************************************** * PROBLEM DESCRIPTION: Corrected the mapping for cipher * * suite names * * TLS_RSA_EXPORT1024_WITH_RC4_56_SHA * * and TLS_RSA_EXPORT1024_WITH_DES_C * * BC_SHA so the correct cipher name is * * sent to the appserver (per OpenSSL * * standards). * **************************************************************** * RECOMMENDATION: * **************************************************************** Because the set of possible cipher suite names vary depending on the webserver, cipher suite names are normalized in the plugin before being forwarded to the Application Server. This defect corrected the mapping for TLS_RSA_EXPORT1024_WITH_RC4_56_SHA and TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA. The mappings for the cipher suite names are below: IHS LONG NAME SHORT NAME SSL_DES_192_EDE3_CBC_WITH_MD5 DES-CBC3-MD5 SSL_RC4_128_WITH_MD5 RC4-MD5 SSL_RC2_CBC_128_CBC_WITH_MD5 RC2-MD5 SSL_DES_64_CBC_WITH_MD5 DES-CBC-MD5 SSL_RC4_128_EXPORT40_WITH_MD5 EXP-RC4-MD5 SSL_RC2_CBC_128_CBC_EXPORT40_WITH_MD5 EXP-RC2-MD5 SSL_RSA_WITH_3DES_EDE_CBC_SHA DES-CBC3-SHA SSL_RSA_WITH_RC4_128_SHA RC4-SHA SSL_RSA_WITH_RC4_128_MD5 RC4-MD5 SSL_RSA_WITH_DES_CBC_SHA DES-CBC-SHA SSL_RSA_EXPORT_WITH_RC4_40_MD5 EXP-RC4-MD5 SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5 EXP-RC2-CBC-MD5 TLS_RSA_EXPORT1024_WITH_RC4_56_SHA EXP1024-RC4-SHA TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA EXP1024-DES-CBC-SHA IPLANET/SUNONE LONG NAME SHORT NAME DES-EDE3-CBC_168 DES-CBC3-MD5 RC4_128 RC4-MD5 RC2-CBC_128 RC2-MD5 DES-CBC_56 DES-CBC-MD5 RC4-Export_40 EXP-RC4-MD5 RC2-CBC-Export_40 EXP-RC2-MD5 3DES-EDE-CBC_168 DES-CBC3-SHA RC4_128 RC4-MD5 DES-CBC_56 DES-CBC-SHA RC4-40_40 EXP-RC4-MD5 RC2-CBC-40_40 EXP-RC2-CBC-MD5 Customers who need to know the exact cipher name in their application should refer to the above list.Problem conclusion Updated the plugin so that cipher suite names TLS_RSA_EXPORT1024_WITH_RC4_56_SHA and TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA correctly mapped to EXP1024-RC4-SHA and EXP1024-DES-CBC-SHA respectively.Temporary fix Comments
APAR is sysrouted FROM one or more of the following: PQ74219 APAR is sysrouted TO one or more of the following: Modules/Macros
Publications Referenced
|
Product categories: Software > Application Servers >
Distributed Application & Web Servers > WebSphere Application
Server > General
Operating system(s):
Software version: 00A
Software edition:
Reference #: PQ74834
IBM Group: Software Group
Modified date: Jun 13, 2003
(C) Copyright IBM Corporation 2000, 2008. All Rights Reserved.