Provide feedback on the IBM HTTP Server forum on IBM developerWorks.
Some clients, including some firmware levels or configurations of F5, are intolerant of the "Extended Premaster Secret" extension defined in RFC7627. The cliemt may close the connection immediately after the handshake completes. As a workaround, the following snippet can disable RFC7627 in the same context as SSLEnable:
SSLAttributeSet 4002 0
After PI73984, IHS does stricter checks on the format of the request line and HTTP headers. This includes but is not limited to extra whitespace in the status line, within header names, or invalid line endings. The HTTPProtocolOptions directive relaxes some, but not all, of the new checks.
IHS 8.5 on z/OS has a window where keepalive requests received while a process is shutting down may appear to hang. These are combinations where IHS is based on the event MPM. When a process is shutting down due to MaxSpareThreads, MaxRequestsPerChild, or a server-wide graceful restart, keepalive connections are not immediately closed. If a long-running requests delays the total exit of the process, and a client sends a request on an idle connection, it will appear to hang rather than getting a more immediate closure (as clients must be prepared for on any keepalive connection).
As a precaution, it's recommended to minimize child process exit during heavy load by configuring MaxSpareThreads as close as possible to MaxClients, keeping MaxRequestsPerChild at 0, and minimizing performing graceful restarts during high load.
APAR PI74119 drastically reduces the window.
See gather_highcpu_doc.html#GSKITICC_HIGHCPU
/usr/sbin/no -o tcptr_enable /usr/sbin/no -o tcp_rand_portThis is most likely to be a problem when the client connections are short-lived and come from only a handful of IP addresses.