Fix (APAR):  PH24493

Status:  Fix

Release:  8.5.5.17,8.5.5.16

Operating System:  AIX,HP-UX,Linux,Solaris,Windows

Supersedes Fixes:  

CMVC Defect:  xxxxxx

Byte size of APAR:  210109369

Date: 2020-05-19

Abstract:  ssl0209e with ihs 9.0.5.2 and later

Description/symptom of problem:  
PH24493 resolves the following problem:

ERROR DESCRIPTION:
SSL0209E with IHS 9.0.5.2 and later                             

LOCAL FIX:

PROBLEM SUMMARY:

USERS AFFECTED:
 All users of IBM HTTP Server

PROBLEM DESCRIPTION:
SSL handshakes in 9.0.5.2 or later
fail with SSL0209E in the error_log.

RECOMMENDATION:
None

If a TLS 1.3 connection is established then resumed on a new
connection, and the cipher used is TLS_AES_256_GCM_SHA384,
GSKit can fail and return GSK_ERROR_CRYPTO which results in IHS
logging an SSL0209E error.
Note: Many other causes of SSL0209E exist.

PROBLEM CONCLUSION:
GSKit will be updated to 8.0.55.15 or later to address the      
issue.                                                          
                                                                
In the meantime, an easy circumvention exists:                  
                                                                
SSLCipherSpec TLS13 -TLS_AES_256_GCM_SHA384                     
                                                                
                                                                
The fix for this APAR is targeted for inclusion in IBM HTTP     
Server fix packs 9.0.5.4.  For more information,                
see 'Recommended Updates for WebSphere Application Server':     
http://www.ibm.com/support/docview.wss?                         
rs=180&uid=swg27004980                                          


Directions to apply fix:  
Special Instructions: None

NOTE: The user must:
* Be at V1.4.3 or newer of the Installation Manager. Certain iFixes may require
  a newer version of the Installation Manager and the Installation Manager will
  inform you during the installation process if a newer version is required.
* Be logged in with the same authority level when unpacking a fix, fix pack, or
  refresh pack.

The IBM Knowledge Center can provide details, if needed, on the use of the
Installation Manager to apply the interim fix:
http://publib.boulder.ibm.com/infocenter/install/v1r4/index.jsp.

1) Shutdown IBM HTTP Server
2) Apply the interim fix using Installation Manager
3) Restart IBM HTTP Server
Optional:
  From the IHS installation directory, run the following command to verify the
  version of GSKit that is installed:
   Unix:
      bin/gskver
   Windows:
      bin\gskver.bat

Directions to remove fix:  
The IBM Knowledge Center can provide details, if needed, on the use of the
Installation Manager to remove the interim fix:
http://publib.boulder.ibm.com/infocenter/install/v1r4/index.jsp.

1) Shutdown IBM HTTP Server
2) Remove the interim fix using Installation Manager
3) Restart IBM HTTP Server


Directions to re-apply fix:  
1) Stop IBM HTTP Server.
2) Follow the directions to apply the fix.
3) Restart IBM HTTP Server.


Additional Information: