APAR status
Closed as new function.
Error description
Allow TLS client certificate SAN extensions to be logged or queried.
Local fix
Problem summary
USERS AFFECTED: All users of IBM HTTP Server 8.5.5 and 9.0
PROBLEM DESCRIPTION: TLS client certificate SAN extensions have been unavailable for query or logging.
RECOMMENDATION: Apply this fix

SSL_CLIENT_SAN_DNSNAME, SSL_CLIENT_SAN_DIRECTORYNAME, SSL_CLIENT_SAN_IPADDRESS, SSL_CLIENT_SAN_RFC822NAME (email), and SSL_CLIENT_SAN_URI environment variables are added. Their value is a comma-separated list of values taken from the client certificate. The n-th individual value is also available by appending _n to the variable name.

The Apache expression parser is updated to allow evaluating these values in list context.

SSLClientAuthRequire is updated to allow tokens with the following syntax to be used for comparison: SAN<type>{0-3}, e.g. SANDNSNAME0 or SANURI3.

The SAN names are also added to the internal per-request environment variables in two forms: a comma-separated list such as SSL_CLIENT_SAN_DNSNAME, and indexed such as SSL_CLIENT_SAN_DNSNAME_0. Unlike SSLClientAuthRequire tokens, the indexes in environment variables can go beyond 3.
Problem conclusion
mod_ibm_ssl provides 'SSL_CLIENT_SAN', which accepts the parameters DNSNAME, DIRECTORYNAME, IPADDRESS, RFC822NAME, and URI; these map to the different sub-types of the Subject Alternative Name (SAN) extension. For example:

    # Check for a value in the list of client cert Subject Alt Name extensions:
    Require expr "'example.com' -in SSL_CLIENT_SAN('DNSNAME')"

This fix is targeted for IBM HTTP Server fix packs:
- 8.5.5.18
- 9.0.5.4

For more information, see 'Recommended Updates for WebSphere Application Server':
http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
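The following httpd.conf excerpt is an added example, not configuration from the APAR or from IBM, showing how the SAN variables introduced by this fix are used both for authorization and for logging. The virtual host, hostnames, log path and LogFormat nickname are constructed placeholders; SSLEnable and SSLClientAuth are assumed to be the standard IBM HTTP Server directives for enabling TLS and requiring a client certificate, and %{VAR}e is the standard mod_log_config escape for a per-request environment variable.

```apache
# Added example (not from the APAR): an IBM HTTP Server vhost that logs and
# authorizes on client-certificate SAN values instead of the subject CN.
<VirtualHost *:443>
    SSLEnable
    # Assumed IHS directive: refuse the handshake unless the client presents a
    # certificate, so SSL_CLIENT_SAN_* is always populated below.
    SSLClientAuth Required

    # Record the full comma-separated SAN lists on every request so an analyst
    # can see which identities a presented certificate carried. The fields are
    # quoted because a SAN list may contain spaces (e.g. a directoryName).
    LogFormat "%h %t \"%r\" %>s \"%{SSL_CLIENT_SAN_DNSNAME}e\" \"%{SSL_CLIENT_SAN_RFC822NAME}e\" \"%{SSL_CLIENT_SAN_URI}e\"" san_log
    CustomLog logs/client_san.log san_log

    <Location /api>
        # SSL_CLIENT_SAN('DNSNAME') is evaluated in list context, so -in is an
        # exact match against any one dNSName entry, not a substring test.
        Require expr "'api-client.example.com' -in SSL_CLIENT_SAN('DNSNAME')"
    </Location>
</VirtualHost>
```

Matching on a dNSName entry rather than the subject CN follows the way TLS identity is checked elsewhere (RFC 6125 treats the SAN as authoritative), and because -in compares whole list elements, a certificate whose dNSName is 'api-client.example.com.attacker.test' does not satisfy the rule. The same per-request variables (SSL_CLIENT_SAN_DNSNAME, or the indexed SSL_CLIENT_SAN_DNSNAME_0, _1, ...) are visible to CGI and proxied applications for their own checks.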
Temporary fix
Comments
APAR Information
APAR number
PH20989
Reported component name
IBM HTTP SERVER
Reported component ID
5724J0801
Reported release
850
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2020-01-15
Closed date
2020-05-05
Last modified date
2020-05-05
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
IBM HTTP SERVER
Fixed component ID
5724J0801
Applicable component levels
Line of Business: Automation (LOB45)
Business Unit: IBM Software w/o TPS (BU059)
Product: IBM HTTP Server (SSEQTJ)
Platform: Platform Independent (PF025)
Version: 8.5
Document Information
Modified date:
07 September 2022