IBM Support

PH49311: TLS1.3 CLIENT AUTHENTICATION FAILURES WITH RECENT GNUTLS CLIENTS

Subscribe to this APAR

By subscribing, you receive periodic emails alerting you to the status of the APAR, along with a link to the fix after it becomes available. You can track this item individually or track all items by product.

Notify me when this APAR changes.

Notify me when an APAR for this component changes.

 

APAR status

  • Closed as program error.

Error description

  • When client authentication is used with TLS 1.3, recent
GNUTLS-based clients may return a fatal error when IHS sends a
mid-handshake CertificateRequest message with a non-zero length
"context"

Local fix

  • 



Problem summary


    

  • ****************************************************************
* USERS AFFECTED:  All users of IBM HTTP Server with client    *
*                  authentication enabled.                     *
****************************************************************
* PROBLEM DESCRIPTION: When TLS client authentication is       *
*                      enabled, some clients may fail to       *
*                      handshake over TLS                      *
*                      1.3.                                    *
****************************************************************
* RECOMMENDATION:                                              *
****************************************************************
When TLS client authentication is used over TLS 1.3, the
CertificateRequest message sent by the server
should have a zero-length "Context" field if sent during the
initial handshake and a non-zero length
"Context" field when sent post-handshake.
IHS only ever sends CertificateRequest messages during the
handshake, never after.
GSKit versions prior to 8.0.55.29 always send a non zero-length
"Context" field when the client supports
post handshake authentication, even if the server is not using
it.
Recent builds of the GNUTLS library fail when the context is
unexpectedly non-empty.

    



Problem conclusion


    

  • The included level of the IBM GSKit library was updated to
8.0.55.29 or later, which includes a fix to send the empty
"Context" parameter during mid-handshake CertificateRequest
messages.

Note: This cumulative GSKit update occurs in 8.5.5 as well, even
though the problem described in this APAR cannot be reached in
IHS 8.5.5 due to TLS 1.3 not being supported.

The fix for this APAR is targeted for inclusion in IBM HTTP
Server fix packs 8.5.5.23 and 9.0.5.14. For more information,
see 'Recommended Updates for WebSphere Application Server':
https://www.ibm.com/support/pages/node/715553

    



Temporary fix


    

  • 



Comments


    

  • 



APAR Information




    

  • APAR number
    PH49311
    • 

  • Reported component name
    IBM HTTP SERVER
    • 

  • Reported component ID
    5724J0801
    • 

  • Reported release
    900
    • 

  • Status
    CLOSED  PER
    • 

  • PE
    NoPE
    • 

  • HIPER
    NoHIPER
    • 

  • Special Attention
    NoSpecatt / Xsystem
    • 

  • Submitted date
    2022-09-07
    • 

  • Closed date
    2022-09-07
    • 

  • Last modified date
    2022-09-07
    • 





    

  • APAR is sysrouted FROM one or more of the following:
    

    • 

  • APAR is sysrouted TO one or more of the following:
    

    • 



Fix information


    

  • Fixed component name
    IBM HTTP SERVER
    • 

  • Fixed component ID
    5724J0801
    • 



Applicable component levels


    








      
              
                            

              

              [{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSEQTJ","label":"IBM HTTP Server"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"9.0","Line of Business":{"code":"LOB45","label":"Automation"}}]
              

                          

          
 
        

      

    

      

        

          

            
Document Information


            

            


                        

            Modified date:
            

            08 September 2022
            

            
                      

        


        

        


      

    

  



    

  

  
    
            

          
Page Feedback