SSL runtime problem mustgather
Other useful information
Common problems to check
Known IHS problems at startup or during request processing to check first
SSL0104S: GSK could not initialize, Invalid password for keyfile.
SSL0208E: SSL Handshake Failed, Certificate validation error.
SSL0209E: SSL Handshake Failed, ERROR processing cryptography.
SSL0210E: SSL Handshake Failed, ERROR validating ASN fields in certificate.
SSL0234W: SSL Handshake Failed, The certificate sent by the peer has expired or is invalid.
TLS 1.2 connections don't work when enabled in IE9 or later
Some browsers won't accept a certificate chain in which any certificate carries an RSA+MD5 signature (signature algorithm md5WithRSAEncryption); Internet Explorer with TLS 1.2 enabled is one of them. You'll need a chain whose certificates are all signed with an algorithm those clients accept, which in practice means having the affected certificate(s) re-issued by the CA.
"Connection Interrupted" or "Internet Explorer cannot display the webpage" after installing a new certificate
Some browsers, primarily those on back-level Windows XP and Windows 2003 systems, do not support certificates with SHA-2 signature algorithms (SHA-256 and up).
The signature algorithm can be displayed with iKeyman, or in numeric (OID) form with gskcapicmd (gsk7capicmd on GSKit 7):
$ gskcapicmd -cert -details -db key.kdb -pw XXX -label YYY
# 1.2.840.113549.1.1.11 is sha256WithRSAEncryption (SHA-2);
# the legacy ones are 1.2.840.113549.1.1.4 (md5WithRSAEncryption) and 1.2.840.113549.1.1.5 (sha1WithRSAEncryption).
Solution: You'll likely need to obtain a new certificate signed with SHA-1 if you expect these older clients in practice. Note that current browsers reject SHA-1-signed server certificates, so this is only viable for an isolated population of legacy clients; for everyone else the clients, not the certificate, need updating.
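If you only have the certificate bytes (for example a PEM exported from the KDB) and no GSKit tools at hand, the signature algorithm OID can be read straight out of the DER. The following is an added example written for this page, not code from IBM or the GSKit toolkit: a minimal pure-Python DER walker that locates the signatureAlgorithm field of a Certificate (SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }) and maps its OID to the names discussed above. The certificates it runs on are constructed placeholders with the real outer layout but a dummy tbsCertificate; pass it the DER or PEM of a real certificate for a real answer.

```python
"""Extract and classify the signature algorithm OID of an X.509 certificate.

Added example (not code from the IBM page): a minimal DER walker in pure Python,
no third-party libraries. sample_certificate() builds constructed placeholders
with the real Certificate layout but a dummy tbsCertificate and signature.
"""
import base64
import re

# OID -> (name, note). These are the well-known PKCS#1 / ANSI X9.62 OIDs.
SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.4": ("md5WithRSAEncryption",
                             "legacy: a chain containing RSA+MD5 is refused by some browsers"),
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption",
                             "legacy: works with back-level XP/2003, rejected by current browsers"),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption",
                              "SHA-2: not supported by back-level Windows XP/2003 clients"),
    "1.2.840.113549.1.1.12": ("sha384WithRSAEncryption", "SHA-2"),
    "1.2.840.113549.1.1.13": ("sha512WithRSAEncryption", "SHA-2"),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", "SHA-2"),
}


def read_tlv(buf, pos=0):
    """Read one DER tag-length-value starting at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def der_tlv(tag, content):
    """Encode a DER tag-length-value (used here only to build the sample certificate)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def decode_oid(raw):
    """Decode OID content octets: first two arcs are packed as 40*a+b, the rest base-128."""
    arcs, value = [], 0
    for b in raw:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                   # high bit clear ends the arc
            if not arcs:
                arcs.extend(divmod(value, 40) if value < 80 else (2, value - 80))
            else:
                arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def encode_oid(dotted):
    """Encode a dotted OID string into DER content octets (inverse of decode_oid)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray()
    for arc in [arcs[0] * 40 + arcs[1]] + arcs[2:]:
        chunks = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunks.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunks))
    return bytes(out)


def load_der(data):
    """Accept DER or PEM (-----BEGIN CERTIFICATE----- ...) bytes and return the DER."""
    m = re.search(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", data, re.S)
    return base64.b64decode(m.group(1)) if m else data


def signature_algorithm(cert):
    """Return (dotted OID, name, note) for the signatureAlgorithm of a Certificate."""
    tag, body, _ = read_tlv(load_der(cert))
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, pos = read_tlv(body)             # skip tbsCertificate
    _, alg_id, _ = read_tlv(body, pos)     # signatureAlgorithm: AlgorithmIdentifier
    tag, oid_raw, _ = read_tlv(alg_id)     # its first element is the algorithm OID
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    oid = decode_oid(oid_raw)
    name, note = SIGNATURE_OIDS.get(oid, ("unknown", "OID not in table"))
    return oid, name, note


def sample_certificate(sig_oid):
    """Constructed placeholder: real outer layout, dummy tbsCertificate and signature."""
    tbs = der_tlv(0x30, der_tlv(0x02, b"\x01"))                            # stand-in tbsCertificate
    alg = der_tlv(0x30, der_tlv(0x06, encode_oid(sig_oid)) + b"\x05\x00")  # OID + NULL parameters
    sig = der_tlv(0x03, b"\x00" * 9)                                       # placeholder BIT STRING
    return der_tlv(0x30, tbs + alg + sig)


def to_pem(der):
    """Wrap DER bytes as a PEM certificate block."""
    return b"-----BEGIN CERTIFICATE-----\n" + base64.b64encode(der) + b"\n-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    for oid in ("1.2.840.113549.1.1.11", "1.2.840.113549.1.1.5", "1.2.840.113549.1.1.4"):
        print(signature_algorithm(sample_certificate(oid)))
```

The walker deliberately skips tbsCertificate rather than parsing it; the signature algorithm also appears inside tbsCertificate, and a certificate whose two copies disagree is malformed, so if you extend this for real input, compare both.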
Unexpected security popup in some browsers
If you're using an intermediate certificate (your server certificate isn't signed directly by one of the browser's default trusted root certificate authorities, but by an issuer that is in turn signed by a trusted CA), web browsers can improperly cache expired copies of the intermediate certificate. This can happen if in the past the user clicked 'Trust site permanently' on a site that used the same intermediate certificate authority; the browser then keeps the old intermediate and builds the chain with it even after the server starts sending a renewed one.
Solution: Remove the expired cached copy of the intermediate certificate from the browser's SSL configuration (certificate store).
Client authentication is enabled but the browser doesn't prompt for a certificate
During the SSL handshake, the web server's CertificateRequest message carries the list of Certificate Authorities it trusts, to help the browser select the correct client certificate. If the browser detects that none of the user's client certificates would be validated given the list of certificate authorities sent by the server, the browser will NOT prompt the user for a certificate.
If only a subset of the user's client certificates can be validated by the server's list of certificate authorities, the browser will display that partial list of certificates to the user.
Solution: The issuer of the client certificates must be added as a trusted Certificate Authority in the server's KeyFile (KDB). You can see exactly which CA names the server sends with openssl s_client: they are printed under "Acceptable client certificate CA names" after the handshake.
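To replay the browser's decision offline, take the CA list from an openssl s_client capture and check it against the issuer chains of the client certificates on the workstation. The block below is an added example for this page, not IBM code: SAMPLE_S_CLIENT_OUTPUT and CLIENT_CERTS are constructed, not captured from a real server, and the organisation and CA names in them are assumptions. It accepts DNs in both OpenSSL output forms (the older "/C=US/O=.../CN=..." and the newer "C = US, O = ..., CN = ...") and also handles the case where the server sends an empty CA list, which s_client reports as "No client certificate CA names sent".

```python
"""Would the browser offer a client certificate? Replay the server's CA list.

Added example (not code from the IBM page). The CA list is the
"Acceptable client certificate CA names" block printed by
`openssl s_client -connect host:443`; the sample text and certificate store
below are constructed, and the names in them are assumptions.
"""

SAMPLE_S_CLIENT_OUTPUT = """\
---
Acceptable client certificate CA names
/C=US/O=Example Corp/CN=Example Corp Root CA
C = US, O = Example Corp, CN = Example Corp Employee CA
Client Certificate Types: RSA sign, DSA sign, ECDSA sign
Requested Signature Algorithms: RSA+SHA256:ECDSA+SHA256
---
"""

# Constructed client certificate store: each entry is the subject plus the
# issuer chain above it, leaf issuer first.
CLIENT_CERTS = [
    {"subject": "CN=alice", "chain": ["/C=US/O=Example Corp/CN=Example Corp Employee CA",
                                      "/C=US/O=Example Corp/CN=Example Corp Root CA"]},
    {"subject": "CN=bob", "chain": ["/C=US/O=Contractor Ltd/CN=Contractor Ltd Issuing CA",
                                    "/C=US/O=Contractor Ltd/CN=Contractor Ltd Root CA"]},
]


def parse_dn(text):
    """Normalise a DN into a tuple of (ATTR, value) pairs regardless of form and spacing.
    Values containing the separator itself ("/" or ",") are not handled."""
    text = text.strip()
    parts = text[1:].split("/") if text.startswith("/") else text.split(",")
    pairs = []
    for part in parts:
        attr, _, value = part.partition("=")
        pairs.append((attr.strip().upper(), value.strip()))
    return tuple(pairs)


def acceptable_ca_names(s_client_output):
    """Return the set of DNs the server named in its CertificateRequest.
    None means the server sent an empty list (s_client prints
    'No client certificate CA names sent'), which by the TLS spec lets the
    client send a certificate from any CA."""
    lines = s_client_output.splitlines()
    if any(l.startswith("No client certificate CA names sent") for l in lines):
        return None
    names, collecting = set(), False
    for line in lines:
        if line.startswith("Acceptable client certificate CA names"):
            collecting = True
            continue
        if collecting:
            if line.startswith(("Client Certificate Types", "Requested Signature", "---")):
                break
            if line.strip():
                names.add(parse_dn(line))
    return names


def certificates_offered(client_certs, ca_names):
    """Apply the browser's rule: a certificate is selectable only if some CA in its
    issuer chain is one the server named (any CA when the server named none)."""
    if ca_names is None:
        return list(client_certs)
    return [c for c in client_certs if any(parse_dn(i) in ca_names for i in c["chain"])]


def prompt_decision(s_client_output, client_certs):
    """What the user sees: no prompt at all, or a prompt listing only the usable certs."""
    offered = certificates_offered(client_certs, acceptable_ca_names(s_client_output))
    return {"prompt": bool(offered), "offered": [c["subject"] for c in offered]}


if __name__ == "__main__":
    print(prompt_decision(SAMPLE_S_CLIENT_OUTPUT, CLIENT_CERTS))      # alice only
    print(prompt_decision(SAMPLE_S_CLIENT_OUTPUT, CLIENT_CERTS[1:]))  # bob alone: no prompt
```

If the second call's outcome (no prompt) matches what your users see, the fix is on the server side: add bob's issuing CA to the KDB as a trusted signer, then re-run s_client and confirm the new name appears in the list.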
Gathering documentation
IHS SSL problems
Turn on IBM HTTP Server verbose logging for SSL by appending the LogLevel directive to httpd.conf:
IBM HTTP Server 9.0 and later:
LogLevel trace8
IBM HTTP Server 8.5.5 and earlier:
LogLevel debug
Append the SSLTrace directive to httpd.conf:
SSLTrace
Configure the environment for IBM Global Security Kit (GSKit) trace.
On z/OS, if your problem occurs after startup, you must either include a % character (expanded to the process ID) in the GSK_TRACE_FILE name or configure trace in GSKSRVR instead of using GSK_TRACE_FILE. Tracing via GSK_TRACE_FILE without % in the filename is not safe for multi-process servers like IHS, because every child process would write to the same file. See "Capturing Component Trace Data".
Restart IBM HTTP Server.
Start a binary iptrace/packet capture that will show the interaction between the web browser and the web server. This can be taken on the IHS server, the client machine, or both.
Possible tools include tcpdump, wireshark, and iptrace. See http://www-01.ibm.com/support/docview.wss?uid=swg21175744 for more info.
Recreate the problem from the browser.
Save a screen capture of the browser window.
Send the following to IBM support:
Web server error log, access log, and httpd.conf
System and web server information collected by the ihsdiag collector tool
IBM Global Security Kit (GSKit) trace file
If a client certificate is in use, the client certificate along with any necessary CA certificates
IP trace (packet capture) file, unformatted
KDB file in use along with the accompanying .sth/.crl/.rdb files, as well as the KDB password. Note that the KDB holds the server's private key, so treat the transfer as you would any private key material and consider re-keying the server once the case is closed.
Detail on the time of the request/handshake and the IP address of the client
Description of the client and server trust chain and the Certificate Authority in use
Details of the cryptographic token configuration described above, when appropriate.