SSL runtime problem mustgather

Other useful information

Common problems to check

Known IHS problems at startup or request processing issues to check first

TLS1.2 connections don't work when enabled in IE9 or later

Some browsers won't accept a certificate chain that includes RSA+MD5 signature algorithm. You'll need a compliant certificate chain to handshake with them. Some analysis here

"Connection Interrupted" or "Internet explorer cannot view the web page" after installing a new certificate

Some browsers, primarily those on back-level Windows XP and Windows 2003 systems, do not support certificates with SHA2 signature algorithms.

The signature algorithm can be displayed with Ikeyman, or in numeric form with gsk7capicmd/gskcapicmd:

$ gsk7capicmd/gskcapicmd -cert -details -db key.kdb -pw XXX -label YYY
# 1.2.840.113549.1.1.11 is SHA256;
# legacy/traditional ones are 1.2.840.113549.1.1.14 and 1.2.840.113549.1.1.5

Solution: You'll likely need to obtain a new certificate if you expect these older clients in practice.
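To check a whole chain (the RSA+MD5 rejection above and the SHA2 rejection by back-level clients both hinge on the signatureAlgorithm OID of each certificate), the following added example parses that OID straight out of the DER, with no dependency on Ikeyman, gskcapicmd or a third-party X.509 library. It is not IBM's code; the tiny DER walker, the OID table and the SAMPLE_* values are constructed here for illustration, and the sample is only the outer Certificate shape, not a real certificate.

```python
import base64
import re

# RSA signature-algorithm OIDs named in the mustgather above, each with the client
# compatibility caveat it carries (None = no known browser issue for that algorithm).
SIG_OIDS = {
    "1.2.840.113549.1.1.4": ("md5WithRSAEncryption", "RSA+MD5 chain: some browsers refuse to handshake"),
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", None),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", "SHA2: back-level Windows XP/2003 clients fail"),
}

def _tlv(der, pos):
    # Decode one DER tag+length header at pos; return (tag, value_start, value_end).
    tag, length, pos = der[pos], der[pos + 1], pos + 2
    if length & 0x80:                            # long form: low 7 bits = count of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(der[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _decode_oid(body):
    # OID content octets -> dotted string (base-128 arcs, high bit = continuation).
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def signature_oid(der):
    # Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    tag, pos, _ = _tlv(der, 0)
    assert tag == 0x30, "not a DER SEQUENCE"
    _, _, tbs_end = _tlv(der, pos)               # skip tbsCertificate entirely
    _, alg_start, _ = _tlv(der, tbs_end)         # AlgorithmIdentifier ::= SEQUENCE { OID, params }
    tag, start, end = _tlv(der, alg_start)
    assert tag == 0x06, "expected OBJECT IDENTIFIER"
    return _decode_oid(der[start:end])

def chain_report(pem_text):
    # One (oid, name, caveat) tuple per certificate in the PEM chain, in file order.
    blobs = re.findall(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem_text, re.S)
    oids = [signature_oid(base64.b64decode(b)) for b in blobs]
    return [(oid,) + SIG_OIDS.get(oid, ("unknown", None)) for oid in oids]

# Constructed sample (not a real certificate): outer Certificate shape with an empty
# tbsCertificate, signatureAlgorithm = sha256WithRSAEncryption, and a 1-byte BIT STRING.
SAMPLE_DER = bytes.fromhex("3014" "3000" "300d0609" "2a864886f70d01010b" "0500" "030100")
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n" + base64.b64encode(SAMPLE_DER).decode()
              + "\n-----END CERTIFICATE-----\n")
```

Feed it the PEM chain extracted from the KDB (or the chain the server actually sends, as captured in the packet trace) and any entry whose caveat is not None explains which client population will fail the handshake.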

Unexpected security popup in some browsers

If you're using an intermediate certificate (your server certificate isn't signed by one of a browser's default trusted root certificate authorities but is signed by an issuer who is in turn signed by a trusted CA), web browsers can improperly cache expired copies of the intermediate certificates. This can occur if in the past the user has clicked 'Trust site permanently' on a site that uses the same intermediate certificate authority.

Solution: Remove the expired cached copy of the intermediate certificate from the browser's SSL configuration.

Client Authentication is enabled but browser doesn't prompt for certificate

During the SSL handshake, the web server informs the browser of what Certificate Authorities it trusts to assist the browser in selecting the correct client certificate. If the browser detects that none of the user's client certificates would be validated given the list of certificate authorities sent by the server, the browser will NOT prompt the user for a certificate.

If only a subset of the user's client certificates can be validated against the server's list of certificate authorities, the browser will display just that partial list of certificates to the user.

Solution: The issuer of the client certificates must be added as a trusted Certificate Authority in the server's KeyFile.

Gathering documentation

IHS SSL problems

  1. Turn on IBM HTTP Server verbose logging for SSL.

    • Append the LogLevel directive to httpd.conf:

      • IBM HTTP Server 9.0 and later:

        • LogLevel trace8

      • IBM HTTP Server 8.5.5 and earlier:

        • LogLevel debug

    • Append SSLTrace directive to httpd.conf:

      • SSLTrace

  2. Configure environment for IBM Global Security Kit (GSKit) trace

  3. On z/OS, if your problem occurs after startup, you must specify a % character (process ID) in the trace filename or configure trace in GSKSRVR instead of using GSK_TRACE_FILE. Trace via GSK_TRACE_FILE (without % in the filename) is not safe for multi-process servers like IHS. See Capturing Component Trace Data.

  4. Restart IBM HTTP Server.

  5. Start a binary iptrace/packet capture that will show the interaction between the web browser and web server. This can be taken from the IHS server, the client machine, or both.

    Possible tools include tcpdump, wireshark, iptrace. See http://www-01.ibm.com/support/docview.wss?uid=swg21175744 for more info.

  6. Recreate the problem from the browser.

  7. Save a screen capture of the browser window.

  8. Send the following to IBM support:

    • web server error log, access log, and httpd.conf

    • System and web server information as collected by the ihsdiag collector tool

    • IBM Global Security Kit (GSKit) trace file

    • If a client certificate is in use, please include it along with any necessary CAs

    • IP trace file, unformatted

    • KDB file in use along with accompanying .sth/.crl/.rdb files as well as KDB password

    • Detail on time of request/handshake and IP address of client

    • Description of client and server trust chain with Certificate Authority in use

    • Details of cryptographic token configuration described above, when appropriate.