Monday, October 10, 2011

[HTTP] SSL0198W: System is running without a security library capable of directly rejecting insecure SSL client renegotiation

Problem (Abstract)
The following warning message is displayed in the IBM HTTP Server error log when the HTTP Server is started:

SSL0198W: System is running without a security library capable of directly rejecting insecure SSL client renegotiation. Aborting HTTPS requests that span SSL sessions.


Resolving the problem
It is strongly recommended that you upgrade your security library to a level that is aware of CVE-2009-3555. On distributed platforms, this is GSKit 7.0.4.27 or higher by way of PM00675. On z/OS, contact IBM support to obtain the proper maintenance level of System SSL.

In the absence of a security library updated for CVE-2009-3555, recent levels of IBM HTTP Server can track insecure negotiations manually and terminate HTTP requests that span TLS sessions. However, this is indirect enforcement, and is not the preferred mode of operation for a variety of reasons.

There is no immediate risk implied by the "SSL0198W" message.
After installing GSKit 7.0.4.27 (or higher) on distributed platforms, or the latest System SSL library on z/OS, the HTTP Server logs the following message when started:

SSL0197I: Configured security library to reject insecure SSL client renegotiation.

This is the expected message: it indicates that the security library (GSKit or System SSL) has the fix required to reject insecure SSL client renegotiation requests directly.
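The two message IDs above make the protection mode easy to verify from the error log after a restart. The following Python check is an added example written for this page, not code from IBM or the technote: it scans IHS error_log lines, keeps the SSLnnnnX messages, and reports whether the most recent startup logged SSL0197I (the library rejects insecure renegotiation itself) or SSL0198W (the server falls back to aborting requests that span SSL sessions). The error_log line layout, the sample lines and the function names are assumptions made for the example.

```python
import re

# Message IDs quoted in the technote above.
DIRECT_REJECT = "SSL0197I"    # security library rejects insecure renegotiation itself
INDIRECT_REJECT = "SSL0198W"  # IHS tracks renegotiations and aborts spanning requests

# Assumed IHS error_log layout for this example:
#   [Mon Oct 10 09:12:01 2011] [warn] SSL0198W: System is running ...
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] (?P<msg>SSL\d{4}[A-Z]): (?P<text>.*)$"
)


def parse_ssl_messages(lines):
    """Return (timestamp, message_id, text) for every SSLnnnnX line, in log order."""
    found = []
    for line in lines:
        m = LINE_RE.match(line.rstrip("\n"))
        if m:
            found.append((m.group("ts"), m.group("msg"), m.group("text")))
    return found


def renegotiation_protection_mode(lines):
    """Classify the latest startup by its renegotiation message.

    'direct'   - SSL0197I seen: the security library rejects insecure renegotiation
    'indirect' - SSL0198W seen: IHS itself aborts HTTPS requests spanning SSL sessions
    'unknown'  - neither message present (e.g. SSL not configured, or log rotated)
    A later startup overrides an earlier one, so a restart after the GSKit upgrade
    changes the answer from 'indirect' to 'direct'.
    """
    mode = "unknown"
    for _, msg_id, _ in parse_ssl_messages(lines):
        if msg_id == DIRECT_REJECT:
            mode = "direct"
        elif msg_id == INDIRECT_REJECT:
            mode = "indirect"
    return mode


def check_error_log(path):
    """Convenience wrapper: classify an on-disk error_log file."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return renegotiation_protection_mode(fh)


# Constructed sample: a startup before the GSKit upgrade ...
SAMPLE_LOG_BEFORE = [
    "[Mon Oct 10 09:12:00 2011] [notice] IBM HTTP Server started (constructed line)",
    "[Mon Oct 10 09:12:01 2011] [warn] SSL0198W: System is running without a security "
    "library capable of directly rejecting insecure SSL client renegotiation. "
    "Aborting HTTPS requests that span SSL sessions.",
]

# ... and the same log after the upgrade and a restart.
SAMPLE_LOG_AFTER = SAMPLE_LOG_BEFORE + [
    "[Mon Oct 10 11:40:00 2011] [notice] IBM HTTP Server started (constructed line)",
    "[Mon Oct 10 11:40:01 2011] [notice] SSL0197I: Configured security library to reject "
    "insecure SSL client renegotiation.",
]

if __name__ == "__main__":
    for label, log in (("before upgrade", SAMPLE_LOG_BEFORE), ("after upgrade", SAMPLE_LOG_AFTER)):
        print(f"{label}: {renegotiation_protection_mode(log)}")
```

Run it against the real error_log with `check_error_log("/opt/IBM/HTTPServer/logs/error_log")` (path is an example); anything other than `direct` after the upgrade means the new GSKit or System SSL level is not the one the server actually loaded.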
