Patch Name: PHSS_16186 Patch Description: s700_800 10.24 US/Canada VirtualVault A.03.00 NES SSL fix Creation Date: 98/08/19 Post Date: 98/08/24 Repost: 02/08/28 The patch documentation was modified to remove comments about the patch being restricted from export by the Bureau of Export Administration. The Virtualvault product is no longer under this restriction, so these comments were removed from the patch documentation. The patch is now available on the HP IT Resource Center and can be exported outside of the U.S. and Canada. Hardware Platforms - OS Releases: s700: 10.24 s800: 10.24 Products: VirtualVault/SAFE A.03.00 US/Canada Release Filesets: VaultTS.INES-US VaultNES.NES-US Automatic Reboot?: Yes Status: General Release Critical: No (superseded patches were critical) PHSS_15935: OTHER Sessions encrypted with previous versions of Netscape's Enterprise or Administration servers can potentially be decrypted. Path Name: /hp-ux_patches/s700_800/10.X/PHSS_16186 Symptoms: PHSS_16186: When running VirtualVault US/Canada 3.0 system with a VeriSign GSID certificate installed and Stronger Ciphers: Require 128 bit for SSL access is enabled, the export browser receives "Insufficient encryption" error. Hitting Reload however serves the requested page. This error does not occur when Allow 40 bit for SSL access is enabled. PHSS_15935: The Million Question vulnerability affects the use of RSA Data Security encryption algorithms with Netscape server products that support Secure Sockets Layer (SSL). The nature of the vulnerability is that a single encrypted SSL network conversation could be recorded and subsequently decrypted. The Netscape Enterprise Server Release 2.01 is embedded in the VirtualVault A.03.00 release. Defect Description: PHSS_16186: International GSID certificates must perform two separate SSL handshakes with the export browser, first at 40 bit secret, then step-up to 128 bit encryption. The "Insufficient encryption" error occurs during the intermediate 40 bit handshake when the Requires 128 for access option is enabled. The error should not be displayed for GSID certificates. PHSS_15935: The Million Question vulnerability affects the use of RSA Data Security encryption algorithms with Netscape server products that support Secure Sockets Layer (SSL). The nature of the vulnerability is that a single encrypted SSL network conversation could be recorded and subsequently decrypted. The Netscape Enterprise Server Release 2.01 is embedded in the VirtualVault A.03.00 release. SR: 4701395525 1653271726 Patch Files: /var/opt/vaultTS/inside/nsbase/bin/https/ns-httpd /var/opt/vaultTS/outside/nsbase/bin/https/ns-httpd /var/opt/vaultTS/outside/nsbase/admserv/ns-admin /var/opt/vaultTS/inside/nsbase/bin/https/libnshttpd.sl /var/opt/vaultTS/outside/nsbase/bin/https/libnshttpd.sl what(1) Output: /var/opt/vaultTS/inside/nsbase/bin/https/ns-httpd: None /var/opt/vaultTS/outside/nsbase/bin/https/ns-httpd: None /var/opt/vaultTS/outside/nsbase/admserv/ns-admin: None /var/opt/vaultTS/inside/nsbase/bin/https/libnshttpd.sl: None /var/opt/vaultTS/outside/nsbase/bin/https/libnshttpd.sl: None cksum(1) Output: 3876117090 450560 /var/opt/vaultTS/inside/nsbase/bin/https/ ns-httpd 3876117090 450560 /var/opt/vaultTS/outside/nsbase/bin/https/ ns-httpd 1303317155 860160 /var/opt/vaultTS/outside/nsbase/admserv/ ns-admin 2640356263 1197152 /var/opt/vaultTS/inside/nsbase/bin/https/ libnshttpd.sl 2640356263 1197152 /var/opt/vaultTS/outside/nsbase/bin/ https/libnshttpd.sl Patch Conflicts: None Patch Dependencies: None Hardware Dependencies: None Other Dependencies: None Supersedes: PHSS_15935 Equivalent Patches: None Patch Package Size: 4130 KBytes Installation Instructions: Please review all instructions and the Hewlett-Packard SupportLine User Guide or your Hewlett-Packard support terms and conditions for precautions, scope of license, restrictions, and, limitation of liability and warranties, before installing this patch. ------------------------------------------------------------ 1. Back up your system before installing a patch. 2. Login as root. 3. Copy the patch to the /tmp directory. 4. Move to the /tmp directory and unshar the patch: cd /tmp sh PHSS_16186 5a. For a standalone system, run swinstall to install the patch: swinstall -x autoreboot=true -x match_target=true \ -s /tmp/PHSS_16186.depot 5b. For a homogeneous NFS Diskless cluster run swcluster on the server to install the patch on the server and the clients: swcluster -i -b This will invoke swcluster in the interactive mode and force all clients to be shut down. WARNING: All cluster clients must be shut down prior to the patch installation. Installing the patch while the clients are booted is unsupported and can lead to serious problems. The swcluster command will invoke an swinstall session in which you must specify: alternate root path - default is /export/shared_root/OS_700 source depot path - /tmp/PHSS_16186.depot To complete the installation, select the patch by choosing "Actions -> Match What Target Has" and then "Actions -> Install" from the Menubar. 5c. For a heterogeneous NFS Diskless cluster: - run swinstall on the server as in step 5a to install the patch on the cluster server. - run swcluster on the server as in step 5b to install the patch on the cluster clients. By default swinstall will archive the original software in /var/adm/sw/patch/PHSS_16186. If you do not wish to retain a copy of the original software, you can create an empty file named /var/adm/sw/patch/PATCH_NOSAVE. Warning: If this file exists when a patch is installed, the patch cannot be deinstalled. Please be careful when using this feature. It is recommended that you move the PHSS_16186.text file to /var/adm/sw/patch for future reference. To put this patch on a magnetic tape and install from the tape drive, use the command: dd if=/tmp/PHSS_16186.depot of=/dev/rmt/0m bs=2k Special Installation Instructions: The patch installation replaces VirtualVault Inside and Outside Web servers, as well as the Outside Administration Server. These server processes may be stopped during patch installation, and the system will be rebooted upon patch installation completion.