Some clients, including some firmware levels or configurations of F5, are intolerant of the "Extended Premaster Secret" extension defined in RFC 7627. The client may close the connection immediately after the handshake completes. As a workaround, the following snippet disables RFC 7627 when placed in the same context as SSLEnable:
SSLAttributeSet 4002 0
After PI73984, IHS does stricter checks on the format of the request line and HTTP headers. Some of the invalid data that has been caught is listed below:
Generally, webserver features that modify HTTP requests cannot repair the invalid data, because it is detected before they have a chance to run. The HTTPProtocolOptions directive relaxes some, but not all, of the new checks.
These problems are usually triggered by non-browser, custom HTTP clients that do not properly implement the HTTP protocol. mod_net_trace can be used to review the content of the HTTP request to find the problem.
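A small checker for a request head recovered from a mod_net_trace capture, added here as an example and not IBM code. It tests the RFC 7230 request-line and header-field grammar, which is an assumption about the kind of format errors the stricter checks reject; the function name and the sample request are constructed.

```python
import re

# RFC 7230 "token": the characters allowed in a method or header field name.
TOKEN = re.compile(rb"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")
VERSION = re.compile(rb"HTTP/\d\.\d")

def check_request_head(raw):
    """Return a list of RFC 7230 format problems found in a raw request head."""
    problems = []
    lines = raw.split(b"\r\n\r\n", 1)[0].split(b"\r\n")
    for n, line in enumerate(lines, 1):
        if b"\r" in line or b"\n" in line:
            problems.append(f"line {n}: bare CR or LF instead of CRLF")
    parts = lines[0].split(b" ")
    if len(parts) != 3:
        problems.append("line 1: request line is not 'method SP target SP version'")
    else:
        method, target, version = parts
        if not TOKEN.fullmatch(method):
            problems.append(f"line 1: invalid method {method!r}")
        if not target or re.search(rb"[\x00-\x20\x7f]", target):
            problems.append("line 1: whitespace or control character in target")
        if not VERSION.fullmatch(version):
            problems.append(f"line 1: invalid version {version!r}")
    for n, line in enumerate(lines[1:], 2):
        if not line:
            continue
        if line[:1] in (b" ", b"\t"):
            problems.append(f"line {n}: obsolete header line folding")
            continue
        name, sep, value = line.partition(b":")
        if not sep:
            problems.append(f"line {n}: header line has no colon")
        elif not TOKEN.fullmatch(name):
            problems.append(f"line {n}: invalid header name {name!r}")
        elif re.search(rb"[\x00-\x08\x0a-\x1f\x7f]", value):
            problems.append(f"line {n}: control character in header value")
    return problems

# Constructed sample: a space inside one header name, a space before the colon in another.
SAMPLE = (b"GET /app/index.jsp HTTP/1.1\r\n"
          b"Host: ihs.example.test\r\n"
          b"X-Trace ID: 42\r\n"
          b"User-Agent : custom-client\r\n\r\n")

if __name__ == "__main__":
    for problem in check_request_head(SAMPLE):
        print(problem)
```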
IHS 8.5 on z/OS has a window where keepalive requests received while a process is shutting down may appear to hang. These are combinations where IHS is based on the event MPM. When a process is shutting down due to MaxSpareThreads, MaxRequestsPerChild, or a server-wide graceful restart, keepalive connections are not immediately closed. If a long-running request delays the total exit of the process, and a client sends a request on an idle connection, the request will appear to hang rather than getting a more immediate closure (which clients must be prepared for on any keepalive connection).
As a precaution, it's recommended to minimize child process exit during heavy load by configuring MaxSpareThreads as close as possible to MaxClients, keeping MaxRequestsPerChild at 0, and minimizing graceful restarts during high load.
APAR PI74119 drastically reduces the window.
See gather_highcpu_doc.html#GSKITICC_HIGHCPU
/usr/sbin/no -o tcptr_enable
/usr/sbin/no -o tcp_rand_port
This is most likely to be a problem when the client connections are short-lived and come from only a handful of IP addresses.