Layer7 API Gateway: Unable to create or manage listen ports


Article ID: 126731


Updated On:


STARTER PACK-7 CA Rapid App Security CA API Gateway


After upgrading to Gateway 9.4 and above, the following error is seen when trying to create or modify a listen port:

The server private key uses RSA crypto, but at least one TLS_ECDH_ECDSA/TLS_ECDHE_ECDSA/TLS_ECDH_RSA cipher suite is enabled.



Release: 9.4 and above
Component: Gateway


This occurs because you are using an RSA private key with elliptic curve ciphers. 

When an RSA key is chosen, the TLS_ECDH_ECDSA, TLS_ECDHE_ECDSA and TLS_ECDH_RSA cipher suite families are not supported by that key, which results in this error.

To fix this, deselect all elliptic curve ciphers. Because they would not be negotiated in the handshake anyway, this should not have any negative impact.
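The check described above can be run offline against a cipher list before a listen port is edited. The following Python sketch is an added example, not Broadcom's or the Gateway's own code; it assumes the rule is exactly the three families named in the error message, and the function names and sample list are constructed for illustration.

```python
# Added example: pre-check a cipher list against the rule quoted in the error.
# Assumption: the rule is exactly the three families the error message names.
# Each of them needs an EC key in the server certificate (ECDSA signing or
# static ECDH), so an RSA private key cannot serve them.
RSA_INCOMPATIBLE_FAMILIES = ("TLS_ECDH_ECDSA", "TLS_ECDHE_ECDSA", "TLS_ECDH_RSA")

# Constructed sample of enabled suites (standard TLS suite names).
SAMPLE_ENABLED = [
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",    # not named in the error text
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA",
    " tls_ecdh_ecdsa_with_aes_128_cbc_sha ",    # untidy input is normalised
    "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
]


def family(suite):
    """Return the key-exchange/authentication part, e.g. TLS_ECDHE_RSA."""
    # Everything before "_WITH_"; names without it are returned whole.
    return suite.strip().upper().partition("_WITH_")[0]


def conflicting_suites(key_algorithm, enabled_suites):
    """List the enabled suites that would trigger the error for this key type."""
    if key_algorithm.strip().upper() != "RSA":
        return []  # the article only describes the RSA-key case
    return [s.strip().upper() for s in enabled_suites
            if family(s) in RSA_INCOMPATIBLE_FAMILIES]


if __name__ == "__main__":
    for name in conflicting_suites("RSA", SAMPLE_ENABLED):
        print("deselect:", name)
```
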


Additional Information

Note: This can happen even if you are not explicitly changing any ciphers on the listen port. Any modification to a listen port's properties will enforce this check.

Details about changing the cipher suites can be found here: