Route via https assertion cannot pickup right cipher for SHA2 certificate


Article ID: 131490


Products

CA Rapid App Security CA API Gateway

Issue/Introduction

After importing and trusting the certificate from <url>, the Route via HTTPS assertion fails with the following error:
Problem routing to <url>. Error msg: Unable to obtain HTTP response from <url>: java.security.cert.CertificateException: Server cert <CN> found but not trusted for SSL. Caused by: Server cert <CN> found but not trusted for SSL.

Cause

The SHA2 certificate requires matching cipher suites.
The Route via HTTPS assertion enables all available cipher suites by default, but fails to pick the right cipher suite for the SHA2 certificate.

Environment

The imported certificate is a SHA2 certificate: key type RSA, signature algorithm SHA256withRSA.

Resolution

For a SHA256withRSA certificate, the matching cipher suites must be specified manually in the Route via HTTPS assertion, for example TLS_RSA_WITH_AES_256_CBC_SHA256.

Open the properties window of the Route via HTTPS assertion. On the "Connection" tab, click the "Cipher Suites" button -> click "Uncheck All" -> find and select only the cipher "TLS_RSA_WITH_AES_256_CBC_SHA256" (use the filter to locate it) -> save the changes.

Other cipher suites may also work; the one above is just one of the matching cipher suites.

The cipher above is only an example. If the server does not support it, routing will still fail.

Run the following curl command on the gateway server to find out the server's preferred cipher:

curl -kv https://<remotehost>:<port>


It should show something like:

* SSL connection using TLS_DHE_RSA_WITH_AES_256_CBC_SHA256


Then select that cipher in the Route via HTTPS assertion.
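The following shell helper is an added example, not part of this article or of the CA API Gateway product: it pulls the negotiated cipher suite out of curl's verbose output (the "SSL connection using" line shown above) and checks it against the list of cipher suites enabled on the assertion, so the two can be compared without reading the output by eye. The curl output embedded in it is a constructed sample; the host name, address and port in it are placeholders. The parser also accepts the newer curl form "TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384" (OpenSSL-style name), which goes beyond the single line format the article shows.

```shell
#!/bin/sh
# Added example (not from the article): extract the cipher suite curl negotiated
# and check whether that suite is among the ones enabled on the route assertion.
#
# Real usage on the gateway server:
#   curl -kv https://<remotehost>:<port> 2>&1 | negotiated_cipher

# Constructed sample of "curl -kv" verbose output (placeholder host and port).
SAMPLE_CURL_OUTPUT='*   Trying 203.0.113.10...
* Connected to example.invalid (203.0.113.10) port 8443 (#0)
* SSL connection using TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
* Server certificate:
*        subject: CN=example.invalid
> GET / HTTP/1.1'

# Constructed sample in the format printed by newer curl/OpenSSL builds.
SAMPLE_CURL_OUTPUT_NEW='* Connected to example.invalid (203.0.113.10) port 8443 (#0)
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* Server certificate:'

# Read curl verbose output on stdin and print the negotiated cipher suite name.
# Handles both "SSL connection using <SUITE>" and
# "SSL connection using TLSv1.2 / <SUITE>".
negotiated_cipher() {
    sed -n 's/^\* SSL connection using \(TLSv[0-9.]* \/ \)\{0,1\}\([A-Za-z0-9_-]*\).*/\2/p' | head -n 1
}

# Exit 0 if $1 (the negotiated suite) appears in $2, a space-separated list of
# the cipher suites enabled on the Route via HTTPS assertion; else exit 1.
cipher_enabled() {
    cipher=$1
    enabled=$2
    for c in $enabled; do
        [ "$c" = "$cipher" ] && return 0
    done
    return 1
}

# Demonstration run on the constructed samples.
if [ "${1:-}" = "demo" ]; then
    c=$(printf '%s\n' "$SAMPLE_CURL_OUTPUT" | negotiated_cipher)
    echo "server negotiated: $c"
    if cipher_enabled "$c" "TLS_RSA_WITH_AES_256_CBC_SHA256"; then
        echo "enabled on the assertion"
    else
        echo "NOT enabled on the assertion: add $c to the Cipher Suites list"
    fi
fi
```

Run the script with the argument `demo` to see the check on the embedded sample; in practice, pipe the real curl output into `negotiated_cipher` and pass the cipher suites ticked in the assertion's "Cipher Suites" dialog as the second argument of `cipher_enabled`.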