Route via HTTPS assertion cannot pick up the right cipher for a SHA2 certificate


Article ID: 131490


Updated On:


CA Rapid App Security CA API Gateway


After importing and trusting the certificate from <url>, the Route via HTTPS assertion fails with the following error:
Problem routing to <url>. Error msg: Unable to obtain HTTP response from <url>: Server cert <CN> found but not trusted for SSL. Caused by: Server cert <CN> found but not trusted for SSL.


The SHA2 certificate requires a matching cipher suite.
The Route via HTTPS assertion enables all available cipher suites by default, but fails to pick up the right cipher suite for the SHA2 certificate.


The imported certificate is a SHA2 certificate: key type RSA, signature algorithm SHA256withRSA.


For a SHA256withRSA certificate, manually select a matching cipher suite in the Route via HTTPS assertion, for example TLS_RSA_WITH_AES_256_CBC_SHA256:

Open the properties of the Route via HTTPS assertion, go to the "Connection" tab and click the "Cipher Suites" button -> click "Uncheck All" -> use the filter to find "TLS_RSA_WITH_AES_256_CBC_SHA256" and select only that cipher -> save the changes.

Other cipher suites will also work; the one above is just one of the matching suites. Whichever suite is selected must use RSA authentication (a TLS_RSA_*, TLS_DHE_RSA_* or TLS_ECDHE_RSA_* suite), because the server's key is RSA, and it must also be enabled on the remote server.


The cipher suite above is only an example; if the remote server does not support it, the route will still fail.

To find out which cipher suite the server prefers, run curl on the Gateway server:

curl -kv https://<remotehost>:<port>

The output should contain a line like

* SSL connection using TLS_DHE_RSA_WITH_AES_256_CBC_SHA256

Then select that cipher suite in the Route via HTTPS assertion.

Note that a curl built against OpenSSL prints the OpenSSL name instead, for example "* SSL connection using TLSv1.2 / DHE-RSA-AES256-SHA256"; this is the same suite, and the Gateway's Cipher Suites list uses the IANA name (TLS_DHE_RSA_WITH_AES_256_CBC_SHA256). Also, curl reports only the single suite negotiated for that connection, which is the server's preference among the ciphers curl offered, not the full list the server accepts; to see every suite the server accepts, probe each candidate suite separately, for example with openssl s_client -cipher.
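The procedure above (read the negotiated cipher out of curl's output, translate it into the name the assertion's Cipher Suites dialog uses, and optionally enumerate every RSA-authenticated suite the server accepts) as a script. This is an added example, not code from the KB article or from the CA API Gateway product; it assumes curl and openssl are installed on the Gateway host, and the hostname, port and sample curl output in it are constructed placeholders.

```bash
#!/usr/bin/env bash
# Added example, not part of the KB article or the Gateway product: work out
# which cipher suite(s) a remote TLS server accepts for an RSA-authenticated
# certificate, reported in the IANA naming used by the assertion's Cipher
# Suites dialog. Assumes curl and openssl are on the Gateway host; the host,
# port and sample output below are made-up placeholders.

# Map an OpenSSL-style cipher name (as printed by openssl s_client, or by a
# curl linked against OpenSSL) to the IANA name the Gateway lists. Only the
# RSA-authenticated AES suites are covered; anything else is echoed unchanged.
iana_name() {
  case "$1" in
    AES128-SHA)                  echo TLS_RSA_WITH_AES_128_CBC_SHA ;;
    AES256-SHA)                  echo TLS_RSA_WITH_AES_256_CBC_SHA ;;
    AES128-SHA256)               echo TLS_RSA_WITH_AES_128_CBC_SHA256 ;;
    AES256-SHA256)               echo TLS_RSA_WITH_AES_256_CBC_SHA256 ;;
    AES128-GCM-SHA256)           echo TLS_RSA_WITH_AES_128_GCM_SHA256 ;;
    AES256-GCM-SHA384)           echo TLS_RSA_WITH_AES_256_GCM_SHA384 ;;
    DHE-RSA-AES128-SHA)          echo TLS_DHE_RSA_WITH_AES_128_CBC_SHA ;;
    DHE-RSA-AES256-SHA)          echo TLS_DHE_RSA_WITH_AES_256_CBC_SHA ;;
    DHE-RSA-AES128-SHA256)       echo TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 ;;
    DHE-RSA-AES256-SHA256)       echo TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 ;;
    DHE-RSA-AES128-GCM-SHA256)   echo TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 ;;
    DHE-RSA-AES256-GCM-SHA384)   echo TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 ;;
    ECDHE-RSA-AES128-SHA)        echo TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA ;;
    ECDHE-RSA-AES256-SHA)        echo TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA ;;
    ECDHE-RSA-AES128-SHA256)     echo TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 ;;
    ECDHE-RSA-AES256-SHA384)     echo TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 ;;
    ECDHE-RSA-AES128-GCM-SHA256) echo TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ;;
    ECDHE-RSA-AES256-GCM-SHA384) echo TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 ;;
    *)                           echo "$1" ;;
  esac
}

# Pull the negotiated cipher out of `curl -v` output read from stdin.
# curl+OpenSSL prints "* SSL connection using TLSv1.2 / DHE-RSA-AES256-SHA256",
# curl+NSS prints    "* SSL connection using TLS_DHE_RSA_WITH_AES_256_CBC_SHA256";
# in both cases the cipher is the last " / "-separated field.
negotiated_cipher() {
  sed -n 's/^\* SSL connection using //p' | head -n 1 | awk -F' / ' '{ print $NF }'
}

# curl -v output on stdin -> the name to tick in the assertion's Cipher Suites dialog.
gateway_cipher() {
  iana_name "$(negotiated_cipher)"
}

# Enumerate the RSA-authenticated AES suites the server actually accepts (one
# per line, Gateway naming) by offering them one at a time over TLS 1.2.
# A refused suite makes s_client print "Cipher is (NONE)". Needs network access.
probe_server() {
  local host=$1 port=$2 c
  for c in $(openssl ciphers 'aRSA+AES' | tr ':' ' '); do
    if openssl s_client -connect "$host:$port" -tls1_2 -cipher "$c" </dev/null 2>/dev/null \
         | grep -q 'Cipher is [A-Z0-9]'; then
      iana_name "$c"
    fi
  done
}

# Constructed sample of curl -kv output from an OpenSSL build (not a real capture).
SAMPLE_CURL_OUTPUT='* Connected to example.internal (10.0.0.5) port 8443
* SSL connection using TLSv1.2 / DHE-RSA-AES256-SHA256
* Server certificate:
*  subject: CN=example.internal'

sample_gateway_cipher() {
  printf '%s\n' "$SAMPLE_CURL_OUTPUT" | gateway_cipher
}

if [ $# -ge 2 ]; then
  probe_server "$1" "$2"     # live use: ./probe.sh example.internal 8443
else
  sample_gateway_cipher      # offline demo on the constructed sample
fi
```

For a live check of a single connection, curl writes its "*" lines to stderr, so pipe both streams: curl -kv https://<remotehost>:<port> 2>&1 | gateway_cipher. Run the script with a host and port to list every suite the server accepts, then pick one of those in the assertion.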