3DES cipher suites disabled on API Gateway 9.4 causes handshake error

book

Article ID: 142382

calendar_today

Updated On:

Products

CA API Gateway API SECURITY CA API Gateway Precision API Monitoring Module for API Gateway (Layer 7) CA API Gateway Enterprise Service Manager (Layer 7) STARTER PACK-7 CA Microgateway

Issue/Introduction

After upgrade from API gateway 9.3 to 9.4, outbound https connection fails with error:

Error msg: Unable to obtain HTTP response from <https URL>: Remote host closed connection during handshake. Caused by: SSL peer shut down incorrectly.

 

When test handshake with curl command,

curl -kv <https URL>

connection successful but using 3DES cipher.

 

Cause

From gateway 9.4, 3DES cipher suites are removed, as per the JDK upgrade,

https://www.oracle.com/technetwork/java/javase/8u171-relnotes-4308888.html#JDK-8175075

        TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
        TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
        SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
        TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
        TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
        SSL_RSA_WITH_3DES_EDE_CBC_SHA

 

And the gateway will not provide any configuration to re-enable them for security concerns.

Environment

Release : 9.4

Component : API GTW ENTERPRISE MANAGER

Resolution

Upgrade/configure the remote host(backend server) to disable 3DES cipher suites and support stronger cipher suites.

Additional Information

https://www.oracle.com/technetwork/java/javase/8u171-relnotes-4308888.html#JDK-8175075