search cancel

DH ServerKeyExchange does not comply to algorithm constraints

book

Article ID: 216804

calendar_today

Updated On:

Products

CA API Gateway

Issue/Introduction

Executing the Route Via Https assertion fails with the following kind of error:

Problem routing to https://xxxxx. Error msg: Unable to obtain HTTP response from https://xxxxx: DH ServerKeyExchange does not comply to algorithm constraints

Environment

Gateway 9.x, 10.x

Cause

Later versions of java are more stringent in regards to weaker cryptographic algorithms being used.  If the backend host the gateway is trying to establish a connection with only supports weak ciphers then that can result in the error in question being generated.

Resolution

Make the appropriate changes on the backed such that it supports stronger ciphers to be used.

If that is not possible at the present time then the following changes can be made to work around the situation:

 

Modify the following file on each gateway server:

/opt/SecureSpan/JDK/jre/lib/security/java.security

Change the DH keySize value from 1024 to 768

Original Setting:
jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, DH keySize < 1024, \
    EC keySize < 224, 3DES_EDE_CBC

Modified Setting:
jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, DH keySize < 768, \
    EC keySize < 224, 3DES_EDE_CBC

 

Restart the gateway service for the change to take effect.