
TLS1.3 failing on listen port


Article ID: 242557


Products

CA API Gateway

Issue/Introduction

10.0 CR 4 software gateway

Enabling TLS 1.3 via Policy Manager (PM) on listen ports does not appear to work properly.

If TLS 1.2 is also enabled, clients connect with TLS 1.2. If only TLS 1.3 is enabled, clients fail to connect, and the VIP (F5) health probes fail as well.

Tested with multiple TLS 1.3 compatible browsers.


Environment

Release : 10.0

Component : API GATEWAY

Resolution

Ensure that the following cipher suites are enabled on the listen port when the TLS 1.3 option is selected:

  • TLS_AES_256_GCM_SHA384
  • TLS_AES_128_GCM_SHA256

TLS 1.3 support was added in CR3 for Gateway 10, which is why the documentation notes that these two cipher suites must be enabled. New features are not applied to existing objects: a listen port created before CR3 keeps its original cipher list, so selecting TLS 1.3 on it without enabling a TLS 1.3 cipher suite leaves no suite that a TLS 1.3 client can negotiate. If you create a new SSL listen port, these suites are enabled by default.

From Gateway 10.1 onward, the default configuration of the listen ports, and of new SSL listen ports, has TLS 1.2 and TLS 1.3 checked and all cipher suites enabled.
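To confirm the fix from the client side, the following added probe script (not part of this article or of the gateway product) connects with TLS 1.3 only, the way a 1.3-only client or an F5 health monitor would, and reports the negotiated protocol version and cipher suite. The host and port values are placeholders you replace with your own listen port.

```python
"""Probe a gateway listen port with a TLS 1.3-only client (added example)."""
import socket
import ssl

# Hypothetical gateway listen port; replace with your own values.
GATEWAY_HOST = "gateway.example.com"
GATEWAY_PORT = 8443

# The two TLS 1.3 suites the article says must be enabled on the listen port.
TLS13_SUITES = {"TLS_AES_256_GCM_SHA384", "TLS_AES_128_GCM_SHA256"}


def tls13_only_context() -> ssl.SSLContext:
    """Client context that refuses anything below TLS 1.3, mirroring a
    client or health probe that offers only TLS 1.3."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_3
    ctx.maximum_version = ssl.TLSVersion.TLSv1_3
    # Listen ports often carry a self-signed default certificate; this probe
    # tests protocol negotiation, not trust, so certificate checks are off.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def probe_tls13(host: str, port: int, timeout: float = 5.0) -> dict:
    """Return a result dict: ok (TLS 1.3 negotiated), version, cipher,
    expected_suite (cipher is one of the two documented suites), error."""
    result = {"ok": False, "version": None, "cipher": None,
              "expected_suite": False, "error": None}
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with tls13_only_context().wrap_socket(raw, server_hostname=host) as tls:
                result["version"] = tls.version()
                result["cipher"] = tls.cipher()[0]
                result["ok"] = result["version"] == "TLSv1.3"
                result["expected_suite"] = result["cipher"] in TLS13_SUITES
    except ssl.SSLError as exc:
        # Typical symptom of a port with TLS 1.3 selected but no 1.3 suite
        # enabled: the handshake fails instead of negotiating a cipher.
        result["error"] = "handshake failed: %s" % exc
    except OSError as exc:
        # Connection refused, timeout, DNS failure, etc.
        result["error"] = "connection failed: %s" % exc
    return result


if __name__ == "__main__":
    print(probe_tls13(GATEWAY_HOST, GATEWAY_PORT))
```

A healthy port reports `ok: True` and a cipher from the documented pair; a port with TLS 1.3 selected but those suites unchecked reports a handshake failure, matching the symptom described above.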