We applied an update and that appears to have stopped support for TLS 1.0 and TLS 1.1. We still need those for legacy app support. We have enabled them in the OS, but now that doesn't work anymore. We need help to find a solution.
Release : 10.1
How to re-enable deprecated TLS protocols - (NOT recommended)
Gateway 10.1 CR2 before changes:
# curl --verbose --tlsv1.0 https://<GatewayHostname>:9443/echo
* About to connect() to <GatewayHostname> port 9443 (#0)
* Trying <IP_Address>...
* Connected to <GatewayHostname> (<IP_Address>) port 9443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
* NSS error -12190 (SSL_ERROR_PROTOCOL_VERSION_ALERT)
* Peer reports incompatible or unsupported protocol version.
* Closing connection 0
curl: (35) Peer reports incompatible or unsupported protocol version.
Workaround (not recommended; a gateway restart is required). NOTE: the protocol also needs to be enabled on the listening port itself, not only in the JVM.
Edit the file /opt/SecureSpan/Gateway/runtime/etc/ssg.security to override the Java security settings. The jdk.tls.disabledAlgorithms list shown below deliberately omits TLSv1 and TLSv1.1, so the JVM no longer refuses those protocol versions:
# more /opt/SecureSpan/Gateway/runtime/etc/ssg.security
# This file appends or override parts of the java.security file
#
# For Example to change security provider order,
# security.provider.1 = ABC
# security.provider.2 = XYZ
# For the Tomcat 9.0.x Upgrade feature
authconfigprovider.factory=org.apache.catalina.authenticator.jaspic.AuthConfigFactoryImpl
jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, \
DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \
include jdk.disabled.namedCurves
After restarting the gateway and enabling TLS 1.0 on listening port 9443, the protocol version error is no longer reported. The handshake now reaches the certificate stage; the remaining NSS error is a certificate trust failure on the client side (the gateway certificate is self-signed, with issuer equal to subject) and is unrelated to the protocol version:
# curl --verbose --tlsv1.1 https://<GatewayHostname>:9443/echo
* About to connect() to <GatewayHostname> port 9443 (#0)
* Trying <IP_Address>...
* Connected to <GatewayHostname> (<IP_Address>) port 9443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
* Server certificate:
* subject: CN=<GatewayHostname>
* start date: Sep 15 19:59:45 2022 GMT
* expire date: Sep 12 19:59:45 2032 GMT
* common name: <GatewayHostname>
* issuer: CN=<GatewayHostname>
* NSS error -8156 (SEC_ERROR_CA_CERT_INVALID)
* Issuer certificate is invalid.
* Closing connection 0
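As an added example (not part of this article and not code from the gateway product), the following Python script audits a ssg.security / java.security-style file and reports which deprecated protocol versions the jdk.tls.disabledAlgorithms override leaves enabled, so the change above can be verified and tracked rather than discovered through a client error. The two file contents are constructed sample input embedded inline: one modelled on the JDK default list (which disables TLSv1 and TLSv1.1) and one matching the override shown above. The parser is deliberately minimal and assumes '=' separators and backslash line continuations only.

```python
"""Audit jdk.tls.disabledAlgorithms in a Java security override file.

Added example for this article (constructed, not the gateway's own code):
parses a ssg.security / java.security style properties file, including
backslash line continuations, and reports which deprecated TLS protocol
versions are NOT in the disabled list and would therefore be accepted by
the JVM once the listening port also allows them.
"""

# Protocol versions a defender normally expects to see disabled.
DEPRECATED_PROTOCOLS = ("SSLv3", "TLSv1", "TLSv1.1")

# Constructed sample modelled on the JDK default list (TLSv1/TLSv1.1 disabled).
JDK_DEFAULT_STYLE = r"""
# constructed sample: JDK-default style list
jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \
    DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \
    include jdk.disabled.namedCurves
"""

# Constructed sample matching the ssg.security override shown in the article.
GATEWAY_OVERRIDE = r"""
# This file appends or override parts of the java.security file
#
# For the Tomcat 9.0.x Upgrade feature
authconfigprovider.factory=org.apache.catalina.authenticator.jaspic.AuthConfigFactoryImpl
jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, \
DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \
include jdk.disabled.namedCurves
"""


def parse_java_properties(text):
    """Minimal java.security-style parser: '#' comments, blank lines and
    trailing-backslash continuations. Returns {key: value} with whitespace
    trimmed. Assumes '=' as the separator (':' is not handled)."""
    props = {}
    pending = []  # fragments of the logical line being assembled
    for raw in text.splitlines():
        line = raw.rstrip()
        if not pending and (not line.strip() or line.lstrip().startswith("#")):
            continue  # skip comments/blank lines only outside a continuation
        pending.append(line.lstrip())
        if line.endswith("\\"):
            pending[-1] = pending[-1][:-1]  # drop the continuation marker
            continue
        logical = "".join(pending)
        pending = []
        if "=" in logical:
            key, _, value = logical.partition("=")
            props[key.strip()] = value.strip()
    return props


def disabled_algorithms(props):
    """Split the comma-separated jdk.tls.disabledAlgorithms value into entries."""
    value = props.get("jdk.tls.disabledAlgorithms", "")
    return [item.strip() for item in value.split(",") if item.strip()]


def enabled_deprecated_protocols(text):
    """Return deprecated protocol versions that the file does NOT disable."""
    disabled = set(disabled_algorithms(parse_java_properties(text)))
    return [proto for proto in DEPRECATED_PROTOCOLS if proto not in disabled]


def audit_report(text):
    """Human-readable one-line finding for a security override file."""
    enabled = enabled_deprecated_protocols(text)
    if not enabled:
        return "OK: all deprecated protocol versions are disabled"
    return "FINDING: deprecated protocol versions left enabled: " + ", ".join(enabled)


if __name__ == "__main__":
    # To audit a live file, read it instead of using the constructed samples:
    #   text = open("/opt/SecureSpan/Gateway/runtime/etc/ssg.security").read()
    print("JDK-default style ->", audit_report(JDK_DEFAULT_STYLE))
    print("gateway override  ->", audit_report(GATEWAY_OVERRIDE))
```

Run against the real ssg.security file after the change to confirm that exactly the intended versions (and nothing else, such as SSLv3) were removed from the list, and keep the finding in the change record so the exception is revisited when the legacy application is retired.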