
The last update appears to have disabled TLS-1.0 and TLS-1.1


Article ID: 258117


Products

CA API Gateway

Issue/Introduction

We applied an update and that appears to have stopped support of TLS 1.0 and TLS 1.1. We still need those for legacy app support. We have enabled them in the OS, but now that doesn't work anymore. We need help to find a solution.

Environment

Release : 10.1

Resolution

How to re-enable deprecated TLS protocols (NOT recommended)

Gateway 10.1 CR2 before changes:

# curl --verbose --tlsv1.0 https://<GatewayHostname>:9443/echo
* About to connect() to <GatewayHostname> port 9443 (#0)
*   Trying <IP_Address>...
* Connected to <GatewayHostname> (<IP_Address>) port 9443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* NSS error -12190 (SSL_ERROR_PROTOCOL_VERSION_ALERT)
* Peer reports incompatible or unsupported protocol version.
* Closing connection 0
curl: (35) Peer reports incompatible or unsupported protocol version.

Workaround (not recommended; a Gateway restart is required). NOTE: the protocol must also be enabled on the listening port.

Edit the file /opt/SecureSpan/Gateway/runtime/etc/ssg.security, which appends to or overrides the Java security settings. The listing below shows the file after editing: TLSv1 and TLSv1.1 are no longer present in the jdk.tls.disabledAlgorithms list.

# more /opt/SecureSpan/Gateway/runtime/etc/ssg.security
# This file appends or override parts of the java.security file
#
# For Example to change security provider order,
# security.provider.1 = ABC
# security.provider.2 = XYZ

# For the Tomcat 9.0.x Upgrade feature
authconfigprovider.factory=org.apache.catalina.authenticator.jaspic.AuthConfigFactoryImpl

jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, \
    DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \
    include jdk.disabled.namedCurves

After the restart, and after enabling TLS 1.0 on listening port 9443, curl no longer reports the protocol-version error. The handshake now proceeds as far as certificate validation; the remaining NSS error below comes from the Gateway's self-signed certificate (issuer and subject are the same CN), not from the protocol version:

# curl --verbose --tlsv1.1 https://<GatewayHostname>:9443/echo
* About to connect() to <GatewayHostname> port 9443 (#0)
*   Trying <IP_Address>...
* Connected to <GatewayHostname> (<IP_Address>) port 9443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* Server certificate:
*       subject: CN=<GatewayHostname>
*       start date: Sep 15 19:59:45 2022 GMT
*       expire date: Sep 12 19:59:45 2032 GMT
*       common name: <GatewayHostname>
*       issuer: CN=<GatewayHostname>
* NSS error -8156 (SEC_ERROR_CA_CERT_INVALID)
* Issuer certificate is invalid.
* Closing connection 0
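Because this workaround silently widens what the Gateway will negotiate, an administrator will want a repeatable check of two things: what the ssg.security overlay actually says, and what the listening port actually accepts. The script below is an added example written for this article, not part of the CA API Gateway product or its tooling. It parses java.security-style properties (the '#' comments and trailing-backslash line continuations seen in the listing above), reports whether SSLv3, TLSv1 and TLSv1.1 are still in jdk.tls.disabledAlgorithms, and optionally performs a live handshake per protocol version against a host and port. The two sample file contents are constructed for the example (one mirrors the edited file above, the other adds TLSv1 and TLSv1.1 back to the list); the probe assumes the port speaks TLS and that the local OpenSSL build allows its security level to be lowered so the client can even offer TLS 1.0/1.1.

```python
"""Audit legacy TLS protocol exposure from an ssg.security overlay and,
optionally, from a live listening port.

Added example for this article; not product code. The properties
format (java.security style with '\\' continuations) is real; the
sample file contents below are constructed.
"""
import socket
import ssl

# Legacy protocols whose presence in jdk.tls.disabledAlgorithms matters here.
LEGACY_PROTOCOLS = ("SSLv3", "TLSv1", "TLSv1.1")


def parse_java_security(text):
    """Parse java.security-style properties: '#' comments, blank lines,
    and values continued across lines by a trailing backslash."""
    props = {}
    pending = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not pending and (not line or line.startswith("#")):
            continue
        if line.endswith("\\"):
            pending += line[:-1] + " "   # join continuation, keep a separator
            continue
        full = pending + line
        pending = ""
        if "=" not in full:
            continue
        key, _, value = full.partition("=")
        props[key.strip()] = value.strip()
    return props


def disabled_algorithms(props):
    """Split jdk.tls.disabledAlgorithms into its comma-separated entries."""
    value = props.get("jdk.tls.disabledAlgorithms", "")
    return [e.strip() for e in value.split(",") if e.strip()]


def legacy_protocol_status(text):
    """Return {protocol: True if disabled} for SSLv3, TLSv1 and TLSv1.1."""
    entries = set(disabled_algorithms(parse_java_security(text)))
    return {p: p in entries for p in LEGACY_PROTOCOLS}


def enabled_legacy(text):
    """Legacy protocols the overlay leaves enabled (sorted), i.e. what
    the Gateway may negotiate if the listening port also allows them."""
    return sorted(p for p, off in legacy_protocol_status(text).items() if not off)


def probe_tls_versions(host, port, timeout=5.0):
    """Attempt one handshake per protocol version and report which ones the
    server accepts. Certificate checks are off on purpose: the article's
    Gateway uses a self-signed certificate and we only test negotiation.
    SECLEVEL=0 lets a modern OpenSSL client offer TLS 1.0/1.1 at all."""
    versions = {
        "TLSv1": ssl.TLSVersion.TLSv1,
        "TLSv1.1": ssl.TLSVersion.TLSv1_1,
        "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    }
    results = {}
    for name, ver in versions.items():
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        try:
            ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
            ctx.minimum_version = ver
            ctx.maximum_version = ver
            with socket.create_connection((host, port), timeout=timeout) as sock:
                with ctx.wrap_socket(sock, server_hostname=host):
                    results[name] = True
        except (ssl.SSLError, OSError, ValueError):
            results[name] = False   # refused, alerted, or unsupported locally
    return results


# Constructed sample: an overlay that still disables TLSv1 and TLSv1.1.
HARDENED = """\
# This file appends or override parts of the java.security file
jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \\
    DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \\
    include jdk.disabled.namedCurves
"""

# Constructed sample mirroring the edited file in the article.
WORKAROUND = """\
# For the Tomcat 9.0.x Upgrade feature
authconfigprovider.factory=org.apache.catalina.authenticator.jaspic.AuthConfigFactoryImpl

jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, \\
    DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \\
    include jdk.disabled.namedCurves
"""

if __name__ == "__main__":
    for label, text in (("hardened", HARDENED), ("workaround", WORKAROUND)):
        print(label, "leaves enabled:", enabled_legacy(text) or "none")
    # Live check, e.g.: print(probe_tls_versions("<GatewayHostname>", 9443))
```

Run it against the real file with `legacy_protocol_status(open("/opt/SecureSpan/Gateway/runtime/etc/ssg.security").read())`; any protocol reported as not disabled is a finding to track, because the overlay alone says nothing about which listening ports also have the protocol ticked. The probe result is the ground truth for a given port and should be re-run after every Gateway restart.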