TLS Version Issue

Article ID: 262295

Updated On:

Products

CA API Gateway

Issue/Introduction

This is going to be a quick one.

We want to know if there is any way to change the TLS version for outbound connections at the gateway level, i.e., by changing cluster-wide properties or another way.

We know that we can enforce the TLS version that we want for outbound connections at the policy level in the HTTP routing assertion; we want to know if there is any setting we can add at the gateway level to enforce a particular TLS version (for outbound).

Environment

Release : 10.0

Resolution

There is no cluster-wide property to control or set this for inbound requests. However, Gateway 10.1 and later disable the weak protocols TLS 1.0 and TLS 1.1 by default.

This is controlled by the JDK's java.security file. Changes to this file require a gateway restart and may have unexpected effects on other gateway functionality.

The effect is global, covering both inbound and outbound connections. On Gateway 10.1/11.0 the file that lists the disabled protocols is /opt/SecureSpan/JDK/conf/security/java.security

The latest versions (Gateway 10.1/11.0) disable the following:

jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \
    DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \
    include jdk.disabled.namedCurves

On a Gateway 10.0 appliance, look for the corresponding line in /opt/JDK/jre/lib/security/java.security

LINE:

jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, \
      DSA keySize < 1024, include jdk.disabled.namedCurves

Note that jdk.jar.disabledAlgorithms governs the algorithms accepted when verifying signed JAR files; the property that governs TLS protocol versions is jdk.tls.disabledAlgorithms, which is defined in the same file.
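Because both properties span several physical lines joined by trailing backslashes, checking them by eye or with a plain grep is error-prone. The following is an added example, not Broadcom's or the gateway's own code: a small Python audit that parses a java.security file (joining continuation lines the way the JDK does), extracts jdk.tls.disabledAlgorithms, and reports whether SSLv3, TLSv1 and TLSv1.1 are disabled. The two embedded samples are constructed from the snippets quoted above; the file paths shown are the ones this article names.

```python
"""Audit jdk.tls.disabledAlgorithms in a JDK java.security file.

Added example for the article above; not part of the CA API Gateway product.
Usage on an appliance (paths from the article):
    python3 audit_tls.py /opt/SecureSpan/JDK/conf/security/java.security   # 10.1/11.0
    python3 audit_tls.py /opt/JDK/jre/lib/security/java.security           # 10.0
"""
import sys

# Constructed excerpt mirroring the Gateway 10.1/11.0 defaults quoted in the article.
SAMPLE_JAVA_SECURITY = """\
# constructed excerpt, not a full java.security file
jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, \\
      DSA keySize < 1024, include jdk.disabled.namedCurves
jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \\
    DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \\
    include jdk.disabled.namedCurves
"""

# Constructed excerpt of an older-style file that still permits TLS 1.0/1.1.
SAMPLE_WEAK = """\
jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, \\
    DH keySize < 1024, EC keySize < 224
"""

# Protocols the article says Gateway 10.1+ disables by default.
REQUIRED_DISABLED = ("SSLv3", "TLSv1", "TLSv1.1")


def logical_lines(text):
    """Yield java.security lines with backslash continuations joined."""
    buf = []
    for raw in text.splitlines():
        line = raw.rstrip()
        if buf:
            # Leading whitespace on a continuation line is insignificant.
            line = line.lstrip()
        if line.endswith("\\"):
            buf.append(line[:-1])
            continue
        buf.append(line)
        yield "".join(buf)
        buf = []
    if buf:  # dangling continuation at end of file
        yield "".join(buf)


def parse_properties(text):
    """Parse key=value properties, skipping comments and blank lines."""
    props = {}
    for line in logical_lines(text):
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def split_algorithms(value):
    """Split a disabledAlgorithms value into its comma-separated entries."""
    return [entry.strip() for entry in value.split(",") if entry.strip()]


def audit_tls_protocols(text):
    """Return {protocol: disabled?} for the protocols the article expects disabled."""
    props = parse_properties(text)
    disabled = split_algorithms(props.get("jdk.tls.disabledAlgorithms", ""))
    return {proto: proto in disabled for proto in REQUIRED_DISABLED}


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            content = fh.read()
    else:
        content = SAMPLE_JAVA_SECURITY
    for proto, is_disabled in audit_tls_protocols(content).items():
        print(f"{proto:8s} {'disabled' if is_disabled else 'ENABLED'}")
```

Run without arguments the script audits the constructed 10.1/11.0 sample; run with a path it audits the real file, so it can be used after a java.security edit (and the required restart) to confirm the change took effect on that node. Because the effect is global, the same result applies to inbound and outbound connections.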