TLS 1.2 RSA+SHA1 Signature Algorithm deprecation RFC-9155
search cancel

TLS 1.2 RSA+SHA1 Signature Algorithm deprecation RFC-9155

book

Article ID: 380687

calendar_today

Updated On:

Products

CA API Gateway

Issue/Introduction

Using penetration testing of our services protected by the Broadcom Layer 7 API Gateway, a potential vulnerability is exposed.

The API Gateway seems to still support the use of RSA-SHA1 in the TLS1.2 handshake messages that has been deprecated by RFC-9155 (RFC 9155 - Deprecating MD5 and SHA-1 Signature Hashes in TLS 1.2 and DTLS 1.2 (ietf.org)). 

We would like to disable the offered RSA-SHA1 Signature Algorithm on the API Gateway side, effectively complying to RFC-9155.

Can this be done and how?

Environment

Gateway 11.x 

Cause

The java runtime is still offering the deprecated algorithm during the TLS 1.2 handshake  for backward compatibility , API gateway does not accept the connection when trying to use it.

See openssl response below .

openssl s_client -connect xxx.xxx.xxx.xxx:8443 -sigalgs "RSA+SHA1" -tls1_2
CONNECTED(00000003)
406C76CC787F0000:error:0A0000B5:SSL routines:ssl_cipher_list_to_bytes:no ciphers available:../ssl/statem/statem_clnt.c:3746:No ciphers enabled for max supported SSL/TLS version

Resolution

To prevent the JAVA runtime to offer the depreciated algorithm you can either :

 Modifying "/opt/SecureSpan/Gateway/runtime/etc/profile.d/ssgruntimedefs.sh" and adding the following lines:

default_java_opts="$default_java_opts -Djdk.tls.server.SignatureSchemes=rsa_pkcs1_sha256,rsa_pkcs1_sha384,rsa_pss_rsae_sha256,rsa_pss_rsae_sha384"

default_java_opts="$default_java_opts -Djavax.net.ssl.SSLParameters.setSignatureSchemes=rsa_pkcs1_sha256,rsa_pkcs1_sha384,rsa_pss_rsae_sha256,rsa_pss_rsae_sha384"

Or 

you can override java.security by adding  the following line to /opt/SecureSpan/Gateway/runtime/etc/ssg.security. 

jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \
    DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, SHA1, NULL

Restart the Gateway