Upgrade has detected an invalid and/or unsupported SSL protocol configuration
Article ID: 386466
Products

CA Directory

Issue/Introduction

We are attempting to upgrade CA Directory from 14.1 SP5 to 14.1 SP6. Recently, we successfully upgraded CA Directory from 14.1 SP2 to SP6 without encountering any issues. However, now we are facing the following issue while upgrading to 14.1 SP6:

============================= DXSERVER QUESTIONS ==============================

The upgrade has detected an invalid and/or unsupported SSL protocol configuration and cannot continue.
You must correct the SSL protocol configuration and then upgrade. Please contact CA Support for assistance.

Environment

CA Directory version lower than 14.1 SP6

Cause

In CA Directory 14.1 SP6, the minimum and the default supported protocol is TLS 1.2.

Resolution

With the release of 14.1 SP6, a new validation for the SSL protocol has been introduced. Please refer to the following information regarding the upgrade process:

Upgrading

As stated in the Prerequisites section, in 14.1 SP5 and earlier versions the default protocol, when none was set, was TLS. In 14.1 SP6 the minimum and the default supported protocol is TLS 1.2. Therefore any DSA running with a protocol lower than TLS 1.2, including one that relies on the old default because no protocol is explicitly set, must be changed to TLS 1.2 or higher before upgrading to 14.1 SP6; otherwise the upgrade will fail.

The following SSL configuration in the DSAs must be amended first:

# ssl
set ssl =
{
   cert-dir = "config/ssld/personalities";
   ca-file  = "config/ssld/trusted.pem";
   protocol = ssl;
   fips     = false;
};

In the above configuration, the protocol is set to ssl, which supports SSLv3, TLSv1, and TLSv1.2. Since the Directory is configured to support protocols lower than TLS 1.2, the upgrade is not supported as per the prerequisites.

To proceed, please change the protocol to tlsv12 as shown below:

# ssl
set ssl =
{
   cert-dir = "config/ssld/personalities";
   ca-file  = "config/ssld/trusted.pem";
   protocol = tlsv12;
   fips     = false;
};

This change must be applied to all DSAs on the host.

Important: Before proceeding, test that clients and applications support TLS 1.2 and can connect to the Directory without issues.
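A pre-upgrade check for the condition described above, written here as an added example (it is not CA/Broadcom tooling). It scans the `set ssl` block of each DSA configuration file and flags any whose `protocol` is not `tlsv12` or is missing altogether, since an unset protocol falls back to the pre-SP6 default, which is lower than TLS 1.2. The `.dxc` file extension and the `$DXHOME/config/ssld` location are assumptions; adjust them to match your installation.

```shell
#!/bin/sh
# Added example, not CA Directory tooling: report DSA ssl blocks that the
# 14.1 SP6 upgrade validation will reject.

# check_ssl_protocol FILE
# Prints "FILE: protocol=VALUE" (VALUE is "unset" if no protocol line is
# present) and returns 0 only when the block is set to tlsv12.
check_ssl_protocol() {
    file="$1"
    # Look only inside "set ssl = { ... };" and pull the protocol value.
    proto=$(sed -n '/set ssl/,/};/p' "$file" |
            sed -n 's/^[[:space:]]*protocol[[:space:]]*=[[:space:]]*\([A-Za-z0-9]*\).*/\1/p' |
            head -n 1)
    [ -z "$proto" ] && proto="unset"
    printf '%s: protocol=%s\n' "$file" "$proto"
    case "$proto" in
        tlsv12) return 0 ;;   # ready for 14.1 SP6
        *)      return 1 ;;   # ssl, tls, unset, ...: must be changed first
    esac
}

# scan_dsa_configs DIR
# Runs the check over every *.dxc in DIR (assumed: $DXHOME/config/ssld) and
# returns non-zero if any DSA still needs its protocol changed.
scan_dsa_configs() {
    dir="$1"
    bad=0
    for f in "$dir"/*.dxc; do
        [ -f "$f" ] || continue
        check_ssl_protocol "$f" || bad=$((bad + 1))
    done
    echo "DSA config files needing a protocol change: $bad"
    [ "$bad" -eq 0 ]
}

# Stand-alone use: scan_dsa_configs "${DXHOME:-/opt/CA/Directory/dxserver}/config/ssld"
```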