Route via HTTP(S) assertion fails when routing to HTTPS endpoint


Article ID: 42920


Products

STARTER PACK-7 CA Rapid App Security CA API Gateway

Issue/Introduction

Solution

Background

This is a known defect in the SSL/TLS provider dependency package specific to version 6.2 of the Layer 7 Gateway. This issue occurs when the endpoint does not terminate an SSL/TLS connection in a manner expected by the Gateway's SSL/TLS provider. This issue has most frequently been associated with endpoints using Microsoft IIS but is not limited to that platform.

Presentation

The following error message may be present in the Gateway log files:

WARNING 409 com.l7tech.server.policy.assertion.ServerHttpRoutingAssertion: 4042: Problem routing to https://server.domain.com/service. Error msg: Unable to obtain HTTP response from https://server.domain.com/service: Inbound closed before receiving peer's close_notify: possible truncation attack??
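
To see which backends produce this warning before changing the TLS provider or disabling truncation protection, the log line above can be tallied per endpoint. This is an added example, not part of the original article or the Gateway product; the sample log lines and host names are constructed, and the function name `affected_endpoints` is hypothetical.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Matches the routing warning quoted in this article and captures the endpoint URL.
TRUNCATION_RE = re.compile(
    r"ServerHttpRoutingAssertion: 4042: Problem routing to (?P<url>https://\S+?)\. Error msg: "
    r".*Inbound closed before receiving peer's close_notify"
)

# Constructed sample log lines (hosts are placeholders, not real systems).
SAMPLE_LOG = [
    "WARNING 409 com.l7tech.server.policy.assertion.ServerHttpRoutingAssertion: 4042: "
    "Problem routing to https://backend-a.example.test/service. Error msg: Unable to obtain "
    "HTTP response from https://backend-a.example.test/service: Inbound closed before "
    "receiving peer's close_notify: possible truncation attack??",
    "WARNING 411 com.l7tech.server.policy.assertion.ServerHttpRoutingAssertion: 4042: "
    "Problem routing to https://backend-b.example.test:8443/orders. Error msg: Unable to obtain "
    "HTTP response from https://backend-b.example.test:8443/orders: Inbound closed before "
    "receiving peer's close_notify: possible truncation attack??",
    # Constructed routing failure with a different cause; must not be counted.
    "WARNING 412 com.l7tech.server.policy.assertion.ServerHttpRoutingAssertion: 4042: "
    "Problem routing to https://backend-c.example.test/api. Error msg: Unable to obtain "
    "HTTP response from https://backend-c.example.test/api: Connection refused",
    "WARNING 415 com.l7tech.server.policy.assertion.ServerHttpRoutingAssertion: 4042: "
    "Problem routing to https://backend-a.example.test/service. Error msg: Unable to obtain "
    "HTTP response from https://backend-a.example.test/service: Inbound closed before "
    "receiving peer's close_notify: possible truncation attack??",
]


def affected_endpoints(lines):
    """Count close_notify truncation warnings per (host, port) endpoint."""
    hits = Counter()
    for line in lines:
        match = TRUNCATION_RE.search(line)
        if not match:
            continue  # unrelated line or a routing failure with another cause
        parts = urlsplit(match.group("url"))
        hits[(parts.hostname, parts.port or 443)] += 1  # HTTPS default port
    return hits


if __name__ == "__main__":
    for (host, port), count in affected_endpoints(SAMPLE_LOG).most_common():
        print(f"{host}:{port}  {count} truncation warning(s)")
```
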

Resolution

Version 6.2 and prior

The Gateway will need to be reconfigured to use an alternate SSL/TLS provider installed on the Gateway. To use the alternate SSL/TLS provider, please add the following configuration line item to /opt/SecureSpan/Gateway/node/default/etc/conf.system.properties and restart the Gateway appliance:
com.l7tech.security.tlsProvider=SunJSSE

Version 7.0 and later

The Gateway will need to be instructed to explicitly ignore this error. Add the following cluster-wide property and restart the Gateway service on all nodes in the cluster to configure the Gateway to ignore this behavior:
io.https.response.truncationProtection.disable=TRUE

Impact

This should not cause an issue with other published services, but it may impact the preference of cipher suites and other subtle items of the handshake. Please ensure that this change is tested sufficiently in a lower, non-production environment before implementation in order to confirm interoperation with existing implementations.

If this reconfiguration causes complications with other services then the change can be overridden by removing the property and restarting the Gateway appliance. If a circumstance occurs where you can work around the issue in one service but it breaks others, then the Gateway will need to be upgraded to version 7.0 or later to resolve both problems.

Environment

Release:
Component: APIGTW
