Route via HTTP(S) assertion fails when routing to HTTPS endpoint


Article ID: 42920


Updated On:


STARTER PACK-7 CA Rapid App Security CA API Gateway




This is a known defect in the SSL/TLS provider dependency package specific to version 6.2 of the Layer 7 Gateway. The issue occurs when the endpoint does not terminate an SSL/TLS connection in the manner expected by the Gateway's SSL/TLS provider. It has most frequently been associated with endpoints using Microsoft IIS but is not limited to that platform.


The following error message may be present in the Gateway log files:

WARNING 409 com.l7tech.server.policy.assertion.ServerHttpRoutingAssertion: 4042: Problem routing to Error msg: Unable to obtain HTTP response from Inbound closed before receiving peer's close_notify: possible truncation attack??
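To see which routed endpoints produce this warning before changing the Gateway configuration, the log can be tallied per backend. The script below is an added example, not part of the original article or the product; it assumes the routed URL follows "Problem routing to" (that part is elided in the message above), and the host names and sample lines are constructed.

```python
import re
from collections import Counter

# Class name and message text are taken from the log line quoted in the article.
ROUTING_CLASS = "com.l7tech.server.policy.assertion.ServerHttpRoutingAssertion"
SIGNATURE = "Inbound closed before receiving peer's close_notify"
# Assumption: the routed URL appears right after "Problem routing to".
URL_RE = re.compile(r"Problem routing to\s+(https?://[^\s/]+)", re.IGNORECASE)


def close_notify_hits(lines):
    """Count close_notify routing warnings per backend origin (scheme://host[:port])."""
    hits = Counter()
    for line in lines:
        # Only routing-assertion warnings carrying the close_notify message count.
        if ROUTING_CLASS not in line or SIGNATURE not in line:
            continue
        match = URL_RE.search(line)
        # Lines whose URL cannot be recovered are still counted, under a fixed label.
        origin = match.group(1).rstrip(".:,") if match else "<unknown endpoint>"
        hits[origin] += 1
    return hits


# Constructed sample log lines (not taken from a real Gateway).
PREFIX = "WARNING 409 " + ROUTING_CLASS + ": 4042: Problem routing to "
TAIL = ": " + SIGNATURE + ": possible truncation attack??"
SAMPLE_LOG = [
    PREFIX + "https://iis-backend.example.test/orders. Error msg: Unable to obtain "
    "HTTP response from https://iis-backend.example.test/orders" + TAIL,
    PREFIX + "https://iis-backend.example.test/invoices. Error msg: Unable to obtain "
    "HTTP response from https://iis-backend.example.test/invoices" + TAIL,
    # Same assertion, different failure: must not be counted.
    PREFIX + "https://other.example.test/api. Error msg: Unable to obtain "
    "HTTP response from https://other.example.test/api: Connection refused",
    # Unrelated log line.
    "INFO 12 constructed.unrelated.Logger: service started",
    # URL elided, as in the article's own sample line.
    PREFIX + "Error msg: Unable to obtain HTTP response from" + TAIL[1:],
]

if __name__ == "__main__":
    for origin, count in close_notify_hits(SAMPLE_LOG).most_common():
        print(f"{count:5d}  {origin}")
```

An endpoint that shows up here but is not a known server with this shutdown behavior is worth checking before the error is suppressed for every route.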


Version 6.2 and prior

The Gateway will need to be reconfigured to use an alternate SSL/TLS provider installed on the Gateway. To use the alternate SSL/TLS provider, please add the following configuration line item to /opt/SecureSpan/Gateway/node/default/etc/ and restart the Gateway appliance:

Version 7.0 and later

The Gateway will need to be instructed to explicitly ignore this error. Add the following cluster-wide property and restart the Gateway service on all nodes in the cluster to configure the Gateway to ignore this behavior:


This should not cause an issue with other published services, but it may impact the preference of cipher suites and other subtle items of the handshake. Please ensure that this change is tested sufficiently in a lower, non-production environment before implementation in order to confirm interoperation with existing implementations.

If this reconfiguration causes complications with other services, the change can be overridden by removing the property and restarting the Gateway appliance. If the workaround resolves the issue for one service but breaks others, the Gateway will need to be upgraded to version 7.0 or later to resolve both problems.


Component: APIGTW