When the Layer 7 Gateway attempts to forward a transaction to a backend server over HTTPS, the connection fails with the following error:
Problem routing to https://<HOSTNAME>/. Error msg: Unable to obtain HTTP response from https://<HOSTNAME>: Fatal Alert received: Handshake Failure.
All supported versions of the API Gateway
A tcpdump capture showed that the backend server sent the handshake_failure alert immediately after the Gateway's Client Hello. Comparing the cipher suites enabled on the backend server with the cipher suites configured in Policy Manager showed a mismatch: none of the suites offered by the Gateway were enabled on the server.
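To see what the capture reveals, the following added example (not part of this article or the Gateway product) decodes the cipher suites and SNI that a TLS ClientHello offers and compares them with a server's enabled list. The ClientHello bytes, the hostname gateway.example.com and the server cipher lists are all constructed for the example; an empty intersection is exactly the condition under which a server answers with a handshake_failure alert.

```python
"""Decode the cipher suites and SNI a TLS ClientHello offers, then check them
against a server's configured list. Constructed example; not product code."""
import struct

# Small subset of IANA cipher-suite ids used for the constructed example.
CIPHER_NAMES = {
    0x1301: "TLS_AES_128_GCM_SHA256",
    0x1302: "TLS_AES_256_GCM_SHA384",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
}


def suite_name(suite_id):
    return CIPHER_NAMES.get(suite_id, "0x%04X" % suite_id)


def build_client_hello(suites, sni):
    """Build a minimal TLS 1.2 ClientHello record (constructed test input)."""
    host = sni.encode()
    server_name = b"\x00" + struct.pack("!H", len(host)) + host   # name_type 0 = host_name
    sni_list = struct.pack("!H", len(server_name)) + server_name
    ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list     # extension type 0 = SNI
    body = (
        b"\x03\x03" + bytes(32)                                    # client_version, random (zeros: constructed)
        + b"\x00"                                                  # empty session_id
        + struct.pack("!H", 2 * len(suites))
        + b"".join(struct.pack("!H", s) for s in suites)
        + b"\x01\x00"                                              # compression methods: null only
        + struct.pack("!H", len(ext)) + ext
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body      # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record):
    """Return (client_version, [cipher suite ids], sni or None) from a TLS record."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    pos = 4                                          # skip handshake type + 3-byte length
    version = struct.unpack("!H", hs[pos:pos + 2])[0]
    pos += 2 + 32                                    # client_version, random
    sid_len = hs[pos]
    pos += 1 + sid_len                               # session_id
    cs_len = struct.unpack("!H", hs[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", hs[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    comp_len = hs[pos]
    pos += 1 + comp_len                              # compression methods
    sni = None
    if pos + 2 <= len(hs):                           # extensions block is optional
        ext_len = struct.unpack("!H", hs[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", hs[pos:pos + 4])
            pos += 4
            data = hs[pos:pos + elen]
            pos += elen
            if etype == 0x0000 and len(data) >= 5:   # list length(2), name_type(1), name length(2)
                name_len = struct.unpack("!H", data[3:5])[0]
                sni = data[5:5 + name_len].decode()
    return version, suites, sni


def common_suites(offered, server_enabled):
    """Suites both sides accept, in the client's preference order.
    An empty list means the server has nothing to select: handshake_failure."""
    return [s for s in offered if s in server_enabled]


if __name__ == "__main__":
    record = build_client_hello([0xC02F, 0x002F], "gateway.example.com")
    version, offered, sni = parse_client_hello(record)
    print("version 0x%04X, SNI %s" % (version, sni))
    print("offered:", [suite_name(s) for s in offered])
    mismatched_server = {0x1301, 0xC030}            # constructed: no overlap with the client
    fixed_server = {0x002F, 0xC030}                 # constructed: one suite in common
    print("common (mismatch):", common_suites(offered, mismatched_server))
    print("common (fixed):", [suite_name(s) for s in common_suites(offered, fixed_server)])
```

In practice the ClientHello bytes would come from the tcpdump capture rather than build_client_hello; the parser only reads the fields the alert depends on and ignores extensions other than SNI.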
Change the cipher suites enabled on the backend server so that at least one of them matches the cipher suites configured in Policy Manager.
Cipher suites are configured in Policy Manager under Manage Listen Ports -> Properties -> SSL/TLS Settings.
The Client Hello message lets the server know the following:
Here is a Linux test script that can be run to test the cipher suites being used by a server:
#!/usr/bin/env bash
# Probe which cipher suites a server will negotiate, one at a time.
# OpenSSL requires the port number; SERVER_IP is a placeholder for the backend address.
SERVER=SERVER_IP:443
DELAY=1
# Cipher suites known to the local OpenSSL build, converted to a space-separated list.
ciphers=$(openssl ciphers 'ALL:eNULL' | sed -e 's/:/ /g')
echo "Obtaining cipher list from $(openssl version)."
for cipher in $ciphers
do
  echo -n "Testing $cipher..."
  # Empty stdin makes s_client exit as soon as the handshake completes or fails.
  result=$(echo -n | openssl s_client -cipher "$cipher" -connect "$SERVER" 2>&1)
  if [[ "$result" =~ ":error:" ]] ; then
    # The server rejected this suite; extract the OpenSSL error reason.
    error=$(echo -n "$result" | cut -d':' -f6)
    echo "NO ($error)"
  else
    # A successful handshake reports the negotiated suite on the "Cipher is" / "Cipher :" line.
    if [[ "$result" =~ "Cipher is ${cipher}" || "$result" =~ Cipher\ +: ]] ; then
      echo YES
    else
      echo "UNKNOWN RESPONSE"
      echo "$result"
    fi
  fi
  sleep "$DELAY"
done