Session invalidated : cipher TLS_DHE_RSA_WITH_AES_256_CBC

Session invalidated : cipher TLS_DHE_RSA_WITH_AES_256_CBC_SHA

Article Id: 5206

Status: Published

Updated On: 14-02-2018 08:11

Legacy Id: TEC1346294

Products:

CA Single Sign On Secure Proxy Server (SiteMinder) , AXIOMATICS POLICY SERVER , CA Single Sign On SOA Security Manager (SiteMinder) , CA Single Sign-On , CA Single Sign-On

Issue/Introduction:

Running SPS, when contacting the backend server in SSL,
the connection cannot be done and the SPS reports error :

[28/Oct/2016:05:33:22-967] [INFO] - load(): Failed to add CipherSuite :
TLS_DHE_RSA_WITH_AES_256_CBC_SHA

[28/Oct/2016:05:40:21-840] [INFO] - ***Session invalidated:
[Session ID [
0000: 68 59 ed 7d 88 da c6 17 71 58 f5 f2 01 af 15 da [hY.}....qX......]
0010: a0 19 ab 80 7a 9f 68 c5 28 d5 c3 08 a0 57 56 d6 [....z.h.(....WV.]
], TLS_DHE_RSA_WITH_AES_256_CBC_SHA]
[28/Oct/2016:05:40:21-840] [INFO] - ***SEND Alert Fatal, Bad Certificate

Why is this happening and how can I resolve this ?

Cause:

The SPS reads the key type from the backend server certificate to dress a table of
supported ciphers. It then reads the fipscipher value from server.conf to keep
only the matching ones and put it to a list of cipher. SPS sends that list
to the backend server.
The backend server then chooses the first cipher from that list. In the use case it fails,
both SPS and backend server report an error. RSA support the problematic cipher,
but there's an issue with this one on both SPS and backend server.

Environment:

SPS 12.51CR08 on SunOS 5.10

Resolution:

Remove the cipher "TLS_DHE_DSS_WITH_AES_256_CBC_SHA" from the fipscipher
list in the server.conf SPS configuration, or remove this cipher from the
Backend Server acceptable cipher list to resolve the issue.