When SPS contacts the backend server over SSL, the connection fails
and SPS reports the following errors:
[28/Oct/2016:05:33:22-967] [INFO] - load(): Failed to add CipherSuite :
TLS_DHE_RSA_WITH_AES_256_CBC_SHA
[28/Oct/2016:05:40:21-840] [INFO] - ***Session invalidated:
[Session ID [
0000: 68 59 ed 7d 88 da c6 17 71 58 f5 f2 01 af 15 da [hY.}....qX......]
0010: a0 19 ab 80 7a 9f 68 c5 28 d5 c3 08 a0 57 56 d6 [....z.h.(....WV.]
], TLS_DHE_RSA_WITH_AES_256_CBC_SHA]
[28/Oct/2016:05:40:21-840] [INFO] - ***SEND Alert Fatal, Bad Certificate
Why is this happening and how can I resolve this?
SPS reads the key type from the backend server certificate to build a table of
supported ciphers. It then reads the fipscipher value from server.conf, keeps
only the ciphers that match it, and puts them into a list. SPS sends that list
to the backend server.
The backend server then chooses the first cipher from that list. In the use case where it fails,
both SPS and the backend server report an error. RSA supports the problematic cipher,
but there is an issue with this cipher on both SPS and the backend server.
To resolve the issue, remove the cipher "TLS_DHE_DSS_WITH_AES_256_CBC_SHA" from the
fipscipher list in the SPS server.conf configuration, or remove this cipher from the
backend server's acceptable cipher list.
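
The selection steps and the two remedies described above, modelled in Python as an added example (not SPS code). The function names, the rule mapping a suite name to a key type, the list ordering, and the sample lists are assumptions made for illustration.

```python
import re

# Authentication field of a TLS suite name -> certificate key type it needs.
AUTH_KEY_TYPE = {"RSA": "RSA", "DSS": "DSA", "ECDSA": "EC"}

def key_type_for(suite):
    """Key type required by a suite (plain RSA, DHE_* and ECDHE_* names only)."""
    m = re.match(r"TLS_(?:(?:DHE|ECDHE)_)?(RSA|DSS|ECDSA)_WITH_", suite)
    return AUTH_KEY_TYPE[m.group(1)] if m else None

def offered_suites(cert_key_type, supported, fipscipher):
    """Table built from the key type, then only entries listed in fipscipher.
    Assumption: the resulting list follows the fipscipher order."""
    table = {s for s in supported if key_type_for(s) == cert_key_type}
    return [s for s in fipscipher if s in table]

def backend_choice(offered, backend_accepts):
    """The backend takes the first offered suite that it accepts."""
    return next((s for s in offered if s in backend_accepts), None)

FAILING = "TLS_DHE_RSA_WITH_AES_256_CBC_SHA"  # suite named in the log above

# Constructed sample values, not taken from a real server.conf.
SUPPORTED = [
    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_DHE_DSS_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
]
FIPSCIPHER = list(SUPPORTED)
BACKEND = set(SUPPORTED)

def negotiate(fipscipher, backend_accepts, cert_key_type="RSA"):
    """Suite the modelled backend ends up with for a given configuration."""
    offered = offered_suites(cert_key_type, SUPPORTED, fipscipher)
    return backend_choice(offered, backend_accepts)

if __name__ == "__main__":
    print("as configured:      ", negotiate(FIPSCIPHER, BACKEND))
    trimmed = [s for s in FIPSCIPHER if s != FAILING]
    print("removed on SPS:     ", negotiate(trimmed, BACKEND))
    print("removed on backend: ", negotiate(FIPSCIPHER, BACKEND - {FAILING}))
```

In this model either change moves the negotiation to the next suite in the list, so check that the next entry is one you are willing to run before trimming the configuration.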