Session invalidated : cipher TLS_DHE_RSA_WITH_AES_256_CBC_SHA

Article ID: 5206

Products

CA Single Sign On Secure Proxy Server (SiteMinder)
CA Single Sign On SOA Security Manager (SiteMinder)
CA Single Sign-On

Issue/Introduction

When SPS contacts the backend server over SSL, the connection cannot be
established and SPS logs the following errors:

  [28/Oct/2016:05:33:22-967] [INFO] - load(): Failed to add CipherSuite :
  TLS_DHE_RSA_WITH_AES_256_CBC_SHA

  [28/Oct/2016:05:40:21-840] [INFO] - ***Session invalidated:
  [Session ID [
  0000: 68 59 ed 7d 88 da c6 17 71 58 f5 f2 01 af 15 da [hY.}....qX......]
  0010: a0 19 ab 80 7a 9f 68 c5 28 d5 c3 08 a0 57 56 d6 [....z.h.(....WV.]
  ], TLS_DHE_RSA_WITH_AES_256_CBC_SHA]
  [28/Oct/2016:05:40:21-840] [INFO] - ***SEND Alert Fatal, Bad Certificate

Why is this happening and how can I resolve this?

Cause

  SPS reads the key type from the backend server certificate and builds a table of
  the cipher suites that key type supports. It then reads the fipscipher value from
  server.conf, keeps only the entries that match that table, and sends the resulting
  cipher list to the backend server.
  The backend server chooses the first cipher from that list. In this use case that
  negotiation fails, and both SPS and the backend server report an error: RSA keys do
  support the problematic cipher, but there is an issue with this particular cipher on
  both SPS and the backend server.

Environment

SPS 12.51CR08 on SunOS 5.10

Resolution

  Remove the cipher "TLS_DHE_DSS_WITH_AES_256_CBC_SHA" from the fipscipher
  list in the SPS server.conf configuration file, or remove this cipher from the
  backend server's list of acceptable ciphers, to resolve the issue.
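The following is an added example, not code from the article or from the SPS product. It models the selection logic described under Cause (filter the fipscipher list by the certificate key type, keep the order because the backend takes the first entry) and the Resolution (drop an operator-excluded suite), and it also extracts the offending suite name from log lines shaped like the ones above so the condition can be detected in SPS logs. The server.conf syntax (`fipscipher="..."`), the sample cipher list and the log lines are all constructed assumptions; check the real file format before relying on the parser.

```python
import re

# Constructed server.conf fragment. The fipscipher="..." syntax is an
# assumption for this example, not taken from the article.
SERVER_CONF = '''
# hypothetical fragment
fipscipher="TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_DSS_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA"
'''

# Constructed SPS log lines modelled on the messages quoted in the article.
LOG_LINES = [
    "[28/Oct/2016:05:33:22-967] [INFO] - load(): Failed to add CipherSuite : TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
    "[28/Oct/2016:05:40:21-840] [INFO] - ***Session invalidated: [Session ID [...], TLS_DHE_RSA_WITH_AES_256_CBC_SHA]",
    "[28/Oct/2016:05:40:21-840] [INFO] - ***SEND Alert Fatal, Bad Certificate",
]


def read_fipscipher(conf_text):
    """Return the suite names from the fipscipher value, preserving order."""
    m = re.search(r'^\s*fipscipher\s*=\s*"([^"]*)"', conf_text, re.MULTILINE)
    if not m:
        return []
    return [c.strip() for c in m.group(1).split(",") if c.strip()]


def key_exchange_of(cipher):
    """Key-exchange/authentication part of an IANA suite name, e.g. 'DHE_RSA'."""
    m = re.match(r'^TLS_(.+?)_WITH_', cipher)
    return m.group(1) if m else None


def compatible_with_key(cipher, key_type):
    """A suite whose authentication algorithm differs from the server
    certificate's key type (e.g. DHE_DSS against an RSA certificate)
    can never complete the handshake, so SPS must not offer it."""
    kx = key_exchange_of(cipher)
    if kx is None:
        return False
    auth = kx.split("_")[-1]  # 'RSA' in 'DHE_RSA', 'DSS' in 'DHE_DSS'
    return auth == key_type


def build_offer(conf_text, cert_key_type, excluded=()):
    """Model the Cause section: keep only fipscipher entries matching the
    certificate key type, then drop any suite the operator excluded.
    Order is kept because the backend server picks the first entry."""
    offer = []
    for c in read_fipscipher(conf_text):
        if c in excluded or not compatible_with_key(c, cert_key_type):
            continue
        offer.append(c)
    return offer


def flagged_ciphers(lines):
    """Detection: pull the suite name out of the two failure messages
    ('Failed to add CipherSuite' and 'Session invalidated')."""
    pat = re.compile(
        r'(?:Failed to add CipherSuite\s*:\s*|Session invalidated:.*?,\s*)(TLS_[A-Z0-9_]+)'
    )
    found = []
    for ln in lines:
        m = pat.search(ln)
        if m and m.group(1) not in found:
            found.append(m.group(1))
    return found


if __name__ == "__main__":
    bad = flagged_ciphers(LOG_LINES)
    print("suite(s) named in failure messages:", bad)
    print("offer with an RSA certificate:", build_offer(SERVER_CONF, "RSA"))
    print("offer after excluding the flagged suite(s):",
          build_offer(SERVER_CONF, "RSA", excluded=set(bad)))
```

Running it shows that the DHE_DSS suite is already dropped by the key-type filter when the backend presents an RSA certificate, and that excluding the suite named in the log moves a different suite to the head of the list, which is what the backend will then pick.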