Intermittent SSL Errors after upgrading to 12.7.sp1

Document ID : KB000072389
Last Modified Date : 02/03/2018
Show Technical Document Details
Issue:

CA Access Gateway 12.7 SP1 Generates SSL Errors under Load. 
Where individual requests process normally. 

While Troubleshooting this issue on Red Hat, you can use the following command to replicate load. 
ab -n 100 -c 10 -f TLS1.2 https://mysever.mydomain.com/

With CA Access Gateway 12.7 SP1, you might see the following errors in the command. 
-ERRORS-- 
140446470321952:error:0407006A:rsa routines:RSA_padding_check_PKCS1_type_1:block type is not 01:rsa_pk1.c:100: 
140446470321952:error:04067072:rsa routines:RSA_EAY_PUBLIC_DECRYPT:padding check failed:rsa_eay.c:797: 
140446470321952:error:1408D07B:SSL routines:SSL3_GET_KEY_EXCHANGE:bad signature:s3_clnt.c:1837: 
SSL handshake failed (1). 

--Stats-(Trimmed)-- 
Server Software: Apache/2.4.27 
Server Hostname: mysever.mydomain.com
Server Port: 443 
SSL/TLS Protocol: TLSv1.2,ECDHE-RSA-AES128-GCM-SHA256,2048,128 
Document Path: / 
Document Length: 0 bytes 
Concurrency Level: 10 
Time taken for tests: 7.536 seconds 
Complete requests: 100 
Failed requests: 74 

Changing the command to generate one request results in no errors. 
ab -n 1 -c 1 -f TLS1.2 https://mysever.mydomain.com/

NOTE: Please see Apache's Documentation for more information regarding the use of 'ab'.
ab - Apache HTTP Server Benchmarking Tool - https://httpd.apache.org/docs/2.4/programs/ab.html

Environment:

CA Access Gateway 12.7 SP1

Red Hat OS 6 and 7
Windows OS 2012 R2 

Resolution:
Upgrading to CA Access Gateway 12.7 SP2 Resolves this issue. 


 
Additional Information:
As of 03/02/2018 the Release notes have been updated to document the upgrade of Apache HTTP Server 2.4.29.
https://docops.ca.com/ca-single-sign-on/12-7/en/release-notes/service-packs/defects-fixed-in-12-7-02#DefectsFixedin12.7.02-smsps