A Red Hat Apache (httpd) instance used as a reverse proxy was unable to connect to an older API Gateway 8.3 server over SSL; a 502 error code was returned to clients.
The Apache reverse proxy works in the QA environment, where it negotiates the cipher TLS_DHE_RSA_WITH_AES_256_CBC_SHA, but not in the PROD environment, where it returns the following error:
SSL Library Error: 336077172 error:14082174:SSL routines:SSL3_CHECK_CERT_AND_ALGORITHM:dh key too small
[Sun May 06 20:06:05 2018] [info] [client 10.167.12.145] Connection closed to child 0 with abortive shutdown (server www.example.com:443)
[Sun May 06 20:06:05 2018] [error] (502)Unknown error 502: proxy: pass request body failed to XXX.XXX.XXX.XXX:9443 (www.example.com)
After the OpenSSL upgrade on the proxies from 1.0.1e-42 to 1.0.1e-52, the new version 1.0.1e-52 no longer accepts DH keys with a key size smaller than 1024 bits, as a mitigation for the Logjam attack.
But API Gateway 8.3 runs on JDK 1.7, in which the DH key size is hard-coded to 768 bits for non-export ciphers, so the proxy-to-gateway SSL handshake fails. This is the root cause.
The best solution is to upgrade to a newer release of API Gateway (9.2/9.3), which runs on JDK 1.8 and supports different DH key sizes.