Red Hat reverse proxy unable to connect with Layer7 API Gateway

Document ID : KB000094885
Last Modified Date : 06/06/2018
Introduction:

A Red Hat Apache server used as a reverse proxy was unable to connect over SSL to an (older) API Gateway 8.3 server. A 502 error code is returned.

The Apache reverse proxy works in the QA environment, where it negotiates the cipher TLS_DHE_RSA_WITH_AES_256_CBC_SHA.

In the PROD environment, however, it fails and returns the following error:

SSL Library Error: 336077172 error:14082174:SSL routines:SSL3_CHECK_CERT_AND_ALGORITHM:dh key too small 
[Sun May 06 20:06:05 2018] [info] [client 10.167.12.145] Connection closed to child 0 with abortive shutdown (server www.example.com:443) 
[Sun May 06 20:06:05 2018] [error] (502)Unknown error 502: proxy: pass request body failed to XXX.XXX.XXX.XXX:9443 (www.example.com) 

 
Background:

 
Instructions:

After the OpenSSL upgrade on the proxies from 1.0.1e-42 to 1.0.1e-52, the new version (1.0.1e-52) no longer accepts DH keys smaller than 1024 bits, as a mitigation for the Logjam attack.

API Gateway 8.3, however, runs on JDK 1.7, in which the ephemeral DH key size is hard-coded to 768 bits for non-export ciphers, so the SSL handshake between the proxy and the gateway fails. This is the root cause.

The recommended solution is to upgrade to a newer release of API Gateway (9.2/9.3), which runs on JDK 1.8 and supports larger DH key sizes.
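As an added illustration (not part of this document or of either product), the following Python script shows the decision the upgraded OpenSSL client makes: it parses the ServerDHParams carried in a TLS ServerKeyExchange message (RFC 5246, section 7.4.3) and rejects the handshake when the DH prime is shorter than 1024 bits, which is what the "dh key too small" line in the log represents. The DH values are constructed for illustration only and are not real safe primes; the 768-bit case mirrors the JDK 1.7 gateway, the 2048-bit case a JDK 1.8 gateway.

```python
import struct

# Minimum DH prime size accepted by the upgraded OpenSSL (1.0.1e-52) described above.
MIN_DH_BITS = 1024


def build_server_dh_params(p: int, g: int, ys: int) -> bytes:
    """Serialise ServerDHParams (RFC 5246, section 7.4.3): dh_p, dh_g and dh_Ys,
    each as a 16-bit length followed by the big-endian integer. The signature that
    follows in a real DHE_RSA ServerKeyExchange is omitted here."""
    out = b""
    for value in (p, g, ys):
        raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
        out += struct.pack("!H", len(raw)) + raw
    return out


def parse_server_dh_params(blob: bytes) -> dict:
    """Parse ServerDHParams back into integers; raise ValueError on truncation."""
    params = {}
    offset = 0
    for name in ("p", "g", "Ys"):
        if offset + 2 > len(blob):
            raise ValueError(f"missing length prefix for {name}")
        (length,) = struct.unpack_from("!H", blob, offset)
        offset += 2
        raw = blob[offset:offset + length]
        if len(raw) != length:
            raise ValueError(f"truncated {name}: expected {length} bytes, got {len(raw)}")
        params[name] = int.from_bytes(raw, "big")
        offset += length
    return params


def check_dh_strength(blob: bytes, minimum_bits: int = MIN_DH_BITS):
    """Return (prime_bits, accepted). prime_bits is None when the message is malformed.
    A client applying the Logjam mitigation rejects a prime below minimum_bits; this
    is the decision behind the 'dh key too small' error shown in the log above."""
    try:
        params = parse_server_dh_params(blob)
    except ValueError:
        return None, False
    bits = params["p"].bit_length()
    return bits, bits >= minimum_bits


# Constructed sample values: only the bit lengths matter here. These are NOT real
# safe primes and must not be used as DH groups anywhere.
LEGACY_768_BLOB = build_server_dh_params(p=(1 << 767) | 1, g=2, ys=(1 << 700) | 5)    # JDK 1.7 style group
MODERN_2048_BLOB = build_server_dh_params(p=(1 << 2047) | 1, g=2, ys=(1 << 2000) | 5)  # JDK 1.8 style group

if __name__ == "__main__":
    for label, blob in (("768-bit (JDK 1.7)", LEGACY_768_BLOB), ("2048-bit (JDK 1.8)", MODERN_2048_BLOB)):
        bits, ok = check_dh_strength(blob)
        verdict = "handshake continues" if ok else "dh key too small, handshake aborted"
        print(f"{label}: p is {bits} bits -> {verdict}")
```

Running the script prints one line per sample group; the 768-bit group is refused and the 2048-bit group is accepted, matching the QA/PROD difference described above once the proxy's OpenSSL was upgraded.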

 
Additional Information:

Note 1: Debugging the SSL connection:

openssl s_client -connect localhost:8443 

openssl s_client -connect localhost:8443 -cipher ECDHE-RSA-AES256-GCM-SHA384



Note 2: Changes in DH key size in JDK 1.8

Gateway 8.3 is quite old and runs on JDK 1.7. JDK 1.7 had limitations on TLSv1.2 and GCM cipher support that were lifted only in JDK 1.8, and it also appears to have limitations on DH key sizes. From the JSSE Reference Guide (https://docs.oracle.com/javase/8/docs/technotes/guides/security/jsse/JSSERefGuide.html#customizing_dh_keys): "legacy: The JSSE Oracle provider preserves the legacy behavior (for example, using ephemeral DH keys of sizes 512 bits and 768 bits) of JDK 7 and earlier releases."

And more recently: 
https://docops.ca.com/ca-api-gateway/9-3/en/release-notes-9-3/resolved-issues#ResolvedIssues-IssuesResolvedinVersion9.3CR1 
Java 8 Update 161 now restricts Diffie-Hellman keys that are less than 1024 bits.