Right format for specifying Ciphers in server.conf for CA Access Gateway (formerly Secure Proxy Server)

Document ID : KB000047341
Last Modified Date : 14/02/2018
Show Technical Document Details

 

If you are adding ciphers to server.conf and you see errors such as the following in the server.log when loading the ciphersuite : 

 

    [20/Sep/2016:18:24:10-824] [INFO] - load(): Added CipherSuite : DHE_DSS_With_3DES_EDE_CBC_SHA 

    [20/Sep/2016:18:24:10-825] [INFO] - load(): Added CipherSuite : DHE_RSA_With_3DES_EDE_CBC_SHA 

    [20/Sep/2016:18:24:10-825] [INFO] - load(): Added CipherSuite : RSA_With_3DES_EDE_CBC_SHA 

    [20/Sep/2016:18:24:10-826] [INFO] - load(): Added CipherSuite : DH_DSS_With_3DES_EDE_CBC_SHA 

    [20/Sep/2016:18:24:10-827] [INFO] - load(): Failed to add CipherSuite : TLS_RSA_WITH_AES_128_CBC_SHA 

    [20/Sep/2016:18:24:10-827] [INFO] - load(): Failed to add CipherSuite : TLS_DHE_RSA_WITH_AES_128_CBC_SHA 

    [20/Sep/2016:18:24:10-828] [INFO] - load(): Failed to add CipherSuite : TLS_DHE_DSS_WITH_AES_128_CBC_SHA 

    [20/Sep/2016:18:24:10-829] [INFO] - load(): Failed to add CipherSuite : TLS_RSA WITH_AES_128_CBC_SHA256

 

Then the problem may be the format you are using for the cipher. 

In the above the formats of the CipherSuite is not correct for java format : 

         TLS_DHE_DSS_WITH_AES_128_CBC_SHA 

    should be in format : 

          DHE_DSS_With_AES_128_CBC_SHA 

 

These extra algorithms were from the OpenSSL format for the Cipher not the format that Java uses.  Once the formatwas changed the to the Java format they were loaded correctly. 

 

And so the actual error message did make sense, the JVM was unable to find the CipherSuite :  TLS_DHE_DSS_WITH_AES_128_CBC_SHA

 

The Ciphers are specified in the SPS file proxy-engine/conf/server.conf , in the following parameters : 

ciphers="-RSA_With_Null_SHA,+RSA_With_Null_MD5,-RSA_With_RC4_SHA,+RSA_With_RC4_MD5,+RSA_With_DES_CBC_SHA,+RSA_Export_With_RC4_40_MD5,-RSA_Export_With_DES_40_CBC_SHA,+RSA_Export_With_RC2_40_CBC_MD5,-DH_RSA_With_DES_CBC_SHA,-DH_RSA_With_3DES_EDE_CBC_SHA,-DH_RSA_Export_With_DES_40_CBC_SHA,-DH_DSS_With_DES_CBC_SHA,-DH_DSS_Export_With_DES_40_CBC_SHA,-DH_Anon_With_RC4_MD5,-DH_Anon_With_DES_CBC_SHA,-DH_Anon_With_3DES_EDE_CBC_SHA,-DH_Anon_Export_With_DES_40_CBC_SHA,-DH_Anon_Export_With_RC4_40_MD5,-DHE_RSA_With_DES_CBC_SHA,-DHE_RSA_Export_With_DES_40_CBC_SHA,-DHE_DSS_With_DES_CBC_SHA,-DHE_DSS_Export_With_DES_40_CBC_SHA"

 

fipsciphers="+DHE_DSS_With_AES_256_CBC_SHA, +DHE_RSA_With_AES_256_CBC_SHA, +RSA_With_AES_256_CBC_SHA, +DH_DSS_With_AES_256_CBC_SHA, +DH_RSA_With_AES_256_CBC_SHA, +DHE_DSS_With_AES_128_CBC_SHA, +DHE_RSA_With_AES_128_CBC_SHA, +RSA_With_AES_128_CBC_SHA, +DH_DSS_With_AES_128_CBC_SHA, +DH_RSA_With_AES_128_CBC_SHA, +DHE_DSS_With_3DES_EDE_CBC_SHA, +DHE_RSA_With_3DES_EDE_CBC_SHA, +RSA_With_3DES_EDE_CBC_SHA, +DH_DSS_With_3DES_EDE_CBC_SHA"

 

 

When FIPS mode is specified, only ciphers listed in "fipsciphers" are used, and when NON-FIPS is used, then ciphers from both "ciphers" and "fipsciphers" are allowed. 

The entries are a pattern match, a "+XXX" mean the pattern is allowed, and a "-XXX" entry means the pattern is not allowed.