Session invalidated : cipher TLS_DHE_RSA_WITH_AES_256_CBC_SHA

Document ID : KB000005206
Last Modified Date : 14/02/2018
Issue:

When SPS contacts the backend server over SSL, the connection fails
and SPS reports the following errors:

  [28/Oct/2016:05:33:22-967] [INFO] - load(): Failed to add CipherSuite :
  TLS_DHE_RSA_WITH_AES_256_CBC_SHA

  [28/Oct/2016:05:40:21-840] [INFO] - ***Session invalidated:
  [Session ID [
  0000: 68 59 ed 7d 88 da c6 17 71 58 f5 f2 01 af 15 da [hY.}....qX......]
  0010: a0 19 ab 80 7a 9f 68 c5 28 d5 c3 08 a0 57 56 d6 [....z.h.(....WV.]
  ], TLS_DHE_RSA_WITH_AES_256_CBC_SHA]
  [28/Oct/2016:05:40:21-840] [INFO] - ***SEND Alert Fatal, Bad Certificate

Why is this happening and how can I resolve this?

Environment:
SPS 12.51CR08 on SunOS 5.10
Cause:

  SPS reads the key type from the backend server certificate to build a table of
  supported ciphers. It then reads the fipscipher value from server.conf, keeps
  only the matching ciphers, and puts them in a cipher list. SPS sends that list
  to the backend server.
  The backend server then chooses the first cipher from that list. In the failing case,
  both SPS and the backend server report an error. RSA supports the problematic cipher,
  but there is an issue with this cipher on both SPS and the backend server.

Resolution:

  Remove the cipher "TLS_DHE_DSS_WITH_AES_256_CBC_SHA" from the fipscipher
  list in the server.conf SPS configuration, or remove this cipher from the
  Backend Server acceptable cipher list to resolve the issue.
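
To confirm which suite is involved before editing the fipscipher list, the following added example (not part of the original article and not SPS code) parses log text in the format shown under Issue and reports each suite that failed to load and also appears in an invalidated session. The sample log is constructed, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the log excerpt under "Issue"
# (the session ID bytes are made up).
SAMPLE_LOG = """\
[28/Oct/2016:05:33:22-967] [INFO] - load(): Failed to add CipherSuite :
TLS_DHE_RSA_WITH_AES_256_CBC_SHA
[28/Oct/2016:05:40:21-840] [INFO] - ***Session invalidated:
[Session ID [
0000: 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f [................]
], TLS_DHE_RSA_WITH_AES_256_CBC_SHA]
[28/Oct/2016:05:40:21-840] [INFO] - ***SEND Alert Fatal, Bad Certificate
"""

SUITE = r"((?:TLS|SSL)_[A-Z0-9_]+)"
# The suite name may be wrapped onto the next line, so allow any whitespace.
LOAD_FAIL = re.compile(r"Failed to add CipherSuite\s*:\s*" + SUITE)
# The session record spans several lines: header, hex dump, then "], <suite>]".
INVALIDATED = re.compile(r"\*\*\*Session invalidated:.*?\],\s*" + SUITE + r"\]", re.S)
ALERT = re.compile(r"\*\*\*SEND Alert Fatal, ([^\n]+)")

def summarize(log_text):
    """Return {suite: {"load_failed": bool, "invalidated": int, "alerts": [...]}}."""
    report = defaultdict(lambda: {"load_failed": False, "invalidated": 0, "alerts": []})
    for m in LOAD_FAIL.finditer(log_text):
        report[m.group(1)]["load_failed"] = True
    for m in INVALIDATED.finditer(log_text):
        entry = report[m.group(1)]
        entry["invalidated"] += 1
        # Attribute a fatal alert only if it is logged before the next session record.
        alert = ALERT.search(log_text, m.end())
        following = INVALIDATED.search(log_text, m.end())
        if alert and (following is None or alert.start() < following.start()):
            entry["alerts"].append(alert.group(1).strip())
    return dict(report)

def suspects(log_text):
    """Suites that both failed to load and appear in an invalidated session."""
    return sorted(s for s, e in summarize(log_text).items()
                  if e["load_failed"] and e["invalidated"])

if __name__ == "__main__":
    for suite, entry in summarize(SAMPLE_LOG).items():
        print(suite, entry)
    print("suspects:", suspects(SAMPLE_LOG))
```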