Why does Spectrum 10.3 with OneClick SSL not work with ModSecurity

Document ID : KB000119974
Last Modified Date : 06/11/2018
Question:
Why does Spectrum 10.3 with SSL-enabled OneClick not work with ModSecurity?
The error message seen is:
" Proxy Error:
The proxy server received an invalid response from an upstream server.
The proxy server could not handle the request GET /spectrum/index.jsp.
Reason: Error reading from remote server".
Environment:
Spectrum 10.3
OneClick with SSL enabled
Red Hat Linux
Answer:
The reason is that OneClick in Spectrum 10.3 supports only TLS 1.2 in SSLEnabledProtocols.
However, the Apache server shipped with 10.3 for ModSecurity (2.4.12) supports only TLS 1.0 and TLS 1.1. With no protocol version in common, the Apache proxy cannot complete a TLS handshake with OneClick, which results in the proxy error above.
Please request the package apache2.4.35.tar from CA Support, make a backup copy of the existing Apache folder, and then uncompress the package and copy it into the $SPECROOT directory.
Then make sure to change the ownership, as it is set by default to spectrum spectrum.
Then follow the implementation instructions for Spectrum 10.3 to enable ModSecurity.
This is scheduled to be resolved out of box in Spectrum 10.3.1.
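To confirm the protocol mismatch described above before and after replacing Apache, the following added example (not part of the CA article or of Spectrum) probes the OneClick HTTPS port with one TLS version at a time and compares the result with what the proxy can speak. The host name, port and function names are assumptions.

```python
import socket
import ssl
import warnings

# Protocol versions named in the article.
VERSIONS = {
    "TLSv1.0": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
}

def probe(host, port, timeout=5.0):
    """Return {version name: True/False} for handshakes pinned to one version each."""
    results = {}
    for name, version in VERSIONS.items():
        try:
            with warnings.catch_warnings():
                warnings.simplefilter("ignore", DeprecationWarning)
                ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
                # Diagnostic only: the certificate is not being evaluated here.
                ctx.check_hostname = False
                ctx.verify_mode = ssl.CERT_NONE
                # Let the local OpenSSL policy offer legacy versions for the test.
                ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
                ctx.minimum_version = version
                ctx.maximum_version = version
            with socket.create_connection((host, port), timeout=timeout) as raw:
                with ctx.wrap_socket(raw, server_hostname=host) as tls:
                    results[name] = tls.version() is not None
        except (ssl.SSLError, OSError, ValueError):
            # Refused version, unreachable port, or version not built into OpenSSL.
            results[name] = False
    return results

def common_protocols(proxy_versions, backend_results):
    """Versions the proxy can speak that the backend also accepted."""
    return sorted(v for v in proxy_versions if backend_results.get(v))

if __name__ == "__main__":
    # Hypothetical host and port; substitute the OneClick HTTPS listener.
    backend = probe("oneclick.example.com", 443)
    # Per the article: the Apache shipped with 10.3 speaks only TLS 1.0 and 1.1.
    shared = common_protocols({"TLSv1.0", "TLSv1.1"}, backend)
    print(backend)
    print("proxy can reach backend over:", shared or "nothing (Proxy Error expected)")
```

An empty result for the proxy's protocol set matches the "Error reading from remote server" symptom; after the Apache replacement, rerun the comparison with the protocols the new proxy is configured to use.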
Additional Information:
Documentation to enable ModSecurity

https://docops.ca.com/ca-spectrum/10-3-0/en/administrating/oneclick-administration/oneclick-server-communications-and-network-configuration/enable-modsecurity-web-application-firewall/