CloudFans

TechTips: SPS and TLS/SSL protocol version

Blog Post created by CloudFans Employee on Dec 22, 2015

If you get this error:

"is not trusted or bad certificate" in the SPS agent trace log, it might not be a certificate issue at all. It might be a protocol issue: SPS is trying to use SSLv3, which is disabled on the target backend web server.

Source: https://wiki.openssl.org/index.php/SSL_and_TLS_Protocols

SSL stands for Secure Sockets Layer and was originally created by Netscape. SSLv2 and SSLv3 are the two public versions of this protocol (SSLv1 was never publicly released). After SSLv3, SSL was renamed to TLS.

TLS stands for Transport Layer Security and started with TLSv1.0 which is an upgraded version of SSLv3.

The latest standard version is TLSv1.2 (http://tools.ietf.org/html/rfc5246), while the upcoming TLS v1.3 is still a draft.

Due to the well-known POODLE vulnerability, SSLv3 is considered harmful.

It is recommended to run TLSv1.0, 1.1 or 1.2 and to fully disable SSLv2 and SSLv3, which have protocol weaknesses.

CA SPS R12.52 SP1 supported TLSv1, using OpenSSL 0.9.8za.

https://support.ca.com/cadocs/0/CA%20SiteMinder%20Secure%20Proxy%20Server%2012%2052%20SP1-ENU/Bookshelf_Files/HTML/idocs/2036912.html?zoom_highlight=tls

CA SPS R12.52 SP2 supports TLSv1, TLSv1.1 and TLSv1.2; it is now called CA Access Gateway (the old name is SPS).

https://docops.ca.com/ca-single-sign-on-1252sp2/en/release-notes/ca-access-gateway-release-notes/changed-features-of-the-ca-access-gateway#ChangedFeaturesoftheCAAccessGateway-SSLv3RestrictedinApache,Tomcat,andHttpClient

----

SSLv3 Restricted in Apache, Tomcat, and HttpClient

CA Access Gateway restricts the use of SSLv3 in Apache, Tomcat, and HTTPClient to fix the SSL Poodle Attack issue. The following changes were done to fix the issue:

Apache: The httpd-ssl.conf file is restricted to support all the SSL protocols except SSLv2 and SSLv3.

Tomcat: The Tomcat configuration section of the server.conf file is restricted to support only the TLSv1, TLSv1.1, TLSv1.2 protocols using the sslEnabledProtocols parameter.

HttpClient: The sslparams section of the server.conf file is restricted to support only the specified versions of the TLSv1 protocol for communication between http-client and back-end web servers.

We recommend that you do not use SSLv3.

----

To understand the documentation above, we need to understand the SPS architecture, which is as follows:

SPS Apache -> SPS Tomcat Proxy-Engine Servlet -> WebAgent talking to Policy Server -> Proxy-Rules -> Noodle -> HttpClient -> Backend Web/App Server

--- Solution ---

If the backend server accepts TLSv1.2 only and rejects TLSv1.0:

Upgrade SPS from SP1 to SP2. However, the official release date of SPS R12.52 SP2 is not confirmed at the moment,

so this cannot be a quick solution.

--- Workaround ---

If the backend server accepts TLSv1.2, TLSv1.1 and TLSv1.0:

There is no need to upgrade SPS, since SP1 already supports TLSv1.0, which is more secure than SSLv3.0.

R12.52 SP1's Server.conf has an sslparams section that controls how HttpClient connects to the backend; it clearly shows that TLSv1 is supported:

<sslparams>
    # Set the SSL protocol version to support: SSLv3, TLSv1
    # NOTE: SSL version 2 is no longer supported
    # old setting:
    #versions="SSLv3"
    # new setting:
    versions="TLSv1"
</sslparams>
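To tell the two failure modes apart before touching any certificates, here is an added Python example (not part of this post and not CA's code): it reads the versions list out of the sslparams section of server.conf (assuming a comma-separated value), then attempts a handshake against the backend pinned to each version and reports a failure as either a certificate problem or a protocol mismatch. The host, port and CA bundle path are whatever your backend uses.

```python
import re
import socket
import ssl

# Names as written in the SPS "versions" setting, mapped to the ssl.TLSVersion
# constant that pins a handshake to that one version (SSLv3 is omitted: current
# OpenSSL builds refuse to negotiate it at all).
PROTOCOLS = {"TLSv1": ssl.TLSVersion.TLSv1, "TLSv1.1": ssl.TLSVersion.TLSv1_1,
             "TLSv1.2": ssl.TLSVersion.TLSv1_2}

def classify_reason(text):
    """Map an OpenSSL error string to 'certificate', 'protocol' or 'other'."""
    text = text.lower()
    if "certificate" in text or "unknown ca" in text or "unknown_ca" in text:
        return "certificate"   # trust-store problem: fix the CA bundle
    if any(k in text for k in ("protocol", "version", "handshake")):
        return "protocol"      # no SSL/TLS version in common with the peer
    return "other"

def enabled_versions(server_conf_text):
    """Return the list from versions="..." in the <sslparams> section."""
    block = re.search(r"<sslparams>(.*?)(?:</sslparams>|\Z)", server_conf_text, re.S)
    for line in (block.group(1).splitlines() if block else []):
        line = line.strip()
        if line.startswith("#"):   # commented-out setting, e.g. the old SSLv3
            continue
        m = re.match(r'versions\s*=\s*"([^"]*)"', line)
        if m:   # assumed comma-separated list
            return [v.strip() for v in m.group(1).split(",") if v.strip()]
    return []

def probe(host, port, name, cafile=None, timeout=5.0):
    """Handshake with the backend pinned to one version: (accepted, detail)."""
    try:
        ctx = ssl.create_default_context(cafile=cafile)  # verification stays on
        ctx.minimum_version = ctx.maximum_version = PROTOCOLS[name]
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return True, tls.version()
    except ssl.SSLCertVerificationError:
        return False, "certificate"
    except ssl.SSLError as exc:   # the local OpenSSL may itself refuse TLSv1
        return False, classify_reason((getattr(exc, "reason", None) or "") + " " + str(exc))
    except (OSError, ValueError):  # refused, timeout, or version unsupported here
        return False, "other"

def common_versions(server_conf_text, host, port, cafile=None):
    """Versions enabled in sslparams that the backend actually accepts."""
    return [v for v in enabled_versions(server_conf_text)
            if v in PROTOCOLS and probe(host, port, v, cafile)[0]]
```

If common_versions() comes back empty while probe() reports "protocol" for every version in the SPS list, the trace-log message is the protocol mismatch described above, not a trust problem.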
