Apache mod_ssl SSLProxyCipherSuite directive does not get applied to NetIQ Access Gateway proxy service

  • 7018372
  • 08-Dec-2016
  • 08-Dec-2016

Environment

NetIQ Access Manager 4.2 SP2
NetIQ Access Manager 4.3

Situation

  • Communication between the NetIQ Access Gateway and a protected web server has been configured to use SSL

  • The SSL connection fails and an HTTP 502 Bad Gateway error message is reported back to the browser client while trying to connect

  • With the Access Gateway proxy running in debug mode, the following error message is reported:
    "SSL Library Error: 336077172 error:14082174:SSL routines:ssl3_check_cert_and_algorithm:dh key too small"

  • The workaround of setting the "SSLProxyCipherSuite" directive in the proxy service Advanced Options does not get applied. Reviewing the handshake shows that the proxy still offers DH cipher suites when sending the SSL Client Hello
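
To confirm this symptom in a debug log, the following added example (not part of the original article or of NetIQ's tooling) extracts "SSL Library Error" lines, checks that the decimal and hex codes agree, and decodes the packed library/function/reason fields. It assumes the OpenSSL 1.0.x error-code layout; the function names and all sample lines other than the error quoted above are constructed.

```python
import re

# Matches the format quoted above: decimal code, then error:<hex>:<lib>:<func>:<reason>
LINE_RE = re.compile(
    r"SSL Library Error: (?P<dec>\d+) "
    r"error:(?P<hex>[0-9A-Fa-f]{8}):(?P<lib>[^:]*):(?P<func>[^:]*):(?P<reason>.*)"
)

def decode_error(code):
    """Split a packed OpenSSL 1.0.x error code: 8-bit library, 12-bit function, 12-bit reason."""
    return {"lib": (code >> 24) & 0xFF, "func": (code >> 12) & 0xFFF, "reason": code & 0xFFF}

def triage(lines):
    """Return one finding per SSL library error line, flagging the 'dh key too small' case."""
    findings = []
    for number, line in enumerate(lines, 1):
        match = LINE_RE.search(line)
        if not match:
            continue
        code = int(match.group("dec"))
        entry = decode_error(code)
        entry.update(
            line=number,
            # The decimal and hex renderings must be the same value; a mismatch
            # means the log line was truncated or altered.
            consistent=(code == int(match.group("hex"), 16)),
            function=match.group("func"),
            text=match.group("reason").strip().rstrip('"'),
        )
        entry["dh_too_small"] = entry["text"] == "dh key too small"
        findings.append(entry)
    return findings

# Constructed sample log: only the second line's error text comes from the article.
SAMPLE_LOG = [
    "[debug] proxy: connecting to back-end web server (constructed line)",
    "[error] SSL Library Error: 336077172 error:14082174:SSL routines:"
    "ssl3_check_cert_and_algorithm:dh key too small",
    "[error] SSL Library Error: 336134278 error:14090086:SSL routines:"
    "ssl3_get_server_certificate:certificate verify failed",
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```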

Resolution

  • On the Reverse Proxy "TCP Listen Options", enable "Enforce 128-Bit Encryption between Access Gateway and Web Server". Any "SSLProxyCipherSuite" setting will be discarded until this option has been enabled.