Layer7 API Management


  • 1.  SSL/TLS issues after 11.2.1 upgrade

    Posted Mar 02, 2026 10:18 AM

    Hi,

    We have appliance gateways on version 11.2 that expose a default SSL key certificate on port 8443 (PKI-signed, RSA 2,048 bits).

    The gateway listen port 8443 is enabled for TLS 1.0, 1.1 and 1.2 (not 1.3).

    After applying the new gateway patch for 11.2.1, we can no longer connect via https on port 8443.
    Seems that there is something with the cipher that is missing.

    On 11.2.1 (not working):
    openssl s_client -connect 127.0.0.1:8443 -tls1_2 -showcerts 2>&1 | grep -E 'Certificate|Cipher|Protocol|alert|error'
    40F7A9B9F67F0000:error:0A000410:SSL routines:ssl3_read_bytes:ssl/tls alert handshake failure:../ssl/record/rec_layer_s3.c:916:SSL alert number 40
    New, (NONE), Cipher is (NONE)
    Protocol: TLSv1.2
        Protocol  : TLSv1.2
        Cipher    : 0000

    On 11.2 (working fine)
    openssl s_client -connect 127.0.0.1:8443 -tls1_2 -showcerts 2>&1 | grep -E 'Certificate|Cipher|Protocol|alert|error'
    Certificate chain
    Client Certificate Types: ECDSA sign, RSA sign, DSA sign
    New, SSLv3, Cipher is AES256-SHA
    Protocol: TLSv1.2
        Protocol  : TLSv1.2
        Cipher    : AES256-SHA

    Has anyone experienced similar issues?

    BR,

    Tony



    -------------------------------------------


  • 2.  RE: SSL/TLS issues after 11.2.1 upgrade

    Broadcom Employee
    Posted Mar 02, 2026 11:23 AM

    Hello Tony,

    Please open a support case, so we can take a look.

    Thanks,



    ------------------------------
    Ben Urbanski
    Product Manager, API Gateway
    Layer7 API Management
    ------------------------------



  • 3.  RE: SSL/TLS issues after 11.2.1 upgrade

    Posted Mar 03, 2026 09:03 AM

    Hi Ben,
    We found the issue to be in the Java 21 security update between 21.0.9 and 21.0.10.

    We have pretty old certificates created with a private key of type RSA, 2,048 bits.
    The TLS_RSA_* cipher suites became disabled by default in the Java 21.0.10 security update.

    In that update, "TLS_RSA_*" was added to the jdk.tls.disabledAlgorithms property in java.security, which causes all TLS_RSA_* suites to be rejected during handshakes by default.

    Changes in
    /opt/SecureSpan/JDK/conf/security/java.security

    before update:

    jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, DTLSv1.0, RC4, DES, \
    MD5withRSA, DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \
    ECDH


    after update:

    jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, DTLSv1.0, RC4, DES, \
    MD5withRSA, DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \
    ECDH, TLS_RSA_*, rsa_pkcs1_sha1 usage HandshakeSignature, \
    ecdsa_sha1 usage HandshakeSignature, dsa_sha1 usage HandshakeSignature

    Practically, this means the change took effect when we upgraded from Gateway version 11.2.0, which used Java 21.0.9 (which allowed the TLS_RSA_* suites), to version 11.2.1, which uses Java 21.0.10 and disallows them.

    The problem was solved short-term by allowing that suite again in java.security, and long-term by generating new keys/certs with EC signatures.

    /T;

    -------------------------------------------
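    The following is an added example, not code from the thread or from the Layer7 product: it models how the jdk.tls.disabledAlgorithms property described above is applied to a listen port's cipher suites, using the two java.security values quoted in the post. It assumes (as a constructed scenario) that port 8443 was configured with RSA key-exchange suites only, and that the openssl client offered one ECDHE suite plus the AES256-SHA suite seen in the s_client output. The suite-matching rule is a simplified model of the JSSE check, and the extra run with an ECDHE_RSA suite goes beyond the thread to show that the TLS_RSA_* glob targets RSA key exchange, not the RSA certificate itself.

```python
"""Added example (not from the thread): model how Java's jdk.tls.disabledAlgorithms
property filters a listen port's TLS cipher suites, and why adding TLS_RSA_* empties
the list when only RSA key-exchange suites are configured."""
import fnmatch

# Constructed excerpts, copied from the before/after values quoted in the thread.
JAVA_SECURITY_BEFORE = """\
jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, DTLSv1.0, RC4, DES, \\
    MD5withRSA, DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \\
    ECDH
"""

JAVA_SECURITY_AFTER = """\
jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, DTLSv1.0, RC4, DES, \\
    MD5withRSA, DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \\
    ECDH, TLS_RSA_*, rsa_pkcs1_sha1 usage HandshakeSignature, \\
    ecdsa_sha1 usage HandshakeSignature, dsa_sha1 usage HandshakeSignature
"""

# Assumption: the 8443 listen port was configured with RSA key-exchange suites only.
PORT_8443_SUITES = [
    "TLS_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
]

# IANA suite name -> OpenSSL name, so results can be compared with s_client output.
IANA_TO_OPENSSL = {
    "TLS_RSA_WITH_AES_256_CBC_SHA": "AES256-SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA": "AES128-SHA",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384": "ECDHE-RSA-AES256-GCM-SHA384",
}


def read_property(text, name):
    """Return the value of `name` from java.security-style text, joining
    backslash-continued lines. Returns '' if the key is absent."""
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i].strip()
        if line.startswith(name + "="):
            value = line[len(name) + 1:]
            while value.endswith("\\") and i + 1 < len(lines):
                i += 1
                value = value[:-1] + lines[i].strip()
            return value
        i += 1
    return ""


def parse_disabled(value):
    """Split the property into name/glob entries (these apply to suite names) and
    constraint entries such as 'DH keySize < 1024' or '... usage HandshakeSignature',
    which apply to keys and signatures rather than to cipher-suite names."""
    names, constraints = [], []
    for entry in value.split(","):
        entry = entry.strip()
        if not entry:
            continue
        (constraints if " " in entry else names).append(entry)
    return names, constraints


def suite_disabled(suite, names):
    """Simplified model of the JSSE check: return the entry that disables `suite`,
    or None. A glob entry ('TLS_RSA_*') is matched against the whole suite name;
    a plain entry ('RC4', 'NULL', 'anon', '3DES_EDE_CBC') must appear as a complete
    component of the name, so 'ECDH' does not catch 'TLS_ECDHE_...' suites."""
    padded = f"_{suite}_"
    for name in names:
        if any(ch in name for ch in "*?"):
            if fnmatch.fnmatchcase(suite, name):
                return name
        elif f"_{name}_" in padded:
            return name
    return None


def enabled_suites(java_security_text, configured_suites):
    """Suites the JVM will still accept once jdk.tls.disabledAlgorithms is applied."""
    names, _ = parse_disabled(read_property(java_security_text, "jdk.tls.disabledAlgorithms"))
    return [s for s in configured_suites if suite_disabled(s, names) is None]


def negotiate(java_security_text, server_suites, client_suites):
    """Return the OpenSSL name of the suite a client offering `client_suites` would
    get, or 'handshake_failure' (TLS alert 40) when no enabled suite is shared."""
    for suite in enabled_suites(java_security_text, server_suites):
        if suite in client_suites:
            return IANA_TO_OPENSSL.get(suite, suite)
    return "handshake_failure"


if __name__ == "__main__":
    # Assumed client offer: a modern ECDHE suite plus the legacy RSA suite seen in the thread.
    client = ["TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_RSA_WITH_AES_256_CBC_SHA"]
    print("11.2.0 / Java 21.0.9 :", negotiate(JAVA_SECURITY_BEFORE, PORT_8443_SUITES, client))
    print("11.2.1 / Java 21.0.10:", negotiate(JAVA_SECURITY_AFTER, PORT_8443_SUITES, client))
    # Same RSA certificate, but an ECDHE_RSA suite is not matched by TLS_RSA_*.
    print("with ECDHE_RSA added  :", negotiate(JAVA_SECURITY_AFTER,
          PORT_8443_SUITES + ["TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"], client))
```

    Run against the "before" value the model negotiates AES256-SHA, exactly what s_client reported on 11.2; against the "after" value the configured list is empty and the only possible outcome is the handshake_failure alert (number 40) seen on 11.2.1. Re-enabling TLS_RSA_* in java.security restores the old behaviour, which is the short-term fix from the post; the extra run shows that a listen port offering forward-secret ECDHE_RSA suites keeps working on the same RSA certificate, which is a less drastic interim step than editing the JDK's disabled-algorithms list.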