"Server Error!" - "Error during SSL handshake with remote server"

  • 7017010
  • 20-Nov-2015
  • 20-Nov-2015

Environment

NetIQ Access Manager 4.1
Access Manager 4.0.1 upgraded to Access Manager 4.1.1

Cloud Manager 2.3 upgraded to Cloud Manager 2.4

Situation

Access Manager setup with Access Gateway accelerating the Cloud Manager servers. Everything had been working fine for a year when it was decided to upgrade both the Access Manager and Cloud Manager servers. As soon as this was done, users got the following error when accessing the service:

Server Error!
Error message: The proxy could not handle the request GET /.
Reason: Error during SSL handshake with remote server

All other back end servers (HTTP and HTTPS) worked fine.

Enabling debug logging on the Apache proxy showed the following details:

Nov 19 16:09:13 mysso httpd[8744]: [debug] ssl_engine_kernel.c(1911): OpenSSL: Loop: SSLv3 read server hello A
Nov 19 16:09:13 mysso httpd[8744]: [debug] ssl_engine_kernel.c(1333): Certificate Verification: depth: 2, subject: /O=Entrust.net/OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.)/OU=(c) 1999 Entrust.net Limited/CN=Entrust.net Certification Authority (2048), issuer: /O=Entrust.net/OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.)/OU=(c) 1999 Entrust.net Limited/CN=Entrust.net Certification Authority (2048)
Nov 19 16:09:13 mysso httpd[8744]: [debug] ssl_engine_kernel.c(1333): Certificate Verification: depth: 1, subject: /C=US/O=Entrust, Inc./OU=www.entrust.net/rpa is incorporated by reference/OU=(c) 2009 Entrust, Inc./CN=Entrust Certification Authority - L1C, issuer: /O=Entrust.net/OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.)/OU=(c) 1999 Entrust.net Limited/CN=Entrust.net Certification Authority (2048)
Nov 19 16:09:13 mysso httpd[8744]: [debug] ssl_engine_kernel.c(1333): Certificate Verification: depth: 0, subject: /C=IE/L=Dublin/O=Novell Inc/CN=*.novell.com, issuer: /C=US/O=Entrust, Inc./OU=www.entrust.net/rpa is incorporated by reference/OU=(c) 2009 Entrust, Inc./CN=Entrust Certification Authority - L1C
Nov 19 16:09:13 mysso httpd[8744]: [debug] ssl_engine_kernel.c(1911): OpenSSL: Loop: SSLv3 read server certificate A
Nov 19 16:09:13 mysso httpd[8744]: [debug] ssl_engine_kernel.c(1940): OpenSSL: Exit: error in SSLv3 read server key exchange B
Nov 19 16:09:13 mysso httpd[8744]: [debug] ssl_engine_kernel.c(1940): OpenSSL: Exit: error in SSLv3 read server key exchange B
Nov 19 16:09:13 mysso httpd[8744]: [info] SSL Proxy connect failed
Nov 19 16:09:13 mysso httpd[8744]: [info] SSL Library Error: 269148289 error:100AE081:elliptic curve routines:EC_GROUP_new_by_curve_name:unknown group
Nov 19 16:09:13 mysso httpd[8744]: [info] SSL Library Error: 336121872 error:1408D010:SSL routines:SSL3_GET_KEY_EXCHANGE:EC lib
Nov 19 16:09:13 mysso httpd[8744]: [info] Connection closed to child 0 with abortive shutdown (server mycloud.novell.com:443)
Nov 19 16:09:13 mysso httpd[8744]: [error] (502)Unknown error 502: proxy: pass request body failed to 101.99.1.66:8183 (101.99.1.66)
Nov 19 16:09:13 mysso httpd[8744]: [error] AMEVENTID#1678: proxy: Error during SSL Handshake with remote server returned by /, referer: https://mysso.novell.com/nidp/idff/sso?sid=0&sid=0
Nov 19 16:09:13 mysso httpd[8744]: [error] AMEVENTID#1678: proxy: pass request body failed to 101.99.1.66:8183 (101.99.1.66) from 101.99.1.64 (), referer: https://mysso.novell.com/nidp/idff/sso?sid=0&sid=0
Nov 19 16:09:13 mysso httpd[8744]: [debug] proxy_util.c(2066): proxy: HTTPS: has released connection for (101.99.1.66)

The failure appears to lie with the elliptic-curve ciphers the back-end server selects in its SSL Server Hello. The handshake gets as far as reading and verifying the server certificate chain, then aborts at the ServerKeyExchange message: the Access Gateway's OpenSSL reports "EC_GROUP_new_by_curve_name: unknown group", meaning the upgraded Cloud Manager server has chosen an ECDHE cipher whose named curve this OpenSSL build does not recognise, and the proxy connection is closed with a 502.

Resolution

The issue was fixed by removing elliptic-curve cipher support from SSLProxyCipherSuite, the directive that controls the ciphers the Access Gateway offers on the AG-to-web-server leg (not the browser-to-AG leg). With !ECDH and !ECDSA in the list the gateway never offers an ECDHE suite, so the back end falls back to an RSA key exchange and the unsupported curve is never negotiated:

SSLProxyCipherSuite ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4:HIGH:MEDIUM:!LOW:!EXP:!SSLv2:!aNULL:!EDH:!ECDH:!ECDSA:!AESGCM:!eNULL:!NULL