
Communication error when using SSL to Back-end systems

Affects version(s): 
4.2.5
4.2.6

This article is obsolete if you have installed the "Heartbleed" hotfix (4.2.6: HF4220 / 5.0: HF5001), because the problems described in this article have been resolved in OpenSSL 1.0.1g.

With Airlock 4.2.5, the behavior of back-end SSL connections changed due to an upgrade of the openssl and libcurl versions. In a few cases, it is possible that no SSL connection can be established, resulting in communication errors similar to this:
Web-Requests Usage [ID 748625 user.warning] m:WR-SG-BACK-502 Communication error (35: SSL connect error; error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol) (errno:0: Error 0) during backend request ...

To solve this problem, introduce the following line in the Airlock Configuration Center - Expert Settings - Security Gate:

SecurityGateway * BackendSSLVersion           "SSLv3"
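Before changing BackendSSLVersion, it helps to know which back-end hosts actually fail the handshake and why. The following script is an added example (not Airlock code) that scans WR-SG-BACK-502 lines for an OpenSSL error code, unpacks that code into OpenSSL's library/function/reason numbers (140770FC is SSL library 20, function 119 SSL23_GET_SERVER_HELLO, reason 252 unknown protocol), and counts failures per back-end host. The log lines are constructed samples; the URL after "during backend request" is a placeholder because the article truncates it, and the hint texts are my reading of the reason codes in light of the settings described in this article.

```python
import re
from collections import Counter
from urllib.parse import urlparse
# Constructed sample lines in the syslog format quoted above. The text after
# "during backend request" is a placeholder, since the article truncates it.
SAMPLE_LOG = """\
Web-Requests Usage [ID 748625 user.warning] m:WR-SG-BACK-502 Communication error (35: SSL connect error; error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol) (errno:0: Error 0) during backend request https://backend-a.example:443/app
Web-Requests Usage [ID 748625 user.warning] m:WR-SG-BACK-502 Communication error (35: SSL connect error; error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol) (errno:0: Error 0) during backend request https://backend-a.example:443/login
Web-Requests Usage [ID 748625 user.warning] m:WR-SG-BACK-502 Communication error (35: SSL connect error; error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure) (errno:0: Error 0) during backend request https://backend-b.example:8443/
Web-Requests Usage [ID 748625 user.warning] m:WR-SG-BACK-502 Communication error (7: Couldn't connect to server) (errno:0: Error 0) during backend request https://backend-c.example:443/
"""

# Interpretation of the two OpenSSL reason codes (SSL_R_*) seen with this issue.
REASON_HINTS = {
    252: "unknown protocol: reply was not an SSL/TLS record; pin BackendSSLVersion",
    1040: "handshake failure alert: offered version/ciphers rejected; check BackendSSLCipherSuite",
}

LINE_RE = re.compile(
    r"m:WR-SG-BACK-(?P<status>\d+) Communication error "
    r"\((?P<curl_code>\d+): (?P<curl_msg>[^;]+); "
    r"error:(?P<ossl_code>[0-9A-Fa-f]{8}):(?P<lib>[^:]+):(?P<func>[^:]+):(?P<reason>[^)]+)\)"
    r".*?during backend request (?P<url>\S+)"
)

def decode_openssl_error(code_hex):
    """Unpack an OpenSSL 1.0.x error code: lib (8 bits) | func (12 bits) | reason (12 bits)."""
    code = int(code_hex, 16)
    return {"lib": code >> 24, "func": (code >> 12) & 0xFFF, "reason": code & 0xFFF}

def parse_backend_ssl_errors(log_text):
    """One event per back-end communication error that carries an OpenSSL error code."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # non-SSL failures (e.g. plain TCP connect errors) are skipped
        decoded = decode_openssl_error(m["ossl_code"])
        events.append({
            "host": urlparse(m["url"]).hostname,
            "curl_code": int(m["curl_code"]),
            "func": m["func"],
            "reason": m["reason"],
            "decoded": decoded,
            "hint": REASON_HINTS.get(decoded["reason"], "unrecognised reason code"),
        })
    return events

def summarize(events):
    """Count handshake failures per back-end host and OpenSSL reason text."""
    return Counter((e["host"], e["reason"]) for e in events)
```

Feed it the Security Gate log instead of SAMPLE_LOG; hosts that only ever report "unknown protocol" are the candidates for a per-back-end-group BackendSSLVersion setting rather than a global one.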

Behavior Airlock 4.2.4 vs. 4.2.5

Airlock 4.2.4 uses OpenSSL 1.0.0e and libcurl 7.22.0
By default, the SSL handshake tries to establish the connection with TLSv1.0, then SSLv3. If it is not possible to establish a connection with one of these two SSL protocols, then an error occurs.

Airlock 4.2.5 uses OpenSSL 1.0.1 / libcurl 7.24.0
By default the SSL handshake tries to establish the SSL connection in this sequence: TLSv1.2 > TLSv1.1 > TLSv1.0 > SSLv3. If it is not possible to establish a connection with one of these SSL protocols, an error occurs (see example above).

Known incompatibility

When SSL is used between Airlock 4.2.4 and e.g. F5 BIG-IP systems with versions < 11.x, SSL session resumption (SSL resume) misbehaves. With Airlock 4.2.5 instead of Airlock 4.2.4, it is not even possible to establish an SSL connection, resulting in the communication error shown above.

Known systems with possible incompatibility are BEA WebLogic, RSA and F5 BIG-IP (version < 11.x).
The same problem may occur when other back-end systems are used for SSL termination.

New settings in Airlock 4.2.5

New SSL settings were introduced with Airlock 4.2.5 to handle this issue. The settings are described below:

This setting explicitly sets the SSL version which should be used. The default value is "DEFAULT"; for the resulting behavior see above. Other possible settings are: "SSLv2", "SSLv3" and "TLSv1".

SecurityGateway * BackendSSLVersion           "DEFAULT"

The following setting can be used to specify the back-end SSL cipher list, e.g. "ALL:!aNULL:!eNULL". See also http://www.openssl.org/docs/apps/ciphers.html. The default value is "DEFAULT". Other possible settings are e.g. "SSLv2", "SSLv3" or "TLSv1".

SecurityGateway * BackendSSLCipherSuite       "DEFAULT"

The following setting controls whether back-end SSL sessions are resumed. The default is "FALSE", which means that SSL session resume is enabled.

SecurityGateway * BackendSSLForceNewSession   "FALSE"

The following settings are also available for specific back-end groups:

SecurityGateway * BackendGroup.[backendGroup].BackendSSLVersion
SecurityGateway * BackendGroup.[backendGroup].BackendSSLCipherSuite
SecurityGateway * BackendGroup.[backendGroup].BackendSSLForceNewSession
