Troubleshooting
Problem
With firmware version 4.0.0, the default behavior has changed: when the DataPower appliance acts as the SSL client, it rejects connections to insecure servers. An insecure server is a server that does not support RFC 5746. You can allow connections to insecure servers with a new option in the SSL Proxy Profile.
Symptom
Starting with DataPower firmware 4.0.0, connections to servers which do not support RFC 5746 are rejected.
The log shows the following error:
SSL handshake aborted due to detection of insecure SSL server
Cause
The default behavior, starting with firmware 4.0.0, is to reject connections with insecure servers.
Environment
DataPower firmware 4.0.0 with connections to insecure servers.
Resolving The Problem
If you have such failures, patch the insecure server to support RFC 5746. As a temporary fix, until you patch the insecure server, configure the appliance to permit insecure connections by turning on "Permit Connections to Insecure SSL Servers" in the SSL proxy profile.
To allow connections to servers which do not support RFC 5746, complete the following steps:
- From the DataPower WebGUI, navigate to Objects > Crypto Configuration > SSL Proxy Profile.
- Select the SSL Proxy Profile from the list.
- Set Permit Connections to Insecure SSL Servers to on.
- Click Apply.
- Click Save Config.
For an XML Firewall with a client crypto profile:
- Click the XML Firewall icon on the Control Panel.
- Select the XML Firewall service to edit.
- Click the Advanced tab.
- Set Permit Connections to Insecure SSL Servers to on.
- Click Apply.
- Optional: Click Save Config.
Without a defined client crypto profile, the Permit Connections to Insecure SSL Servers property is not available.
DataPower scripts can be implemented to automatically restore the setting to what it was before the 4.0.x.x upgrade, instead of making manual changes through the WebGUI or SSH.
Document Information
Modified date: 08 June 2021
UID: swg21497539