IBM Support

IBM DataPower firmware version 6.0 will enable TLS v1.2 or v1.1 by default

Question & Answer


Question

Why would some outgoing SSL handshakes fail with firmware version 6.0 but not prior firmware versions?

Cause

Beginning with firmware version 6.0, the default SSL settings have changed: Crypto Profiles now enable TLSv1.2 and TLSv1.1 by default. This changes the protocol version that DataPower advertises in the Client Hello when it acts as the SSL client. A compliant server that does not support TLSv1.2 still negotiates down to the most secure protocol that both sides have enabled (for example TLSv1.1, TLSv1.0, or SSLv3).

Some legacy servers with non-compliant SSL implementations reject the connection outright when the Client Hello offers TLSv1.2 or TLSv1.1. In these cases the handshake fails instead of negotiating a mutually supported protocol.
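The two behaviours described above, a compliant server negotiating down and a non-compliant server aborting, are illustrated here with an added example that is not part of the original IBM note and does not use DataPower code. It builds a minimal ClientHello record (constructed input, not a real capture), extracts the offered client_version the way you would when reading a packet trace, and models both server behaviours in negotiate(); the record layout follows RFC 5246, and the version-intolerant model is an assumption about how such legacy servers fail.

```python
import struct

# TLS protocol version codes as they appear on the wire (major, minor).
VERSIONS = {
    "SSLv3": (3, 0),
    "TLSv1.0": (3, 1),
    "TLSv1.1": (3, 2),
    "TLSv1.2": (3, 3),
}
NAMES = {code: name for name, code in VERSIONS.items()}


def build_client_hello(client_version, cipher_suites=(0x002F, 0x0035)):
    """Build a minimal ClientHello record (constructed test input, not a DataPower capture).

    client_version is the highest protocol version the client offers, as a
    (major, minor) tuple such as VERSIONS["TLSv1.2"].
    """
    body = bytes(client_version)                  # client_version
    body += b"\x00" * 32                          # random (zeroed for the example)
    body += b"\x00"                               # session_id length 0
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                           # one compression method: null
    body += b"\x00\x00"                           # no extensions
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type 1 = ClientHello
    # The record-layer version is conventionally TLS 1.0; the value that drives
    # negotiation is client_version inside the handshake message.
    return (b"\x16" + bytes(VERSIONS["TLSv1.0"])
            + struct.pack("!H", len(handshake)) + handshake)


def parse_client_hello(data):
    """Return the record version, offered client_version and cipher suites of a ClientHello."""
    if data[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    record_version = (data[1], data[2])
    record_len = struct.unpack("!H", data[3:5])[0]
    hs = data[5:5 + record_len]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    client_version = (body[0], body[1])
    pos = 2 + 32                                  # skip client_version and random
    sid_len = body[pos]
    pos += 1 + sid_len                            # skip session_id
    suites_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", body[i:i + 2])[0]
              for i in range(pos, pos + suites_len, 2)]
    return {
        "record_version": NAMES.get(record_version, record_version),
        "client_version": NAMES.get(client_version, client_version),
        "cipher_suites": suites,
    }


def negotiate(client_version_name, server_enabled, version_intolerant=False):
    """Model the server's choice of protocol version.

    A compliant server picks the highest version it has enabled that does not
    exceed the offered client_version.  A version-intolerant server (assumed
    model of the legacy servers the note describes) aborts as soon as the
    offered version is newer than anything it understands.
    """
    offered = VERSIONS[client_version_name]
    enabled = sorted(VERSIONS[v] for v in server_enabled)
    if version_intolerant and offered > enabled[-1]:
        return None                               # handshake fails outright
    acceptable = [v for v in enabled if v <= offered]
    return NAMES[acceptable[-1]] if acceptable else None


if __name__ == "__main__":
    hello = build_client_hello(VERSIONS["TLSv1.2"])    # what a 6.0 default profile offers
    print("offered:", parse_client_hello(hello)["client_version"])
    legacy = ["SSLv3", "TLSv1.0"]
    print("compliant legacy server   ->", negotiate("TLSv1.2", legacy))
    print("intolerant legacy server  ->", negotiate("TLSv1.2", legacy, version_intolerant=True))
    print("same server, TLSv1.0 offer->", negotiate("TLSv1.0", legacy, version_intolerant=True))
```

The last two calls show why disabling TLSv1.2 and TLSv1.1 in the Crypto Profile works around the failure: the intolerant server only rejects the handshake when the offered version exceeds what it supports.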

TLS versions 1.1 and 1.2 are among the requirements for compliance with NIST SP 800-131A.

Answer

Upgrade the SSL server to an implementation that complies with the SSL/TLS specifications. If required, you can disable TLSv1.2 and TLSv1.1 within the Crypto Profile to restore compatibility.

Within the domain, navigate to Objects > Crypto Configuration > Crypto Profile, then click the specific profile to view the Options section, which shows which SSL protocol versions are enabled.
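Before disabling TLSv1.2 and TLSv1.1 in a Crypto Profile (which also moves the profile away from the NIST SP 800-131A settings the note mentions), it helps to confirm that the remote server really is version-intolerant rather than failing for some other reason. The following probe is an added example, not IBM or DataPower code, and is written for a workstation with Python 3.7 or later rather than for the appliance; the host and port are supplied on the command line, and the TLS 1.0 attempt assumes the local OpenSSL build still permits that version. It repeats the handshake while capping the offered version, mirroring first the 6.0 default and then a profile with the newer versions disabled.

```python
import socket
import ssl
import sys

# Highest version to offer on each attempt, newest first.  The first attempt
# mirrors the firmware 6.0 default (TLSv1.2 in the Client Hello); the later
# ones mirror a Crypto Profile with TLSv1.2 and TLSv1.1 disabled.
ATTEMPTS = [
    ("TLSv1.2", ssl.TLSVersion.TLSv1_2),
    ("TLSv1.1", ssl.TLSVersion.TLSv1_1),
    ("TLSv1.0", ssl.TLSVersion.TLSv1),
]


def probe(host, port, max_version, timeout=5.0):
    """Attempt one handshake offering at most max_version; return (ok, detail)."""
    try:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE          # we are diagnosing the handshake, not trust
        ctx.minimum_version = ssl.TLSVersion.TLSv1
        ctx.maximum_version = max_version
        try:
            ctx.set_ciphers("DEFAULT:@SECLEVEL=0")   # let OpenSSL offer legacy suites too
        except ssl.SSLError:
            pass                                  # older OpenSSL without security levels
    except (ValueError, ssl.SSLError) as exc:     # local OpenSSL refuses this version
        return False, f"local TLS stack: {exc}"
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return True, tls.version()        # e.g. "TLSv1.2"
    except (ssl.SSLError, OSError) as exc:
        return False, str(exc)


def classify(results):
    """Interpret a list of (offered_max, ok) pairs ordered newest-first.

    'compliant'   -> the highest offer succeeded; the server negotiated normally.
    'intolerant'  -> a newer offer failed but an older one succeeded, which is
                     the behaviour the note attributes to non-compliant servers
                     and the only case where trimming the Crypto Profile helps.
    'unreachable' -> nothing succeeded; look beyond the protocol version
                     (certificates, cipher suites, network path).
    """
    if results[0][1]:
        return "compliant"
    if any(ok for _, ok in results[1:]):
        return "intolerant"
    return "unreachable"


def run(host, port):
    """Probe host:port with each capped offer and return the verdict from classify()."""
    results = []
    for name, version in ATTEMPTS:
        ok, detail = probe(host, port, version)
        results.append((name, ok))
        status = f"ok, negotiated {detail}" if ok else f"FAILED: {detail}"
        print(f"offer up to {name}: {status}")
    return classify(results)


if __name__ == "__main__":
    target_host = sys.argv[1] if len(sys.argv) > 1 else "server.example"   # placeholder host
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    print("verdict:", run(target_host, target_port))
```

An "intolerant" verdict reproduces the symptom in this note from outside the appliance, and the attempt that succeeded tells you which versions the Crypto Profile must leave enabled; a "compliant" or "unreachable" verdict means changing the profile's protocol options will not fix the failure, and a packet trace is the next step.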

For any further questions or issues, contact DataPower support. A packet trace and an error report are the most helpful information for diagnosing the problem.


Document Information

Modified date: 15 June 2018

UID: swg21632275