KB Article #176704

SSL connection error: Decrypt error [fatal]

Problem

When establishing a connection using SSL it fails with the following error: decrypt error [fatal]

Example API Gateway trace output:

DEBUG 11/8/14 08:34:22.345    run filter [Connect to External URL] {
DEBUG 11/8/14 08:34:22.345    get connection to host services.test.com port 443 scheme https
DEBUG 11/8/14 08:34:22.397    connected to xx.xx.xx.xx:443
DEBUG 11/8/14 08:34:22.397    new connection 0x7fa0e832cd00, settings source statically configured on remote host (allow 1.1=no, idleTimeout=15000, activeTimeout=30000, needContentLengthRes=0, needContentLengthReq=0)
DEBUG 11/8/14 08:34:22.397    push SSL protocol on to connection
DATA  11/8/14 08:34:22.397   [SSL_connect, 0x5000] before/connect initialization.
DATA  11/8/14 08:34:22.397   [SSL_connect, 0x1210] SSLv2/v3 write client hello A.
DEBUG 11/8/14 08:34:22.506   No SSL host name provided, defaulting to certificate: { subject: /C=IRL/L=Dublin/O=MyCompany/CN=myserverA }.
DATA  11/8/14 08:34:22.506   [SSL_connect, 0x1120] SSLv3 read server hello A.
DATA  11/8/14 08:34:22.506   [SSL verify_cb, 0x1d] subject issuer mismatch, { subject: /C=US/ST=Florida/L=Miami/O=AquaParts/CN=backendserverA }.
DATA  11/8/14 08:34:22.507   [SSL verify_cb, 0x1d] subject issuer mismatch, { subject: /C=CH/O=SwissSign AG/CN=SwissSign Gold CA - G2 }.
ERROR 11/8/14 08:34:22.507   [SSL verify_cb, 0x7] certificate signature failure, { subject: /C=US/O=AffirmTrust/CN=AffirmTrust Commercial }.
DEBUG 11/8/14 08:34:22.507   cert verifier for require presented cert to match destination server's hostname: 0
DEBUG 11/8/14 08:34:22.507   cert verifier for require CA cert from chain to be in context: 0
ERROR 11/8/14 08:34:22.507   [SSL alert write 0x233, 0x1131]: decrypt error [fatal] { subject: /C=US/O=AffirmTrust/CN=AffirmTrust Commercial }.
ERROR 11/8/14 08:34:22.507   [SSL_connect, 0x1131]: error - certificate signature failure { subject: /C=US/O=AffirmTrust/CN=AffirmTrust Commercial }.
DEBUG 11/8/14 08:34:22.507   delete connection 0x7fa0e832cd00, current transaction (nil)
DEBUG 11/8/14 08:34:22.507   Adding MessageListener: com.vordel.circuit.net.ConnectionProcessor$1@190c266e
DEBUG 11/8/14 08:34:22.507   connection processor made 1 attempts to transact
DEBUG 11/8/14 08:34:22.507   } = 2, filter [Connect to External URL]
DEBUG 11/8/14 08:34:22.507  Filter [Connect to External URL] completes in 89 milliseconds.
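As an added example (not part of the original article or of Axway's own tooling), a stdlib-only Python triage helper for this trace format: it separates the DATA-level verify_cb lines (OpenSSL reporting subject/issuer mismatches while it walks the chain) from the ERROR-level one that is the actual cause, decodes the alert value 0x233 as a fatal decrypt_error alert (RFC 5246 numbering), and flags the combination this article describes. The regular expressions and the X509_V_ERR_/alert code tables are my assumptions based on OpenSSL's and TLS's documented values; whether a Cavium card and 4096-bit keys are in play still has to be checked on the appliance itself.

```python
import re

# OpenSSL X509_V_ERR_* codes printed by the gateway in "[SSL verify_cb, 0x..]" lines
X509_VERIFY_CODES = {0x07: "X509_V_ERR_CERT_SIGNATURE_FAILURE",
                     0x1D: "X509_V_ERR_SUBJECT_ISSUER_MISMATCH"}
# TLS alert descriptions (RFC 5246); the trace encodes "0x233" as level 2 (fatal) << 8 | 0x33
TLS_ALERTS = {0x28: "handshake_failure", 0x2A: "bad_certificate",
              0x2E: "certificate_unknown", 0x33: "decrypt_error"}

LINE_RE = re.compile(r"^(?P<level>DEBUG|DATA|ERROR)\s+\S+\s+\S+\s+(?P<msg>.*)$")
VERIFY_RE = re.compile(r"\[SSL verify_cb, 0x(?P<code>[0-9a-f]+)\]\s*(?P<text>[^,{]+),?"
                       r"\s*\{ subject: (?P<subject>[^}]+?) \}", re.I)
ALERT_RE = re.compile(r"\[SSL alert write 0x(?P<alert>[0-9a-f]+), 0x[0-9a-f]+\]: "
                      r"(?P<text>[^{]+?) \{ subject: (?P<subject>[^}]+?) \}", re.I)

# Constructed sample: the relevant lines of the trace shown in this article
SAMPLE_TRACE = """\
DATA  11/8/14 08:34:22.506   [SSL_connect, 0x1120] SSLv3 read server hello A.
DATA  11/8/14 08:34:22.506   [SSL verify_cb, 0x1d] subject issuer mismatch, { subject: /C=US/ST=Florida/L=Miami/O=AquaParts/CN=backendserverA }.
DATA  11/8/14 08:34:22.507   [SSL verify_cb, 0x1d] subject issuer mismatch, { subject: /C=CH/O=SwissSign AG/CN=SwissSign Gold CA - G2 }.
ERROR 11/8/14 08:34:22.507   [SSL verify_cb, 0x7] certificate signature failure, { subject: /C=US/O=AffirmTrust/CN=AffirmTrust Commercial }.
ERROR 11/8/14 08:34:22.507   [SSL alert write 0x233, 0x1131]: decrypt error [fatal] { subject: /C=US/O=AffirmTrust/CN=AffirmTrust Commercial }.
"""


def triage_ssl_trace(trace: str) -> dict:
    """Split verify-callback lines into the fatal ERROR-level cause and the DATA-level
    chain-walking noise, decode the alert sent to the peer, and flag the signature
    this article describes (cert signature failure followed by a fatal decrypt error)."""
    fatal, informational, alert = [], [], None
    for raw in trace.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        level, msg = m.group("level"), m.group("msg")
        if v := VERIFY_RE.search(msg):
            code = int(v.group("code"), 16)
            entry = {"code": code, "name": X509_VERIFY_CODES.get(code, f"unknown 0x{code:x}"),
                     "text": v.group("text").strip(), "subject": v.group("subject")}
            (fatal if level == "ERROR" else informational).append(entry)
        elif a := ALERT_RE.search(msg):
            value = int(a.group("alert"), 16)
            alert = {"level": "fatal" if value >> 8 == 2 else "warning",
                     "description": TLS_ALERTS.get(value & 0xFF, f"unknown 0x{value & 0xFF:x}"),
                     "text": a.group("text").strip(), "subject": a.group("subject")}
    matches = bool(alert and alert["description"] == "decrypt_error"
                   and any(e["code"] == 0x07 for e in fatal))
    return {"fatal": fatal, "informational": informational, "alert": alert,
            "matches_article": matches}
```

Run `triage_ssl_trace` over a saved trace file; a result with `matches_article` true and the same subject in both the fatal verify_cb entry and the alert is the pattern to check against the Cavium/4096-bit condition in the Resolution below.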

Resolution

If this occurs on an appliance installed with a Cavium cryptographic accelerator and the certificates use 4096-bit key sizes, the cause may be an out-of-date Cavium driver.

To confirm this, disable the Cavium card utilization in the API Gateway as follows:

Rename the ssl-engines.xml file located in /etc/vordel to ssl-engines.xml.1:

mv /etc/vordel/ssl-engines.xml /etc/vordel/ssl-engines.xml.1

Restart the API Gateway. If this resolves the issue, it is advised to update the Cavium drivers by performing a system update via the following command:

NOTE: the command below updates all available system packages of the appliance OS. This is only applicable for Axway API Gateway appliances running Oracle Enterprise Linux.

yum update -x VordelGateway-appliance

To only update the Cavium drivers, run the command below:

yum update Cavium_OEL_Appliance