IBM Support

Configuring TLS 1.2 Client Hello 'signature_algorithms' extension for backend or LDAP connections

Troubleshooting


Problem

Some TLS 1.2 servers require the 'signature_algorithms' extension as per Section 7.4.1.4.1 of RFC 5246. ISAM does not send this extension by default, which is permissible by the aforementioned RFC.

Symptom

Without this extension, some backend or LDAP servers can go as far as shutting down the connection without responding to the Client Hello.

Environment

ISAM for Web Reverse Proxy using a TLS 1.2 Connection to a backend or LDAP Server

Resolving The Problem

The following GSKit attribute is available to configure the 'signature_algorithms' extension :

[ssl]
# Configure the 'signature_algorithms' extension
jct-gsk-attr-name = string:245:SIG_ALG_LIST

Where 'SIG_ALG_LIST' is a comma separated list (no spaces after comma) that can be comprised using the 'GSKit Signature Algorithm Name' values from the table below :

Hex Values
GSKit Signature Algorithm Name
Common Name
02:01
GSK_TLS_SIGALG_RSA_WITH_SHA1
SHA1withRSA
02:02
GSK_TLS_SIGALG_DSA_WITH_SHA1
SHA1withDSA
02:03
GSK_TLS_SIGALG_ECDSA_WITH_SHA1
SHA1withECDSA
03:01
GSK_TLS_SIGALG_RSA_WITH_SHA224
SHA224withRSA
03:03
GSK_TLS_SIGALG_ECDSA_WITH_SHA224
SHA224withECDSA
04:01
GSK_TLS_SIGALG_RSA_WITH_SHA256
SHA256withRSA
04:03
GSK_TLS_SIGALG_ECDSA_WITH_SHA256
SHA256withECDSA
05:01
GSK_TLS_SIGALG_RSA_WITH_SHA384
SHA384withRSA
05:03
GSK_TLS_SIGALG_ECDSA_WITH_SHA384
SHA384withECDSA
06:01
GSK_TLS_SIGALG_RSA_WITH_SHA512
SHA512withRSA
06:03
GSK_TLS_SIGALG_ECDSA_WITH_SHA512
SHA512withECDSA

Only values in the middle column are valid values for this entry.

The order that the values are in defines the order in which the pairs are sent to the server.

The Hex Values represent the values you will see in a network trace in the TLS handshake but are not valid values for the entry. Please do not use them.

RFC 5246 Section 7.4.1.4.1
https://tools.ietf.org/html/rfc5246#section-7.4.1.4.1


An example entry would be similar to :

[ssl]

...

jct-gsk-attr-name = string:245:GSK_TLS_SIGALG_RSA_WITH_SHA256,GSK_TLS_SIGALG_RSA_WITH_SHA1,GSK_TLS_SIGALG_ECDSA_WITH_SHA1


Some directory servers also require the signature algorithms' extension. The following entry is available to enable it in the ldap.conf [ldap] stanza.

[ldap]
...
ldap-ssl-set-extn-sigalg = SIG_ALG_LIST
[{"Product":{"code":"SSPREK","label":"Tivoli Access Manager for e-business"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Component":"Documentation","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"7.0;8.0;8.0.1;9.0;9.0.1;9.0.2;9.0.3","Edition":"","Line of Business":{"code":"LOB24","label":"Security Software"}}]

Document Information

More support for:
Tivoli Access Manager for e-business

Software version:
7.0, 8.0, 8.0.1, 9.0, 9.0.1, 9.0.2, 9.0.3

Document number:
540781

Modified date:
16 June 2018

UID

swg21975958

Manage My Notification Subscriptions

Page Feedback