Does Apigee support calling a TLSv1.3 backend?

We have a backend configured for TLS v1.3. It accepts downgrading the TLS version to TLS 1.2 or TLS 1.1 (tested with different HTTP clients).

This backend is the target of an Apigee proxy. When Apigee calls it, Apigee throws a 502 error, with the following information (trace mode):

error: Bad Gateway

error.cause: ASYNC_EXCEPTION: Received fatal alert: handshake_failure

error.class: com.apigee.errors.http.server.BadGatewaycom.apigee.errors.http.server.ServiceUnavailableException

This Apigee deployment (private cloud) is 4.19.01 and the Apigee components use Java 8.


As of this date (Dec 2019), Java8 out of the box does not include support for TLS1.3. Oracle hasn't provided it. It's not in the OpenJDK either.

Azul systems has produced a TLS1.3 implementation for Java8. https://www.azul.com/press_release/azul-systems-brings-updated-transport-layer-security-to-java-se-8...

It's available as open source, under GPLv2 with the Classpath Exception: https://github.com/openjsse/openjsse

Azul says:

The OpenJSSE project was created to add support for TLS 1.3 to existing Java 8 applications without requiring code changes, and to provide a means to programmatically code to TLS 1.3 and RSASSA-PSS capabilities not directly available via the Java SE 8 APIs.

When using the OpenJSSE JSSE provider, both clients and servers will auto-negotiate TLS 1.3, unless explicitly configured otherwise, while still including full support for all TLS behaviors found in Java SE 8.

To add support to *any* Java app using Azul's OpenJSSE lib:

  1. include the openjsse jar in the classpath (you can download it from maven https://search.maven.org/search?q=g:org.openjsse )
  2. add the OpenJSSE provider to java.security (first position):
     security.provider.1=org.openjsse.net.ssl.OpenJSSE

I haven't tested this. But it should work on OPDK installs. It would be a good idea to contact Apigee support and ask for a specific statement of support for this library, before using it in production.
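An added example (not from this thread, nor part of Apigee or OpenJSSE) that lets you verify on the Apigee node's JVM whether TLSv1.3 is actually offered, before and after the provider change described above. It assumes the openjsse jar is on the classpath when run with `--with-openjsse`; without that flag it only reports what the stock Java 8 runtime supports.

```java
import java.security.Provider;
import java.security.Security;
import java.util.Arrays;
import javax.net.ssl.SSLContext;

/**
 * Reports the TLS protocol versions the running JVM can negotiate and,
 * optionally, registers OpenJSSE at runtime. Registering at position 1
 * is the programmatic equivalent of the java.security edit
 * (security.provider.1=org.openjsse.net.ssl.OpenJSSE) from the reply above.
 *
 * Run:  java -cp openjsse-<version>.jar:. TlsProtocolCheck [--with-openjsse]
 */
public class TlsProtocolCheck {

    /** Provider class name taken from the java.security line in the reply. */
    static final String OPENJSSE_PROVIDER_CLASS = "org.openjsse.net.ssl.OpenJSSE";

    /** Builds a fresh context so the result reflects the current provider list. */
    static SSLContext freshContext() throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, null, null);   // default key/trust managers, default RNG
        return ctx;
    }

    /** True if TLSv1.3 appears among the protocols the JVM can offer in its ClientHello. */
    static boolean supportsTls13() throws Exception {
        String[] supported = freshContext().getSupportedSSLParameters().getProtocols();
        return Arrays.asList(supported).contains("TLSv1.3");
    }

    /** Loads OpenJSSE reflectively (assumed on the classpath) and inserts it first. */
    static void registerOpenJsse() throws Exception {
        Provider p = (Provider) Class.forName(OPENJSSE_PROVIDER_CLASS)
                .getDeclaredConstructor().newInstance();
        Security.insertProviderAt(p, 1);
    }

    public static void main(String[] args) throws Exception {
        if (args.length > 0 && "--with-openjsse".equals(args[0])) {
            registerOpenJsse();
        }
        SSLContext ctx = freshContext();
        System.out.println("SSLContext provider: " + ctx.getProvider().getName());
        System.out.println("Supported protocols: " + Arrays.toString(ctx.getSupportedSSLParameters().getProtocols()));
        System.out.println("Enabled by default:  " + Arrays.toString(ctx.getDefaultSSLParameters().getProtocols()));
        System.out.println("TLSv1.3 available:   " + supportsTls13());
    }
}
```

If the stock run lists TLSv1.2 as the highest version, the handshake_failure above is consistent with the backend refusing the versions this client offers, and the diagnosis belongs on the backend's accepted-version configuration rather than on Apigee alone.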

Thank you for the quick answer.

Our first step is just to connect to this backend using the TLS version downgrade procedure. But it seems that Apigee doesn't support downgrading from v1.3 to v1.2.

Could you confirm that the TLS downgrade (with Apigee as the TLS client) is not supported in this case?

In a second step, I could try this open source library (with the Apigee support team), but this is not the priority for now.

Hi Yann, I don't think I can provide a statement of support. For that you'll need Apigee Support and the product managers. I've asked them to comment on this thread.

Checking back on this topic (I know it's old), but what's the recommendation?

Let me check for you.

@RajeshMishra@Google may have some information.

@dchiesa1 @RajeshMishra Kindly provide an update, if there is any, on TLS 1.3 southbound support from Apigee Edge.