I cannot determine how my TLS version is being overwritten running Java 8 on an AIX machine. Have tried every parameter on the on the command to force it to TLSv1.2.
Every time I execute and look at the "debug" output I get the same ...
*** ClientHello, TLSv1; main, READ: TLSv1 Alert, length = 2
main, RECV TLSv1.2 ALERT: fatal, protocol_version.
I added TLSv1 to the "java_security" file - received a "no protocol available error".
Any suggestions would be greatly appreciated.
Related
I have this SSL issue, I get handshake_failure
http-bio-8080-exec-10, WRITE: TLSv1 Handshake, length = 191
http-bio-8080-exec-10, READ: TLSv1 Alert, length = 2
http-bio-8080-exec-10, RECV TLSv1 ALERT: fatal, handshake_failure
http-bio-8080-exec-10, called closeSocket()
http-bio-8080-exec-10, handling exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
Keep-Alive-Timer, called close()
Keep-Alive-Timer, called closeInternal(true)
Keep-Alive-Timer, SEND TLSv1.2 ALERT: warning, description = close_notify
Keep-Alive-Timer, WRITE: TLSv1.2 Alert, length = 48
Keep-Alive-Timer, called closeSocket(selfInitiated)
Code is Working with no issue on java version "1.8.0_05"
But same code with same SSL certificates is not working on java version "1.7.0_67"
I installed unlimited Crypto on the 1.7 and still facing the same issue.
Unfortunately I cannot upgrade the JDK, Is there any other way around this issue?
I have a problem connecting from my .Net client to Java server, both were changed from TLS1 to TLS1.2.
Both client and server in the same machine, Windows10 64bits.
.Net client created under .Net Framework 4.5, using HttpWebRequest.
Previous the request call I set
ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12
.Net Error "The request was aborted: Could not create SSL/TLS secure channel."
Java using jdk1.8.0_25
Java Error log:
P-86, received EOFException: error
P-86, handling exception: javax.net.ssl.SSLHandshakeException: Remote host
closed connection during handshake
%% Invalidated: [Session-1, TLS_RSA_WITH_AES_128_CBC_SHA256]
P-86, SEND TLSv1.2 ALERT: fatal, description = handshake_failure
P-86, WRITE: TLSv1.2 Alert, length = 2
[Raw write]: length = 7
0000: 15 03 03 00 02 02 28 ......(
P-86, called closeSocket()
P-86, called close()
P-86, called closeInternal(true)
I have changed to different ciphers with no success. Any suggestion to follow ?
thanks
My problem was the certificate.I was using a very old one, I changed it and It works. I'm not clear why, I'm investigating.
Thanks to all.
I have enabled logs in my application using -Djavax.net.debug=all option. Code that have written is supposed to use SSLv3 protocol, but in logs when I am checking it is displaying as ::
*** ClientHello, TLSv1
*** ServerHello, TLSv1
As far as I understand from reading is, Client and Server using TLSv1 for handshake, but as I have used SSLv3 in my code while initiating socket, ideally it should print SSLv3 instead TLSv1.
Below is the code snippet I have used :
SSLContextBuilder builder = new SSLContextBuilder();
builder.useProtocol("SSLv3");
SSLContext sslContext = builder.build();
Can someone please clarify the reason for the same, or is there something else I have missed out. Just to add on I am on Java 7.
Most probably SSLv3 is just not supported by server (which is recommended configuration nowadays because of security), so the lib uses least supported TLS version.
UPD: seems that hello format says nothing about what protocol will be used in fact. There's something from Java docs:
Currently, the SSLv3, TLSv1, and TLSv1.1 protocols allow you to send SSLv3, TLSv1, and TLSv1.1 hellos encapsulated in an SSLv2 format hello. For more details on the reasons for allowing this compatibility in these protocols, see Appendix E in the appropriate RFCs (previously listed).
Note that some SSL/TLS servers do not support the v2 hello format and require that client hellos conform to the SSLv3 or TLSv1 client hello formats.
The SSLv2Hello option controls the SSLv2 encapsulation. If SSLv2Hello is disabled on the client, then all outgoing messages will conform to the SSLv3/TLSv1 client hello format. If SSLv2Hello is disabled on the server, then all incoming messages must conform to the SSLv3/TLSv1 client hello format.
I'm trying web sevice security with Java and Glassfish 3.1: I configured an Hello World web service to run on https listener of Glassfish (on port 8181) by setting "Transport Guarantee" of endpoint of web service to CONFIDENTIAL.
After this I edited web service Attributes and I enabled Secure Service with Transport Security (SSL) Mechanism. I'm using a trusted certificate signed by Comodo.
In web service client creation I have no errors, but when I launch my test application, I get this error:
%% Cached client session: [Session-1, TLS_DHE_RSA_WITH_AES_128_CBC_SHA]
main, WRITE: TLSv1 Application Data, length = 320
main, WRITE: TLSv1 Application Data, length = 32
main, WRITE: TLSv1 Application Data, length = 1328
main, READ: TLSv1 Application Data, length = 768
main, READ: TLSv1 Application Data, length = 32
main, READ: TLSv1 Application Data, length = 320
main, READ: TLSv1 Application Data, length = 32
main, READ: TLSv1 Application Data, length = 32
main, called close()
main, called closeInternal(true)
main, SEND TLSv1 ALERT: warning, description = close_notify
main, WRITE: TLSv1 Alert, length = 32
main, called closeSocket(selfInitiated)
Exception in thread "main" javax.xml.ws.soap.SOAPFaultException: Invalid Security Header
at com.sun.xml.ws.fault.SOAP11Fault.getProtocolException(SOAP11Fault.java:189)
at com.sun.xml.ws.fault.SOAPFaultBuilder.createException(SOAPFaultBuilder.java:122)
at com.sun.xml.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:119)
at com.sun.xml.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:89)
at com.sun.xml.ws.client.sei.SEIStub.invoke(SEIStub.java:140)
at $Proxy43.helloWorld(Unknown Source)
at wss_test.WSS_Test.helloWorld(WSS_Test.java:31)
at wss_test.WSS_Test.main(WSS_Test.java:19)
Java Result: 1
I tried to manage urls and certificate but the result doesn't change. Which is my error? How can I resolve my issue?
Thanks in advance.
Mephysto
I'm using:
not-yet-commons-ssl-0.3.9.jar
opensaml-2.3.1.jar
I'm getting the following error in my logs:
SSLException: Received fatal alert: unexpected_message
Turning on SSLDebug gives the following:
TP-Processor2, READ: TLSv1 Alert, length = 2
TP-Processor2, RECV TLSv1 ALERT: fatal, unexpected_message
TP-Processor2, called closeSocket()
TP-Processor2, handling exception: javax.net.ssl.SSLException: Received fatal alert: unexpected_message
%% Client cached [Session-40, SSL_RSA_WITH_RC4_128_MD5]
%% Try resuming [Session-40, SSL_RSA_WITH_RC4_128_MD5] from port 2903
*** ClientHello, TLSv1
The behaviour is that SSL connections work for five minutes - and then they fail with the message above. My guess is that this is an SSL session cache issue.
Has anyone resolved this?
So it turned out that bouncy-castle (a jar dependency of opensaml) adds a bunch of extra ciphers into the SSL negotiation. The TIBCO server has a spew at these extra ciphers. Rolling back the Bouncy Castle Jar to 1.3.5 (pre-elliptic SLL Ciphers) solved this issue.