Reputation: 11
Got SSLHandshakeException when doing a GET request from wildfly 9.0.2.Final (client) to WAS 8.5.5.7 (server)
Client wildfly full 9.0.2.Final
java version "1.7.0_131" Java(TM) SE Runtime Environment (build 1.7.0_131-b12) Java HotSpot(TM) 64-Bit Server VM (build 24.131-b12, mixed mode)
Server IBM webSphere 8.5.5.7 (SSL_TLS in ssl configuration)
java version "1.7.0" Java(TM) SE Runtime Environment (build pxa6470_27sr2fp10-20141218_02(SR2 FP10)) IBM J9 VM (build 2.7, JRE 1.7.0 Linux amd64-64 Compressed References 20141215_227395 (JIT enabled, AOT enabled) J9VM - R27_Java727_SR2_20141215_1631_B227395 JIT - tr.r13.java_20141003_74587.07 GC - R27_Java727_SR2_20141215_1631_B227395_CMPRSS J9CL - 20141215_227395) JCL - 20141217_01 based on Oracle jdk7u75-b12
-Djavax.net.debug=ssl:handshake is used
Client output:
2017-10-17 14:55:38,874 INFO [stdout] ([application]-server-thread-3) [application]-server-thread-3, setSoTimeout(0) called
2017-10-17 14:55:38,874 INFO [stdout] ([application]-server-thread-3) Allow unsafe renegotiation: false
2017-10-17 14:55:38,874 INFO [stdout] ([application]-server-thread-3) Allow legacy hello messages: true
2017-10-17 14:55:38,874 INFO [stdout] ([application]-server-thread-3) Is initial handshake: true
2017-10-17 14:55:38,874 INFO [stdout] ([application]-server-thread-3) Is secure renegotiation: false
2017-10-17 14:55:38,876 INFO [stdout] ([application]-server-thread-3) %% No cached client session
2017-10-17 14:55:38,876 INFO [stdout] ([application]-server-thread-3) *** ClientHello, TLSv1.2
2017-10-17 14:55:38,878 INFO [stdout] ([application]-server-thread-3) RandomCookie: GMT: 1491398330 bytes = { 127, 152, 179, 107, 241, 111, 83, 100, 130, 161, 79, 60, 11, 160, 102, 93, 97, 100, 20, 238, 3, 103, 143, 176, 164, 81, 92, 146 }
2017-10-17 14:55:38,878 INFO [stdout] ([application]-server-thread-3) Session ID: {}
2017-10-17 14:55:38,878 INFO [stdout] ([application]-server-thread-3) Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
2017-10-17 14:55:38,878 INFO [stdout] ([application]-server-thread-3) Compression Methods: { 0 }
2017-10-17 14:55:38,878 INFO [stdout] ([application]-server-thread-3) Extension elliptic_curves, curve names: {secp256r1, secp384r1, secp521r1, sect283k1, sect283r1, sect409k1, sect409r1, sect571k1, sect571r1, secp256k1}
2017-10-17 14:55:38,879 INFO [stdout] ([application]-server-thread-3) Extension ec_point_formats, formats: [uncompressed]
2017-10-17 14:55:38,879 INFO [stdout] ([application]-server-thread-3) Extension signature_algorithms, signature_algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA, SHA256withDSA, SHA224withECDSA, SHA224withRSA, SHA224withDSA, SHA1withECDSA, SHA1withRSA, SHA1withDSA
2017-10-17 14:55:38,879 INFO [stdout] ([application]-server-thread-3) ***
2017-10-17 14:55:38,879 INFO [stdout] ([application]-server-thread-3) [application]-server-thread-3, WRITE: TLSv1.2 Handshake, length = 153
2017-10-17 14:55:38,879 INFO [stdout] ([application]-server-thread-3) [application]-server-thread-3, READ: TLSv1 Handshake, length = 2038
2017-10-17 14:55:38,880 INFO [stdout] ([application]-server-thread-3) *** ServerHello, TLSv1
2017-10-17 14:55:38,881 INFO [stdout] ([application]-server-thread-3) RandomCookie: GMT: 1491398330 bytes = { 150, 254, 235, 181, 113, 144, 110, 25, 221, 21, 250, 17, 160, 13, 69, 97, 228, 152, 63, 32, 209, 40, 157, 235, 245, 153, 134, 74 }
2017-10-17 14:55:38,882 INFO [stdout] ([application]-server-thread-3) Session ID: {89, 229, 239, 186, 146, 242, 123, 118, 227, 212, 229, 33, 177, 102, 106, 105, 0, 235, 87, 149, 115, 254, 5, 134, 165, 238, 96, 176, 240, 230, 244, 16}
2017-10-17 14:55:38,882 INFO [stdout] ([application]-server-thread-3) Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA
2017-10-17 14:55:38,882 INFO [stdout] ([application]-server-thread-3) Compression Method: 0
2017-10-17 14:55:38,882 INFO [stdout] ([application]-server-thread-3) Extension renegotiation_info, renegotiated_connection: <empty>
2017-10-17 14:55:38,882 INFO [stdout] ([application]-server-thread-3) ***
2017-10-17 14:55:38,882 INFO [stdout] ([application]-server-thread-3) [application]-server-thread-3, handling exception: javax.net.ssl.SSLHandshakeException: Server chose TLSv1, but that protocol version is not enabled or not supported by the client.
2017-10-17 14:55:38,883 INFO [stdout] ([application]-server-thread-3) [application]-server-thread-3, SEND TLSv1.2 ALERT: fatal, description = handshake_failure
2017-10-17 14:55:38,883 INFO [stdout] ([application]-server-thread-3) [application]-server-thread-3, WRITE: TLSv1.2 Alert, length = 2
2017-10-17 14:55:38,883 INFO [stdout] ([application]-server-thread-3) [application]-server-thread-3, called closeSocket()
2017-10-17 14:55:38,883 INFO [stdout] ([application]-server-thread-3) [application]-server-thread-3, IOException in getSession(): javax.net.ssl.SSLHandshakeException: Server chose TLSv1, but that protocol version is not enabled or not supported by the client.
2017-10-17 14:55:38,883 INFO [stdout] ([application]-server-thread-3) [application]-server-thread-3, called close()
2017-10-17 14:55:38,883 INFO [stdout] ([application]-server-thread-3) [application]-server-thread-3, called closeInternal(true)
2017-10-17 14:55:38,884 INFO [stdout] ([application]-server-thread-3) [application]-server-thread-3, called close()
2017-10-17 14:55:38,884 INFO [stdout] ([application]-server-thread-3) [application]-server-thread-3, called closeInternal(true)
2017-10-17 14:55:38,885 INFO [stdout] ([application]-server-thread-3) application: [[application]-server-thread-3] 14:55:38 ERROR com.sbt.access_system.c.Request:42 - Access_system error on doGet
2017-10-17 14:55:38,885 INFO [stdout] ([application]-server-thread-3) org.springframework.web.client.ResourceAccessException: I/O error on GET request for "https://10.111.111.111:9443/spas/rest/client-service/getUserRoles?ticket=root%2336e8e6bc47e51d3a773c0d0543a095ab15082340024201148": peer not authenticated; nested exception is javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
2017-10-17 14:55:38,885 INFO [stdout] ([application]-server-thread-3) at org.springframework.web.client.RestTemplate.doExecute(RestTemplate.java:528) ~[spring-web-3.2.10.RELEASE.jar:3.2.10.RELEASE]
I tried enabling the protocols explicitly, but it doesn't work: -Dhttps.protocols=TLSv1,TLSv1.1,TLSv1.2 -Djdk.tls.client.protocols=TLSv1,TLSv1.1,TLSv1.2
Please advise me what to do.
Upvotes: 0
Views: 752
Reputation: 11
This issue can happen when application code overrides the TLS protocol. Please check the code to see if you are setting the SSL context with "TLS"; if so, it will default to 1.0, and you will have to set it to TLSv1.2.
Upvotes: 1
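An added diagnostic example, not code from the question or the answer: it prints the protocol versions a given SSLContext name enables by default against those it could support, and then opens a socket with the enabled list pinned explicitly, so the "Server chose TLSv1, but that protocol version is not enabled" failure can be reproduced or ruled out independently of system properties. The class name, method names and the host/port arguments are assumptions.

```java
import java.util.Arrays;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

// Added example (not from the question or answer). Compares the versions a
// named SSLContext enables by default with the full supported list, then
// pins the enabled versions on the socket before the handshake.
public class TlsProtocolCheck {

    // Versions a client socket built from `contextName` enables by default;
    // "TLS" and "TLSv1.2" can yield different lists on Java 7.
    static String[] defaultEnabled(String contextName) throws Exception {
        SSLContext ctx = SSLContext.getInstance(contextName);
        ctx.init(null, null, null); // JVM default key and trust managers
        return ctx.getDefaultSSLParameters().getProtocols();
    }

    // Every version the provider could enable, for comparison with the above.
    static String[] supported(String contextName) throws Exception {
        SSLContext ctx = SSLContext.getInstance(contextName);
        ctx.init(null, null, null);
        return ctx.getSupportedSSLParameters().getProtocols();
    }

    // Connect with an explicit protocol list set on the socket itself, so the
    // enabled set no longer depends on the context name or on -D properties.
    // If the server picks a version outside `protocols`, startHandshake()
    // throws SSLHandshakeException, as in the question's log.
    static SSLSocket handshake(String host, int port, String[] protocols)
            throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLSv1.2");
        ctx.init(null, null, null);
        SSLSocketFactory factory = ctx.getSocketFactory();
        SSLSocket socket = (SSLSocket) factory.createSocket(host, port);
        socket.setEnabledProtocols(protocols);
        socket.startHandshake();
        return socket; // getSession().getProtocol() is the agreed version
    }

    public static void main(String[] args) throws Exception {
        for (String name : new String[] {"TLS", "TLSv1", "TLSv1.2"}) {
            System.out.println(name + ": default " + Arrays.toString(defaultEnabled(name))
                    + ", supported " + Arrays.toString(supported(name)));
        }
        if (args.length == 2) { // host and port of the server under test
            SSLSocket s = handshake(args[0], Integer.parseInt(args[1]),
                    new String[] {"TLSv1.2"}); // pin to TLSv1.2 only
            System.out.println("negotiated " + s.getSession().getProtocol());
            s.close();
        }
    }
}
```

Running it with the server's host and port reproduces the negotiation from the question's log with the peer's default trust store, so any remaining SSLPeerUnverifiedException points at certificate trust rather than at protocol selection.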