Reputation: 61
We are invoking a Gradle build from Jenkins, and the Java being used is IBM Java 1.8. After the build is completed, the packaged EAR file is supposed to be published to Artifactory, and that's where it fails, because it is using TLSv1 whereas the Artifactory server uses TLSv1.2 (RECV TLSv1.2 ALERT: fatal, protocol_version). We have specified parameters to try to force it to use TLSv1.2, but to no avail.
If we simply switch the Java from IBM Java to OpenJDK everything works, but we have to use the IBM JDK.
Below is an extract from the logs; any insight would be appreciated.
```
16:37:27 BUILD_ID=52
16:37:27 JAVA_TOOL_OPTIONS=-Duser.home=/home/jenkins -Dhttps.protocols=TLSv1.2 -Dcom.ibm.jsse2.overrideDefaultTLS=true -Dcom.ibm.jsse2.overrideDefaultProtocol=TLSv12 -Djdk.tls.client.protocols=TLSv1.2 -Djavax.net.debug=all -Djavax.net.debug=all -Dcom.ibm.jsse2.disablesslv3=false -Djdk.tls.client.protocols=TLSv1.2 -Dhttps.protocols=TLSv1.2 -Djdk.tls.disabledAlgorithms=SSLv3,TLSv1,TLSv1.1
16:39:49 jdk.tls.client.protocols is defined as TLSv1.2
16:39:49 SSLv3 protocol was requested but was not enabled
16:39:49 SUPPORTED: [TLSv1, TLSv1.1, TLSv1.2]
16:39:49 SERVER_DEFAULT: [TLSv1, TLSv1.1, TLSv1.2]
16:39:49 CLIENT_DEFAULT: [TLSv1.2]
16:39:49 IBMJSSE2 will allow RFC 5746 renegotiation per com.ibm.jsse2.renegotiate set to none or default
16:39:49 IBMJSSE2 will not require renegotiation indicator during initial handshake per com.ibm.jsse2.renegotiation.indicator set to OPTIONAL or default taken
16:39:49 IBMJSSE2 will not perform identity checking against the peer cert check during renegotiation per com.ibm.jsse2.renegotiation.peer.cert.check set to OFF or default
16:39:49 IBMJSSE2 will allow client initiated renegotiation per jdk.tls.rejectClientInitiatedRenegotiation set to FALSE or default
16:39:49 IBMJSSE2 will not allow unsafe server certificate change during renegotiation per jdk.tls.allowUnsafeServerCertChange set to FALSE or default
16:39:49
16:39:49 Is initial handshake: true
16:39:49 Ignoring unsupported cipher suite: SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
16:39:49 Ignoring unsupported cipher suite: SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA256
16:39:49 Ignoring unsupported cipher suite: SSL_RSA_WITH_AES_128_CBC_SHA256
16:39:49 Ignoring unsupported cipher suite: SSL_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
16:39:49 Ignoring unsupported cipher suite: SSL_ECDH_RSA_WITH_AES_128_CBC_SHA256
16:39:49 Ignoring unsupported cipher suite: SSL_DHE_RSA_WITH_AES_128_CBC_SHA256
16:39:49 Ignoring unsupported cipher suite: SSL_DHE_DSS_WITH_AES_128_CBC_SHA256
16:39:49 Ignoring unsupported cipher suite: SSL_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
16:39:49 Ignoring unsupported cipher suite: SSL_ECDHE_RSA_WITH_AES_128_GCM_SHA256
16:39:49 Ignoring unsupported cipher suite: SSL_RSA_WITH_AES_128_GCM_SHA256
16:39:49 Ignoring unsupported cipher suite: SSL_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
16:39:49 Ignoring unsupported cipher suite: SSL_ECDH_RSA_WITH_AES_128_GCM_SHA256
16:39:49 Ignoring unsupported cipher suite: SSL_DHE_RSA_WITH_AES_128_GCM_SHA256
16:39:49 Ignoring unsupported cipher suite: SSL_DHE_DSS_WITH_AES_128_GCM_SHA256
16:39:49 %% No cached client session
16:39:49 *** ClientHello, TLSv1
16:39:49 RandomCookie: GMT: 1595384853 bytes = { 107, 178, 131, 155, 114, 248, 46, 134, 176, 84, 230, 191, 243, 124, 238, 63, 233, 106, 234, 197, 151, 26, 164, 199, 46, 116, 65, 30 }
16:39:49 Session ID: {}
16:39:49 Cipher Suites: [TLS_EMPTY_RENEGOTIATION_INFO_SCSV, SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_AES_128_CBC_SHA, SSL_ECDH_ECDSA_WITH_AES_128_CBC_SHA, SSL_ECDH_RSA_WITH_AES_128_CBC_SHA, SSL_DHE_RSA_WITH_AES_128_CBC_SHA, SSL_DHE_DSS_WITH_AES_128_CBC_SHA]
16:39:49 Compression Methods: { 0 }
16:39:49 Extension elliptic_curves, curve names: {secp256r1, secp192r1, secp224r1, secp384r1, secp521r1, secp160k1, secp160r1, secp160r2, secp192k1, secp224k1, secp256k1}
16:39:49 Extension ec_point_formats, formats: [uncompressed]
16:39:49 Extension server_name, server_name: [type=host_name (0), value=artifactory..xxx.xxx]
16:39:49 ***
16:39:49 [write] MD5 and SHA1 hashes: len = 123
16:39:49 [Raw read]: length = 2
16:39:49 0000: 02 46 .F
16:39:49
16:39:49 pool-1-thread-1, READ: TLSv1 Alert, length = 2
16:39:49 pool-1-thread-1, RECV TLSv1.2 ALERT: fatal, protocol_version
16:39:49 pool-1-thread-1, called closeSocket()
16:39:49 pool-1-thread-1, handling exception: javax.net.ssl.SSLException: Received fatal alert: protocol_version
16:39:49 Error occurred for request GET /artifactory/api/system/version HTTP/1.1: Received fatal alert: protocol_version.
```
Upvotes: 2
Views: 4120
Reputation:
In your exception stack, it was mentioned:
"16:39:49 jdk.tls.client.protocols is defined as TLSv1.2
16:39:49 **SSLv3 protocol was requested but was not enabled**"
and in your command-line options it mentioned "-Djdk.tls.disabledAlgorithms=SSLv3,TLSv1,TLSv1.1".
Can you try removing the property "-Djdk.tls.disabledAlgorithms=SSLv3,TLSv1,TLSv1.1" and test your application?
Upvotes: 0
Reputation: 344
Try updating your gradle.properties to have:
```
systemProp.com.ibm.jsse2.overrideDefaultTLS=true
```
Upvotes: 1
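An added example, not part of the original posts: a small triage script for a `javax.net.debug` trace like the one in the question. It compares the `CLIENT_DEFAULT` protocol list with the version actually sent in each `ClientHello` and reports fatal `protocol_version` alerts. The function name `triage` and the sample log (a few lines copied from the question's extract) are assumptions made for illustration.

```python
import re

# Constructed sample: a few lines copied from the javax.net.debug extract in the question.
SAMPLE_LOG = """\
16:39:49 jdk.tls.client.protocols is defined as TLSv1.2
16:39:49 SUPPORTED: [TLSv1, TLSv1.1, TLSv1.2]
16:39:49 CLIENT_DEFAULT: [TLSv1.2]
16:39:49 *** ClientHello, TLSv1
16:39:49 pool-1-thread-1, READ: TLSv1 Alert, length = 2
16:39:49 pool-1-thread-1, RECV TLSv1.2 ALERT: fatal, protocol_version
"""

CLIENT_DEFAULT = re.compile(r"\bCLIENT_DEFAULT: \[([^\]]*)\]")
CLIENT_HELLO = re.compile(r"\*\*\* ClientHello, (\S+)")
RECV_ALERT = re.compile(r"RECV \S+ ALERT:\s*(\w+),\s*(\w+)")


def triage(log_text):
    """Summarise protocol negotiation as recorded in a JSSE debug trace."""
    summary = {"client_default": [], "hellos": [], "alerts": [], "findings": []}
    for line in log_text.splitlines():
        if (m := CLIENT_DEFAULT.search(line)):
            summary["client_default"] = [p.strip() for p in m.group(1).split(",") if p.strip()]
        elif (m := CLIENT_HELLO.search(line)):
            summary["hellos"].append(m.group(1))
        elif (m := RECV_ALERT.search(line)):
            summary["alerts"].append((m.group(1), m.group(2)))

    # A hello whose version is not in CLIENT_DEFAULT means this socket did not
    # take its protocol list from the configured client defaults.
    if summary["client_default"]:
        for version in summary["hellos"]:
            if version not in summary["client_default"]:
                summary["findings"].append(
                    f"ClientHello offered {version}, outside CLIENT_DEFAULT {summary['client_default']}")
    for level, description in summary["alerts"]:
        if level == "fatal" and description == "protocol_version":
            summary["findings"].append("peer rejected the offered protocol version")
    return summary


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG)["findings"]:
        print(finding)
```

Run against the full console log of a failing build, it shows at a glance whether the JVM-level settings were parsed (`CLIENT_DEFAULT`) but not applied to the connection that reached Artifactory.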