Handshake Exception on SSL communication

Hi

Facing an issue while communicating with the client's server through an HTTPS SOAP request over SSL.

Added the properties below in Extended Settings on the IS page:
watt.net.jsse.client.enabledCipherSuiteList=default
watt.net.jsse.client.enabledProtocols=TLSv1,TLSv1.1,TLSv1.2
watt.net.jsse.server.enabledCipherSuiteList=default
watt.net.jsse.server.enabledProtocols=SSLv2Hello,TLSv1,TLSv1.1,TLSv1.2
watt.net.ssl.client.handshake.maxVersion=tls
watt.net.ssl.client.handshake.minVersion=sslv2,TLSv1,TLSv1.1,TLSv1.2
watt.net.ssl.client.strongcipheronly=true

Enabled the Use JSSE option in the HTTPS post alias.

Enabled the Use JSSE option in the WSDL connector when triggering data to the client.

Certificates:
Shared a new CSR with the client and received the certificate they shared back.
Created a keystore from the .p12 file.

The Java version we are currently using is 1.8, and we are also using cipher suites.

Please find the error below:
javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure

Also find the attached wrapper log.

Thanks in advance.

wrapperlog3.txt (78.6 KB)

Hi Sirisha,

which version of wM are you using?
Any Fixes applied?

Might it be that your partner does not accept TLSv1.2 currently?

Please remove SSLv2Hello and sslv2 from the list of allowed protocols, as long as they are not required by special applications.

Can you check the output of "openssl s_client -connect :"?

This will give an idea which protocols are available.

Regards,
Holger
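The check Holger suggests, as an added example that is not part of the thread: a small POSIX shell script that runs `openssl s_client` once per protocol version against a host and port you supply (placeholders here) and condenses each transcript to one line: the negotiated protocol and cipher, whether the server sent a CertificateRequest (`s_client` prints "Acceptable client certificate CA names" in that case), and whether the server rejected the handshake with alert 40, which is the handshake_failure in the original error. Probing each version separately matters because a plain `s_client` run negotiates the best version silently and hides which ones the partner refuses.

```shell
#!/bin/sh
# Added example, not part of the original thread: run the check Holger
# suggests, one protocol version at a time, and condense the s_client
# transcript. HOST and PORT are placeholders you supply.

# summarize_s_client: read an `openssl s_client` transcript on stdin and print
# one line with the negotiated protocol and cipher, whether the server asked
# for a client certificate, and whether it rejected the handshake (alert 40,
# "handshake_failure", the alert in the original error).
summarize_s_client() {
    awk '
        /^ *Protocol *:/ { proto = $3 }
        /^ *Cipher *:/   { cipher = $3 }   # "Cipher    : 0000" means nothing was agreed
        /alert handshake failure|SSL alert number 40/ { failed = 1 }
        # Printed only when the server sent a CertificateRequest; its absence
        # does not prove the server skipped client authentication.
        /Acceptable client certificate CA names/ { wants_cert = 1 }
        END {
            if (failed) { print "FAILED: server sent handshake_failure (alert 40)"; exit }
            if (cipher == "" || cipher == "0000") { print "FAILED: no cipher negotiated"; exit }
            msg = "OK: " proto " " cipher
            if (wants_cert) msg = msg " (server requests a client certificate)"
            print msg
        }'
}

# probe HOST PORT: try each version separately. A version the server refuses
# shows up as alert 40 instead of being negotiated away silently.
probe() {
    for version in -tls1 -tls1_1 -tls1_2; do
        printf '%-8s ' "$version"
        # -servername sends SNI; stdin from /dev/null ends the session right after the handshake
        openssl s_client -connect "$1:$2" -servername "$1" "$version" </dev/null 2>&1 \
            | summarize_s_client
    done
}

# Usage: sh probe.sh partner.example.com 443   (placeholders; only probe hosts
# you are allowed to test)
if [ "$#" -eq 2 ]; then
    probe "$1" "$2"
fi
```

If every version reports alert 40 while the partner confirms TLSv1.2 support, the rejection is usually not about the protocol version but about what the client offers or fails to offer (cipher suites, or a missing client certificate when the summary shows the server requesting one); if only the older versions fail, the server has simply disabled them.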

Notice this line in the log:
Warning: no suitable certificate found - continuing without client authentication

If you are acting as the client, please configure your server cert so it will be presented during the handshake.

Hi Holger,

Please find my comments below:

which version of wM are you using?
---- We are using webMethods version 9.9.

Any Fixes applied?
— No fix applied; please suggest if any is required.

Might it be that your partner does not accept TLSv1.2 currently?
— As per the client, TLSv1.2 is supported.

Please remove the SSLv2Hello and sslv2 from the list of allowed protocols as long as it is not required by special applications.
— Removed SSLv2Hello and sslv2 and checked; the issue still exists.

Can you check the output of "openssl s_client -connect :"?
— Result:
139656393811784:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1259:SSL alert number 40
139656393811784:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:184:


Hi Tong Wang,

We have configured the client-signed certs along with the private key on our server.

Tried connecting to the server using the curl command.
curl -v -o - -X POST -H "Content-Type: text/xml" --key ./DEV-IS-CAS-Certificate.pem --cert ./LatestCAS.crt --data "@getdropboxlist.xml" -k "https://#hostname/cas/SoftwareDeliveryService/SoftwareDelivery" | xmllint --format -

Response:
* About to connect() to #hostname port 443 (#0)
* Trying ip... connected
* Connected to #hostname (ip) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* warning: ignoring value of ssl.verifyhost
* Unable to load client key -8178.
* NSS error -8178
* Closing connection #0

Can you please elaborate on how to configure the certs?
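An added example, not from the post above: before handing files to curl, verify that the file passed as `--key` really is a private key and that it belongs to the certificate passed as `--cert`. "Unable to load client key" is what NSS-built curl prints when it cannot load the `--key` file as a key, and NSS error -8178 is SEC_ERROR_BAD_KEY. The script below does the two checks with the openssl CLI and then issues the SOAP POST with the partner's CA on `--cacert` rather than `-k`; the file names, host and URL are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post. Check that the --key file is a
# private key and that it matches the --cert certificate before calling curl.
# File names, host and URL are placeholders.

# is_private_key FILE: 0 if openssl can parse FILE as a private key.
# A certificate handed in as the key fails here (as does an encrypted key,
# since stdin is /dev/null and no passphrase can be read).
is_private_key() {
    openssl pkey -in "$1" -noout </dev/null >/dev/null 2>&1
}

# keypair_matches KEY CERT: 0 when the public key derived from KEY is
# byte-for-byte the SubjectPublicKeyInfo in CERT (works for RSA and EC).
keypair_matches() {
    is_private_key "$1" || return 1
    key_spki=$(openssl pkey -in "$1" -pubout -outform DER 2>/dev/null | od -A n -t x1 | tr -d ' \n')
    cert_spki=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null \
                | openssl pkey -pubin -outform DER 2>/dev/null | od -A n -t x1 | tr -d ' \n')
    [ -n "$key_spki" ] && [ "$key_spki" = "$cert_spki" ]
}

# post_soap KEY CERT CA_BUNDLE URL BODY_FILE: the curl form of the request,
# private key on --key, certificate on --cert, and the partner's CA on
# --cacert instead of -k, so the server is verified rather than trusted blindly.
post_soap() {
    keypair_matches "$1" "$2" || { echo "refusing: $1 is not the private key for $2" >&2; return 1; }
    curl -sS -X POST -H 'Content-Type: text/xml' \
         --key "$1" --cert "$2" --cacert "$3" \
         --data "@$5" "$4"
}

# Usage (placeholders):
#   post_soap client.key client.crt partner-ca.pem \
#       "https://#hostname/cas/SoftwareDeliveryService/SoftwareDelivery" getdropboxlist.xml
```

If `is_private_key` fails on the file you meant as the key, the file is not a key (a certificate or a CSR, for instance) or it is passphrase-protected; if `keypair_matches` fails, the key and certificate come from different key pairs, and the server will reject the client certificate even when curl manages to load both.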

Hi Sirisha,

Please have a look at the IS Administrator's Guide.
You will have to configure a truststore containing the CA certificate from your partner's server when it is not in the general cacerts file of the JVM.

Regards,
Holger

I guess the curl application is acting as the client, and it's missing the cert.
Please check the curl documentation/forum on how to configure the cert for it, since this is just a wM forum.