Handshake Failure

I am getting the below error while sending a file through TN (webMethods TN → Client) via an outbound proxy:

[61185]2016-01-27 18:25:59 CET [TNS.0002.1082I] com.wm.app.b2b.server.ServiceException: java.net.ConnectException: Connection timed out: connect
[61184]2016-01-27 18:25:38 CET [ISC.0064.0015T] Opening Socket https://integration.com:443/my
[61183]2016-01-27 18:25:38 CET [ISC.0064.0029T] Could not open Socket connection to proxy:80=proxy.test.com Exception:iaik.security.ssl.SSLException: Peer sent alert: Alert Fatal: handshake failure
[61182]2016-01-27 18:25:38 CET [ISC.0064.0017T] Proxy Header <–Connection established
[61181]2016-01-27 18:25:38 CET [ISC.0064.0014T] Opening Socket https://integration.com:443/my proxy:80=proxy.test.com

What might be the issue?
Is there any problem with the proxy on our side or the client's side?
Is there any issue with the certificates?


Looks like an SSL handshake issue.
Add this:
watt.ssl.iaik.debug=true
in the extended settings. It should write an SSL debug log, so you can see how the handshake happens.

I have already added this extended setting; it still shows the same, with no additional messages.

Krishna – which wM version are you on?

Have you added certificates on your side or the partner's side, or was there any installation of new certificate renewals?

Thanks,

Thanks, man.

We are using v8.2.2. We have added the certs at our end; I am checking with the client whether they have added our keys to their trust store or not.

Let me check and then come back to you.

Do you want me to check anything else, like proxy/firewall rules?

First, make sure both ends are using the same certificate; secondly, make sure no firewall rules are affecting the communication on either side. Share your mail id with me or write to me at anynonymoushelper@gmail.com

Thanks,

Thanks for your help.

I will check and let you know in case of any issues.

It seems to be an issue with the SSL version.

The client is getting the below error:

ERROR [https-exchanger-1661583] (2016-01-28 11:53:26,243) - /80.22.24.28:42130 cannot process i/o
javax.net.ssl.SSLException: Connection has been shutdown: javax.net.ssl.SSLHandshakeException: SSLv2Hello is disabled
at sun.security.ssl.SSLSocketImpl.checkEOF(SSLSocketImpl.java:1496)
at sun.security.ssl.AppInputStream.read(AppInputStream.java:92)
at transport.blockingip.IpsExchanger.run(IpsExchanger.java:90)
Caused by: javax.net.ssl.SSLHandshakeException: SSLv2Hello is disabled
at sun.security.ssl.InputRecord.handleUnknownRecord(InputRecord.java:598)
at sun.security.ssl.InputRecord.read(InputRecord.java:504)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:934)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1332)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1359)
at sun.security.ssl.SSLSocketImpl.getSession(SSLSocketImpl.java:2191)
at transport.blockingip.IpsExchanger.<init>(IpsExchanger.java:45)
at transport.blockingip.https.HttpsExchanger.<init>(HttpsExchanger.java:32)
at transport.blockingip.IpsServerConnector.run(IpsServerConnector.java:238)
at java.lang.Thread.run(Thread.java:745)

Now they are trying to modify their SSL settings to accept SSLv2.

Any other comments/suggestions?
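The stack trace above is the partner's Java server refusing the very first record it read, because that record was an SSLv2-format ClientHello ("SSLv2Hello") rather than a TLS record. The Python below is an added example, not code from this thread, from webMethods or from the JDK: it builds both shapes of ClientHello from constructed sample values and classifies them the way a JSSE-style server does before the handshake proper. The classifier paraphrases the check in sun.security.ssl.InputRecord.handleUnknownRecord (first byte with the high bit set and message type 1 in the third byte means SSLv2Hello; when SSLv2Hello is not an enabled protocol the connection is closed right there, whatever version the hello advertises). The version table, helper names and the reason strings are the author's approximations.

```python
"""Classify the first bytes a TLS server reads from a client: a TLS record
or an SSLv2-format ClientHello ("SSLv2Hello").

Added example; not code from the thread, webMethods or the JDK.  Sample
bytes are constructed here.  The classifier paraphrases the check JSSE
makes in sun.security.ssl.InputRecord.handleUnknownRecord; the reason
strings approximate its messages.
"""
import os
import struct

# Wire version numbers (major, minor) to protocol names.
VERSIONS = {(0, 2): "SSLv2", (3, 0): "SSLv3", (3, 1): "TLSv1",
            (3, 2): "TLSv1.1", (3, 3): "TLSv1.2"}

TLS_HANDSHAKE_RECORD = 0x16   # TLS record content type "handshake"
V2_CLIENT_HELLO = 1           # SSLv2 message type CLIENT-HELLO


def build_v2_compat_client_hello(version=(3, 1), cipher_specs=((0x00, 0x00, 0x2F),),
                                 challenge=None):
    """SSLv2-format ClientHello advertising `version`.

    Layout: 2-byte length header with the high bit set, message type 1,
    version, cipher-spec/session-id/challenge lengths, cipher specs,
    challenge.  Old clients send this shape even when they want TLS.
    """
    challenge = os.urandom(16) if challenge is None else challenge
    specs = b"".join(bytes(s) for s in cipher_specs)
    body = (bytes([V2_CLIENT_HELLO]) + bytes(version)
            + struct.pack(">HHH", len(specs), 0, len(challenge))
            + specs + challenge)
    return struct.pack(">H", 0x8000 | len(body)) + body


def build_tls_client_hello(version=(3, 3), cipher_suites=(0x002F, 0xC02F), random=None):
    """Minimal SSLv3/TLS ClientHello wrapped in a handshake record."""
    random = os.urandom(32) if random is None else random
    suites = b"".join(struct.pack(">H", s) for s in cipher_suites)
    hello = (bytes(version) + random
             + b"\x00"                                   # empty session id
             + struct.pack(">H", len(suites)) + suites
             + b"\x01\x00")                              # null compression only
    handshake = bytes([1]) + len(hello).to_bytes(3, "big") + hello
    return (bytes([TLS_HANDSHAKE_RECORD]) + bytes(version)
            + struct.pack(">H", len(handshake)) + handshake)


def classify_client_hello(data, sslv2hello_enabled=False):
    """Decide, from the first five bytes, what the server is looking at.

    Same order of checks as JSSE: a proper TLS record is taken as-is; a
    first byte with the high bit set and message type 1 in byte 3 is an
    SSLv2-format hello, refused outright unless SSLv2Hello is enabled,
    regardless of the (possibly TLS) version it advertises.
    """
    if len(data) < 5:
        raise ValueError("need at least 5 bytes")
    if data[0] == TLS_HANDSHAKE_RECORD and data[1] == 3:
        return {"format": "TLS record",
                "version": VERSIONS.get((data[1], data[2]), "unknown"),
                "accepted": True}
    if data[0] & 0x80 and data[2] == V2_CLIENT_HELLO:
        version = (data[3], data[4])
        result = {"format": "SSLv2Hello",
                  "version": VERSIONS.get(version, "unknown")}
        if not sslv2hello_enabled:
            result.update(accepted=False, reason="SSLv2Hello is disabled")
        elif version < (3, 0):
            result.update(accepted=False, reason="SSL 2.0 itself is not supported")
        else:
            result.update(accepted=True)   # would be converted to an SSLv3/TLS hello
        return result
    return {"format": "unknown", "accepted": False, "reason": "not an SSL/TLS hello"}


if __name__ == "__main__":
    for name, hello in (("SSLv2-format hello advertising TLSv1",
                         build_v2_compat_client_hello()),
                        ("TLSv1.2 record", build_tls_client_hello())):
        print(f"{name}: {classify_client_hello(hello)}")
```

The point the classifier makes is that the refusal is about the format of the first message, not the version inside it: an SSLv2-format hello that advertises TLSv1 is still dropped with "SSLv2Hello is disabled". That is why a client that stops sending the v2-compatible hello (a higher minVersion on the sending side) connects, while raising the advertised version alone does not help.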

Hi Krishna,

More likely you should try to get the partner system updated to support TLS, then.

Additionally, you should check Empower for the POODLE fix (IS Core 8.2.2 Fix15+ in your case):
https://empower.softwareag.com/Products/Security/poodle.asp
https://empower.softwareag.com/sl24sec/SecuredServices/KCFullTextASP/viewing/view.asp?prdfamily=Integration&KEY=113752-15316048&DSN=PIVOTAL&DST=TCD
https://empower.softwareag.com/sl24sec/SecuredServices/KCFullTextASP/viewing/view.asp?prdfamily=Integration&KEY=113725-9174169&DSN=PIVOTAL&DST=TCD

Regards,
Holger


Thanks. I will check this and come back to you in case of any concerns.

I have set the below extended properties to overcome this issue:

watt.net.ssl.client.strongcipheronly=true
watt.net.ssl.client.handshake.maxVersion=tls
watt.net.ssl.client.handshake.minVersion=sslv3

I will come back in case there are any other issues on this.


Hi Krishna,

The recommended settings are (disabling SSL v2 and SSL v3 completely):

watt.net.jsse.client.enabledProtocols=TLSv1,TLSv1.1,TLSv1.2
watt.net.jsse.server.enabledProtocols=TLSv1,TLSv1.1,TLSv1.2
watt.net.ssl.client.handshake.maxVersion=tls
watt.net.ssl.client.handshake.minVersion=tls
watt.net.ssl.server.handshake.maxVersion=tls
watt.net.ssl.server.handshake.minVersion=tls

When your partner can only connect using SSL v2, you will have to modify the server settings, not the client settings.

server=inbound
client=outbound

Regards,
Holger


Thanks Holger.

But will it not impact the other clients who are using SSLv2 for inbound and outbound?

Hi Krishna,

Sure. This will affect all clients connecting to the IS.

But once again:
you should try to get all partners to upgrade their systems to use at least TLS v1 or higher, for security reasons.

It looks like TLS v1 and TLS v1.1 are by now also considered buggy/insecure.

Regards,
Holger

OK, but we can try to support all protocols by implementing settings like the below…

watt.net.ssl.client.handshake.maxVersion=tls
watt.net.ssl.client.handshake.minVersion=sslv2
watt.net.ssl.server.handshake.maxVersion=tls
watt.net.ssl.server.handshake.minVersion=sslv2

Will it work without impacting the other clients?

Hi Krishna,

I think you are out of luck in this case, as IS does not support being reached by SSL v2 at all.

Here is the snippet for this issue from the IS_8.2_SP2_Core_Fix15_readme.txt:

Regards,
Holger


Thanks for the helpful information; I will let you know in case of any issues.

Krishna – I was a little busy with work, so I was not able to read the posts. What's going on with this?

Thanks,

Hey, I have added the below parameters to resolve this issue. We are still in the testing phase; I will let you know in case of any issues.

watt.net.ssl.client.handshake.minVersion=tls
watt.net.ssl.client.handshake.maxVersion=sslv3

Hi Krishna,

Please swap the two settings, as TLS is a higher SSL version than SSL v3:

watt.net.ssl.client.handshake.minVersion=sslv3
watt.net.ssl.client.handshake.maxVersion=tls

Regards,
Holger
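The thread shows three ways these extended settings go wrong: min and max swapped (an empty range), sslv2 offered where IS cannot accept it, and sslv3 left enabled after POODLE. The Python below is an added example, not code from the thread or from Software AG, that parses a block of extended settings and checks the watt.net.ssl.*.handshake.minVersion/maxVersion and watt.net.jsse.*.enabledProtocols keys quoted above. The version ranking (sslv2 < sslv3 < tls), the decision to treat sslv2 as an error on both sides, and the warnings on sslv3 and on a missing TLSv1.2 are the author's policy choices, not a product rule; it only knows the keys and values that appear in this thread.

```python
"""Sanity-check webMethods IS SSL/TLS handshake extended settings.

Added example, not code from the original thread or from Software AG.
It only knows the watt.net.ssl.*.handshake.minVersion/maxVersion and
watt.net.jsse.*.enabledProtocols keys quoted in the thread.  The
version ranking and the policy (sslv2 is an error, sslv3 and a missing
TLSv1.2 are warnings) are the author's assumptions, not a product rule.
"""

# Values the handshake.minVersion/maxVersion keys take, lowest first.
# A minVersion ranked above its maxVersion leaves no version to negotiate.
VERSION_RANK = {"sslv2": 0, "sslv3": 1, "tls": 2}

SIDES = ("client", "server")  # client = outbound, server = inbound


def parse_settings(text):
    """Parse key=value lines; blank lines and '#' comments are ignored."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"not a key=value line: {raw!r}")
        settings[key.strip()] = value.strip()
    return settings


def check_handshake_settings(settings):
    """Return (errors, warnings) for the min/max and enabledProtocols keys."""
    errors, warnings = [], []
    for side in SIDES:
        lo_key = f"watt.net.ssl.{side}.handshake.minVersion"
        hi_key = f"watt.net.ssl.{side}.handshake.maxVersion"
        lo = settings.get(lo_key, "").lower()
        hi = settings.get(hi_key, "").lower()
        if lo or hi:
            for key, val in ((lo_key, lo), (hi_key, hi)):
                if val and val not in VERSION_RANK:
                    errors.append(f"{key}: unknown value {val!r}")
            if lo in VERSION_RANK and hi in VERSION_RANK \
                    and VERSION_RANK[lo] > VERSION_RANK[hi]:
                errors.append(f"{side}: minVersion={lo} is above maxVersion={hi}; swap them")
            if lo == "sslv2":
                errors.append(f"{side}: SSLv2 cannot be offered; raise minVersion to tls")
            elif lo == "sslv3":
                warnings.append(f"{side}: SSLv3 is enabled (POODLE); prefer minVersion=tls")

        proto_key = f"watt.net.jsse.{side}.enabledProtocols"
        if proto_key in settings:
            protos = [p.strip() for p in settings[proto_key].split(",") if p.strip()]
            ssl_protos = [p for p in protos if p.upper().startswith("SSL")]
            if ssl_protos:
                errors.append(f"{proto_key}: SSL protocols listed: {ssl_protos}")
            if "TLSv1.2" not in protos:
                warnings.append(f"{proto_key}: TLSv1.2 is not enabled")
    return errors, warnings


if __name__ == "__main__":
    # Constructed input: the swapped pair from the thread.
    swapped = """
    watt.net.ssl.client.handshake.minVersion=tls
    watt.net.ssl.client.handshake.maxVersion=sslv3
    """
    errors, warnings = check_handshake_settings(parse_settings(swapped))
    for msg in errors:
        print("ERROR:", msg)
    for msg in warnings:
        print("WARN: ", msg)
```

Run it against a candidate settings block before applying it to the IS; anything under ERROR means the handshake range is empty or unreachable, while the warnings flag a range that works but still offers a protocol the thread recommends disabling.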