Handshake Failure

Am getting the below error while i am sending the file through TN (webMethodsTN -> Client) via outbound proxy

[61185]2016-01-27 18:25:59 CET [TNS.0002.1082I] com.wm.app.b2b.server.ServiceException: java.net.ConnectException: Connection timed out: connect
[61184]2016-01-27 18:25:38 CET [ISC.0064.0015T] Opening Socket https://integration.com:443/my
[61183]2016-01-27 18:25:38 CET [ISC.0064.0029T] Could not open Socket connection to proxy:80=proxy.test.com Exception:iaik.security.ssl.SSLException: Peer sent alert: Alert Fatal: handshake failure
[61182]2016-01-27 18:25:38 CET [ISC.0064.0017T] Proxy Header <–Connection established
[61181]2016-01-27 18:25:38 CET [ISC.0064.0014T] Opening Socket https://integration.com:443/my proxy:80=proxy.test.com

What might be the issue?
Is there any problem with the proxy at our side/client side?
Is there any issue with the Certificates?

1 Like

Looks like a SSL handshake issue.
add this:
watt.ssl.iaik.debug=true
in the extended setting. it should write SSL debug log, you can see how the handshake happens

I have already added this extended field, still showing the same, no additional messages.

Krishna – which wM version you are on ?

Have you added certificates at your side or partner side or was there any installation for new certificate renewals ?

Thanks,

Thanks Man.

We are using 8.2.2v. We have added the certs at our end, I am checking with the client on the same whether they have added our keys at their trust store or not.

Let me check and then come back to you.

Do you want me to check any other things like proxy/firewall rules?

first make sure both the ends using the same certificate, secondly think of no firewall rules affecting the communication on either side. Share me your mail id or write me @anynonymoushelper@gmail.com

Thanks,

Thanks for your help.

I will check and let you know in case of any issues.

It seems to be issue with the SSL version.

Client is getting the below error:

ERROR [https-exchanger-1661583] (2016-01-28 11:53:26,243) - /80.22.24.28:42130 cannot process i/o
javax.net.ssl.SSLException: Connection has been shutdown: javax.net.ssl.SSLHandshakeException: SSLv2Hello is disabled
at sun.security.ssl.SSLSocketImpl.checkEOF(SSLSocketImpl.java:1496)
at sun.security.ssl.AppInputStream.read(AppInputStream.java:92)
at transport.blockingip.IpsExchanger.run(IpsExchanger.java:90)
Caused by: javax.net.ssl.SSLHandshakeException: SSLv2Hello is disabled
at sun.security.ssl.InputRecord.handleUnknownRecord(InputRecord.java:598)
at sun.security.ssl.InputRecord.read(InputRecord.java:504)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:934)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1332)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1359)
at sun.security.ssl.SSLSocketImpl.getSession(SSLSocketImpl.java:2191)
at transport.blockingip.IpsExchanger.(IpsExchanger.java:45)
at transport.blockingip.https.HttpsExchanger.(HttpsExchanger.java:32)
at transport.blockingip.IpsServerConnector.run(IpsServerConnector.java:238)
at java.lang.Thread.run(Thread.java:745)

Now they are trying to modify their SSL settings to accept SSLv2.

Any other comments/suggestions?

Hi Krishna,

more likely you should try to get the partner system updated to support TLS then.

Additionally you should check Empower for the Poodle Fix (IS Core 8.2.2 Fix15+ in your case):
https://empower.softwareag.com/Products/Security/poodle.asp
https://empower.softwareag.com/sl24sec/SecuredServices/KCFullTextASP/viewing/view.asp?prdfamily=Integration&KEY=113752-15316048&DSN=PIVOTAL&DST=TCD
https://empower.softwareag.com/sl24sec/SecuredServices/KCFullTextASP/viewing/view.asp?prdfamily=Integration&KEY=113725-9174169&DSN=PIVOTAL&DST=TCD

Regards,
Holger

1 Like

Thanks .I will check this and come back to you in case of any concerns.

I have set the below extended properties to overcome this issue.

watt.net.ssl.client.strongcipheronly=true
watt.net.ssl.client.handshake.maxVersion=tls
watt.net.ssl.client.handshake.minVersion=sslv3

I will comeback in case of there is any other issues on this.

1 Like

Hi Krishna,

the recommended settings are (diasbling SSL v2 and SSL v3 completely):


watt.net.jsse.client.enabledProtocols=TLSv1,TLSv1.1,TLSv1.2
watt.net.jsse.server.enabledProtocols=TLSv1,TLSv1.1,TLSv1.2
watt.net.ssl.client.handshake.maxVersion=tls
watt.net.ssl.client.handshake.minVersion=tls
watt.net.ssl.server.handshake.maxVersion=tls
watt.net.ssl.server.handshake.minVersion=tls

When you partner only can connect using SSL v2, you will have to modify the server settings not the client settings.

server=inbound
client=outbound

Regards,
Holger

1 Like

Thanks Holger.

But will it not be impact the other clients who are using the sslv2 for inbound and outbound?

Hi Krishna,

sure. This will affect all clients connecting to the IS.

But once again:
You should try to get all Partners to upgrade their systems to use at least TLS v1 or higher for security reasons.

Looks like TLS v1 and TLS v1.1 are also considered buggy/unsecure meanwhile.

Regards,
Holger

Ok, But we can try to support all protocols by implement the setting like below…

watt.net.ssl.client.handshake.maxVersion=tls
watt.net.ssl.client.handshake.minVersion=sslv2
watt.net.ssl.server.handshake.maxVersion=tls
watt.net.ssl.server.handshake.minVersion=sslv2

will it work without impacting the other clients?

Hi Krishna,

I think you have bad luck in this case as IS does not support being reached by SSL v2 at all.

Here is the snippet for this issue from the IS_8.2_SP2_Core_Fix15_readme.txt:

Regards,
Holger

1 Like

Thanks for your helpful information and will let you know in case of any issues.

Krishna – I was a little busy with work, so could not able to read the posts, what’s going on this ?

Thanks,

Hey, Have added below parameters to resolve this issue, Still we are in testing phase, will let you know in case of any issues.

watt.net.ssl.client.handshake.minVersion=tls
watt.net.ssl.client.handshake.maxVersion=sslv3

Hi Krishna,

please swap the two settings, as TLS is a higher ssl version than SSL v3:

watt.net.ssl.client.handshake.minVersion=sslv3
watt.net.ssl.client.handshake.maxVersion=tls

Regards,
Holger