IS 8.2 is not providing support for TLSv1

Hi All,

I have a webMethods 8.2 Integration Server in which I have the below configuration:

watt.net.ssl.client.handshake.maxVersion=tls
watt.net.ssl.client.handshake.minVersion=sslv2

Now as per the above configuration it can support sslv2, sslv3 and tls1 (let me know if it is not correct). But if I am trying to connect to this IS from openssl then it is not working for tls1.

I have issued the below command in openssl

s_client -connect : -tls1

Output :
Loading 'screen' into random state - done
CONNECTED(00000184)
6748:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:.\ssl\s3_pkt.c:340:

However, it is working fine if I use -ssl3.

I have also tried to increase the ssl log and found the below error in the ssl log:

ssl_debug(85): Starting handshake (iSaSiLk 3.03)...
ssl_debug(85): Received v3 client_hello handshake message.
ssl_debug(85): Exception while handshaking:
ssl_debug(85): java.lang.ArrayIndexOutOfBoundsException: 1
ssl_debug(85): at iaik.security.ssl.bb.(Unknown Source)
ssl_debug(85): at iaik.security.ssl.cb.a(Unknown Source)
ssl_debug(85): at iaik.security.ssl.cb.(Unknown Source)
ssl_debug(85): at iaik.security.ssl.p.c(Unknown Source)
ssl_debug(85): at iaik.security.ssl.p.a(Unknown Source)
ssl_debug(85): at iaik.security.ssl.p.(Unknown Source)
ssl_debug(85): at iaik.security.ssl.h.c(Unknown Source)
ssl_debug(85): at iaik.security.ssl.h.d(Unknown Source)
ssl_debug(85): at iaik.security.ssl.e.c(Unknown Source)
ssl_debug(85): at iaik.security.ssl.SSLTransport.startHandshake(Unknown Source)
ssl_debug(85): at iaik.security.ssl.SSLTransport.getInputStream(Unknown Source)
ssl_debug(85): at iaik.security.ssl.SSLSocket.getInputStream(Unknown Source)
ssl_debug(85): at com.wm.app.b2b.server.ProtocolState.initSocket(ProtocolState.java:168)
ssl_debug(85): at com.wm.app.b2b.server.HTTPDispatch.getState(HTTPDispatch.java:214)
ssl_debug(85): at com.wm.app.b2b.server.Dispatch.run(Dispatch.java:293)
ssl_debug(85): at com.wm.util.pool.PooledThread.run(PooledThread.java:131)
ssl_debug(85): at java.lang.Thread.run(Unknown Source)
ssl_debug(85): Sending alert: Alert Fatal: handshake failure
ssl_debug(85): Shutting down SSL layer...

Please let me know what I am missing.

P.S. I have already tested the same thing with most of the OpenSSL versions, so it is not an OpenSSL issue.

Thanks in Advance

Yogesh
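An added example, not part of the original post and not Software AG or IAIK code: a small triage script for an `ssl_debug` log like the one quoted above, which groups lines per connection and reports which handshakes failed, where the exception was thrown, and which alert went back to the client. It assumes the number in parentheses identifies one connection; connection 86 in the sample is constructed for contrast, and the function and field names are hypothetical.

```python
import re

# Constructed sample: connection 85 reuses lines quoted in the post above;
# connection 86 is invented (interleaved, no exception) for contrast.
SAMPLE_LOG = """\
ssl_debug(85): Starting handshake (iSaSiLk 3.03)...
ssl_debug(86): Starting handshake (iSaSiLk 3.03)...
ssl_debug(85): Received v3 client_hello handshake message.
ssl_debug(85): Exception while handshaking:
ssl_debug(85): java.lang.ArrayIndexOutOfBoundsException: 1
ssl_debug(85): at iaik.security.ssl.bb.(Unknown Source)
ssl_debug(86): Received v3 client_hello handshake message.
ssl_debug(85): at com.wm.app.b2b.server.ProtocolState.initSocket(ProtocolState.java:168)
ssl_debug(85): Sending alert: Alert Fatal: handshake failure
ssl_debug(86): Shutting down SSL layer...
ssl_debug(85): Shutting down SSL layer...
"""

LINE = re.compile(r"^ssl_debug\((\d+)\):\s*(.*)$")
EXC = re.compile(r"^((?:[\w$]+\.)+[\w$]*(?:Exception|Error))(?::\s*(.*))?$")
FRAME = re.compile(r"^at\s+(\S+?)\((.*)\)$")
ALERT = re.compile(r"^Sending alert: Alert (\w+): (.+)$")

def summarize(log_text):
    """Group ssl_debug lines by the id in parentheses; return {id: summary}."""
    conns = {}
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # not an ssl_debug line
        msg = m.group(2).strip()
        c = conns.setdefault(int(m.group(1)), dict.fromkeys(
            ("hello", "exception", "detail", "thrown_in", "app_frame", "alert")))
        if msg.startswith("Received ") and "client_hello" in msg:
            c["hello"] = msg.split()[1]            # hello format, e.g. "v3"
        elif (a := ALERT.match(msg)):
            c["alert"] = (a.group(1), a.group(2))  # (level, description)
        elif (e := EXC.match(msg)):
            c["exception"], c["detail"] = e.group(1), e.group(2)
        elif (f := FRAME.match(msg)) and c["exception"]:
            name = f.group(1).rstrip(".")          # pasted frames may end in "."
            if c["thrown_in"] is None:
                c["thrown_in"] = name              # innermost frame
            if c["app_frame"] is None and not name.startswith(("iaik.", "java.")):
                c["app_frame"] = f"{name} ({f.group(2)})"
    return conns

def failed_handshakes(log_text):  # ids with an exception or a fatal alert
    return [cid for cid, c in summarize(log_text).items()
            if c["exception"] or (c["alert"] and c["alert"][0] == "Fatal")]
```
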

Hi Yogesh,

what is your exact IS version number?

What is your java version?

Are there any fixes applied to the IS?

Please check if you have an IS Core Fix applied that covers PIE-34054, which handles sslv3 POODLE issue.

Can you provide us the output of “openssl version”?

Regards,
Holger

Test with a browser (Chrome); it will normally choose the highest version of TLS/SSL, so you can verify that TLS 1.0 is being used and working.

It’s very likely an incompatibility issue between openssl and IS.

Hello Thomsen,

Please find the below answers:

what is your exact IS version number? – 8.2.2.0

What is your java version? – 1.6.0_27 (50.0)

Are there any fixes applied to the IS? – Yes

Please check if you have an IS Core Fix applied that covers PIE-34054, which handles sslv3 POODLE issue. – IS_8.2_SP2_Core_Fix7

Can you provide us the output of “openssl version”? – I have tried with the below openssl versions
openssl-1.0.1c
openssl-1.0.1e
openssl-1.0.1e
openssl-1.0.1g
openssl-1.0.1h

Thanks,
Yogesh

Hi Yogesh,

please check if you have SCG_8.2_SP2_Entrust_Fix4 applied to your IS.

If not, please apply it.

Most likely you are hitting the following issue (extracted from Readme of the mentioned Fix):


PIE-33369
Integration Server fails during TLSv1.0 SSL handshake. 

Integration Server does not accept TLSv1.0 connections which forced
the clients to use SSLv3.0. 

This issue is resolved.

Regards,
Holger

Hello Thomsen,

I can see only the below fix in the list.

SCG_8.2_SP2_Entrust_Fix3

Will it resolve the issue ?

Hi Yogesh,

do you mean the list of installed Fixes from SUM?

Unfortunately the issue is resolved with SCG_8.2_SP2_Entrust_Fix4, but not with SCG_8.2_SP2_Entrust_Fix3.

As 8.2 is in EOM-state it might be worth considering an upgrade to one of the recent wM 9.x versions.

Regards,
Holger

Hello Thomsen,

I mean the list of fixes from Empower which I can install.

Also, we have already moved to webMethods version 9.10, but some interfaces are still running on version 8.2 and we want to fix this issue in 8.2 only.

Regards,
Yogesh

Hi Yogesh,

then this is bad luck.

As long as you do not have an extended maintenance agreement for 8.2 in place you might not get any support for 8.2.
Due to this fact this might be the reason that you cannot see the fix.

Link to the fix in Empower:
https://empower.softwareag.com/sl24sec/SecuredServices/KCFullTextASP/viewing/view.asp?key=523007-10908889&DST=UPDATE

Regards,
Holger

Hello Thomsen,

Unfortunately we don’t have any extended agreement for 8.2.

Also, I am not sure what is wrong, because Fix4 is not available to install in SUM, but when I click on “Available Fixes” in SUM then I can see Fix4 in the list.

Anyway, I appreciate the help which you have provided… will see another way (if there is any)

Regards,
Yogesh

Hi Yogesh,

can you share the screenshot of your fix list from SUM?

When you say that you can see the Fix in the list of available Fixes, can you try to select it and apply it to your installation?

Regards,
Holger