SSL Error : handshake alert: unrecognized_name

Maxime_Antoine · January 9, 2017, 1:02pm

Hello,

I would like to recover some data from HTTPS url.
I build a Flow Service which use “pub.client.http” to connect.
I have also add the client certificate in IS server which i had from the website.
The problem is when i execute my flow service i have this message :

[b]com.wm.app.b2b.server.ServiceException: java.io.IOException: javax.net.ssl.SSLProtocolException: handshake alert:  unrecognized_name[/b]

I built an independant program in Eclipse which do the same things.
I succeeded to connect to my HTTPS url.
I have read somewhere that, we must change a properties on IS server like this :

java -Djsse.enableSNIExtension=false yourClass

But i don’t know where to change this property ? In which files ?

Somebody can help me ?

Thank you in advance.

Holger_von_Thomsen · January 9, 2017, 7:07pm

Hi Maxime,

what is your wM Version?

Which Java-Version are you running?

Additionally provide the List of Fixes appliead to IS (esp. IS_Core and SCG_Entrust).

You might be hitting a server which already suppresses SSLv3 and only allows certain TLS-levels.

Can you provide your Extended Settings like these:


watt.net.jsse.client.enabledProtocols=TLSv1,TLSv1.1,TLSv1.2
watt.net.jsse.server.enabledProtocols=TLSv1,TLSv1.1,TLSv1.2
watt.net.ssl.client.handshake.minVersion=tls
watt.net.ssl.client.handshake.maxVersion=tls
watt.net.ssl.server.handshake.minVersion=tls
watt.net.ssl.server.handshake.maxVersion=tls

Please note that TLSv1.1 and TLSv1.2 will only work with JVM 7 and newer and only when the target server port is configured to use JSSE instead of Entrust. Entrust is the default for most recent webMethods versions.

Regards,
Holger

Maxime_Antoine · January 10, 2017, 8:20am

Hello Holger,
Thanks for your reply.

My wM version (see the 2nd attachment)
My Java version : Java Version 1.8.0_91 (52.0)

My extended settings of wM server :

watt.net.jsse.client.enabledProtocols=TLSv1,TLSv1.1,TLSv1.2
watt.net.jsse.server.enabledProtocols=TLSv1,TLSv1.1,TLSv1.2
watt.net.ssl.client.handshake.minVersion=tls
watt.net.ssl.client.handshake.maxVersion=tls
watt.net.ssl.server.handshake.minVersion=tls
watt.net.ssl.server.handshake.maxVersion=tls
watt.net.ssl.client.cipherSuiteList=default
watt.ssl.iaik.debug=true

My port configuration (see the 1st attachment)

Holger_von_Thomsen · January 10, 2017, 1:28pm

Hi Maxime,

SCG_Entrust Fix is only visible in SUM under list of installed Fixes.

Is this an incoming or outgoing connection which is having the issue?

Regards,
Holger

Maxime_Antoine · January 10, 2017, 2:40pm

Hi Holger,
Here the list of fixes installed on wM ( see the attachment).

This is for an outgoing connection.
ListFix.txt (2.95 KB)

rmg · January 10, 2017, 3:37pm

Maxime,

By any chance in the http service did you set useJSSE to true and trying to attempt the https call?

HTH,
RMG

Maxime_Antoine · January 10, 2017, 4:56pm

Hi rmg,
Thanks for your reply.
I set value of UseJSSE at true for pub.client.http
With a basic program in java which run on my computer (no on the server) i have no problem…

Here a sample of my code :

URL url;
		String targetURL = TARGET_URL;
		System.setProperty("jsse.enableSNIExtension", "false");
        System.setProperty("sun.security.ssl.allowUnsafeRenegotiation", "true");  
		url = new URL(targetURL);
		KeyStore ks = KeyStore.getInstance("PKCS12");
		FileInputStream fis = new FileInputStream(CERTIFACATE_FILE);
		ks.load(fis, CERTIFACATE_PASS.toCharArray());
		KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
		kmf.init(ks, CERTIFACATE_PASS.toCharArray());
		SSLContext sc = SSLContext.getInstance("TLS");
		sc.init(kmf.getKeyManagers(), null, null);
		
		HttpsURLConnection con = (HttpsURLConnection) url.openConnection();					
		
		if (con instanceof HttpsURLConnection) {
		    ((HttpsURLConnection)con)
		         .setSSLSocketFactory(sc.getSocketFactory());
		}
		
		/*add Request header*/
		con.setRequestMethod("POST");
		con.setRequestProperty("User-Agent", USER_AGENT);
		// Send post request
		con.setDoOutput(true);	
		
		DataOutputStream wr = new DataOutputStream(con.getOutputStream());
		wr.writeBytes(URL_PARAMETERS);
		wr.flush();
		wr.close();
		
		BufferedReader in = new BufferedReader(
		        new InputStreamReader(con.getInputStream()));
		String inputLine;
		StringBuffer response = new StringBuffer();

		while ((inputLine = in.readLine()) != null) {
			response.append(inputLine);
		}

Holger_von_Thomsen · January 10, 2017, 5:25pm

Hi,

might it be that the server to which you are trying to connect to is not using JSSE for his HTTPS-Port?

The Java-Property can be added to the profiles/IS/configuration/custom_wrapper.conf to the property JAVA_CUSTOM_OPTS.

Regards,
Holger

Maxime_Antoine · January 11, 2017, 8:56am

I add JAVA_CUSTOM_OPTS in this parts of custom_wrapper.conf (see the 1st attachment), that is correct ?.
Nothing change after a restart of IS
The only i can say is with my java program when i remove this line
System.setProperty(“jsse.enableSNIExtension”, “false”); , i have the same error as on the wM Server :

Exception in thread “main” javax.net.ssl.SSLProtocolException: handshake alert: unrecognized_name

My client provide me a certificate in PKCS12 format.

Holger_von_Thomsen · January 11, 2017, 3:45pm

Hi Maxime,

this one is for MWS.

There should be another one for IntegtrationServer.

Regards,
Holger

Maxime_Antoine · January 12, 2017, 2:14pm

Hi Holger,
I found the IS directory and i add JAVA_CUSTOM_OPTS but it’s change nothing

Holger_von_Thomsen · January 12, 2017, 3:19pm

Hi Maxime,

under IntegrationServer/bin there should be a setenv.{bat|sh} file.

Can you update this one too?

Regards,
Holger

Maxime_Antoine · January 12, 2017, 3:42pm

Holger,
I try to set JAVA_CUSTOM_OPTS in setenv.bat.
But still the same error

Holger_von_Thomsen · January 12, 2017, 4:17pm

Hi Maxime,

please add some double quotes around the value.

Additional question:
Are yoou running the server as application or service?

When running as a service you must update the service definition.
See Adminnistration Guide for details.

Regards,
Holger

Maxime_Antoine · January 13, 2017, 8:26am

Hi Holger
I run server as windows service.
When i want to update the service, i have this message (1st attachment).
I don’t find official documentations on how to restart application service.

Holger_von_Thomsen · January 13, 2017, 1:17pm

Hi Maxime,

please use the startup.bat under IntegrationServer/bin with parameter “-service” for updating the service definition.

Regards,
Holger

Maxime_Antoine · January 13, 2017, 4:45pm

Holger, so the command is :

startup.bat -service “servicename” update ?

Holger_von_Thomsen · January 16, 2017, 10:06am

Hi Maxime,

should be worth a try.

Can you check the IS Administrators Guide for your wM Version?

As wM 9.12 no longer has Win32-Bit Support this might have changed compared to earlier versions.

Regards,
Holger

Maxime_Antoine · January 17, 2017, 10:32am

I check documentation for my wM version 9.10. I don’t find how to update IS service …