webMethods 9.10 TLS 1.2 configuration problem

We tested version 9.10 with JDK 1.8. Sending a message through TN using the TLS 1.2 protocol fails with "Alert Fatal: handshake failure".
When using the TLS 1.0 protocol, messages can be sent and received correctly. Who knows where the problem is?

Extended Setting:

watt.config.systemProperties=javax.net.debug=ssl
watt.net.jsse.client.enabledCipherSuiteList=default
watt.net.jsse.client.enabledProtocols=TLSv1.2
watt.net.jsse.server.enabledCipherSuiteList=default
watt.net.jsse.server.enabledProtocols=TLSv1.2
watt.net.ssl.client.cipherSuiteList=default
watt.net.ssl.client.strongcipheronly=false
watt.net.ssl.server.cipherSuiteList=default
watt.net.ssl.server.strongcipheronly=false
watt.net.ssl.client.handshake.minVersion=tls
watt.ssl.iaik.debug=true
watt.net.ssl.client.useJSSE=true

Debug logs:

INFO | jvm 1 | 2017/04/18 14:30:39 | ssl_debug(1): Starting handshake (iSaSiLk 3.03)…
INFO | jvm 1 | 2017/04/18 14:30:39 | ssl_debug(1): Remote client:10.147.139.137:443, Timestamp:Tue Apr 18 14:30:39 CST 2017
INFO | jvm 1 | 2017/04/18 14:30:39 | ssl_debug(1): Sending secure renegotiation cipher suite
INFO | jvm 1 | 2017/04/18 14:30:39 | ssl_debug(1): Sending v3 client_hello message, requesting version 3.1…
INFO | jvm 1 | 2017/04/18 14:30:39 | ssl_debug(1): Received alert message: Alert Fatal: handshake failure
INFO | jvm 1 | 2017/04/18 14:30:39 | ssl_debug(1): SSLException while handshaking: Peer sent alert: Alert Fatal: handshake failure
INFO | jvm 1 | 2017/04/18 14:30:39 | ssl_debug(1): Shutting down SSL layer…
INFO | jvm 1 | 2017/04/18 14:30:39 | ssl_debug(1): Closing transport…

INFO | jvm 1 | 2017/04/18 15:47:17 | http-bio-8074-exec-2, received EOFException: error
INFO | jvm 1 | 2017/04/18 15:47:17 | http-bio-8074-exec-2, handling exception: javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
INFO | jvm 1 | 2017/04/18 15:47:17 | http-bio-8074-exec-2, SEND TLSv1.2 ALERT: fatal, description = handshake_failure
INFO | jvm 1 | 2017/04/18 15:47:17 | http-bio-8074-exec-2, WRITE: TLSv1.2 Alert, length = 2
INFO | jvm 1 | 2017/04/18 15:47:17 | http-bio-8074-exec-2, called closeSocket()
INFO | jvm 1 | 2017/04/18 15:47:17 | http-bio-8074-exec-2, IOException in getSession(): javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
INFO | jvm 1 | 2017/04/18 15:47:17 | http-bio-8074-exec-2, called close()
INFO | jvm 1 | 2017/04/18 15:47:17 | http-bio-8074-exec-2, called closeInternal(true)

1 Like

Sounds like a certificate issue to me. Make sure the required keys (public key) are added to the keystores/truststores.

Hello Sherry,

From the error message it looks like your target system is not accepting TLS 1.2.

Can you please check once?

Thanks,
Yogesh

Hi,

please note that TLS v1.1 and TLS v1.2 are only available when using JSSE for inbound or outbound connections.

When JSSE is not used only TLS v1.0 will be available.

This is due to the fact that the properties watt.net.ssl.client.handshake.minVersion=tls and watt.net.ssl.client.handshake.maxVersion=tls will both use TLS v1.0. The underlying Entrust library is not yet aware of the newer TLS v1.1 and TLS v1.2 protocol versions.

Addendum: please check the following wiki article:
https://techcommunity.softwareag.com/pwiki/-/wiki/Main/Debugging+TLS+SSL+connections+in+Integration+Server

This explains how to debug and which versions are supported by each library (Entrust IAIK or JSSE):
https://techcommunity.softwareag.com/pwiki/-/wiki/Main/Debugging+TLS+SSL+connections+in+Integration+Server

Regards,
Holger

2 Likes
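As an added diagnostic (not from the thread, nor Software AG code), the following Python parser reads debug lines in the two formats quoted above (IAIK/iSaSiLk "ssl_debug" and JSSE "http-bio-…") and reports which library performed the handshake and which protocol version the client actually offered. The "requesting version 3.1" in the first log is TLS record-layer numbering for TLS 1.0 (3.3 would be TLS 1.2), which is the point Holger makes about the Entrust stack. The sample lines are constructed after the thread's logs.

```python
import re

# Constructed sample lines modelled on the iSaSiLk (IAIK) and JSSE debug output
# quoted in this thread; they are not copied from a live system.
SAMPLE_LOG = """\
INFO | jvm 1 | 2017/04/18 14:30:39 | ssl_debug(1): Starting handshake (iSaSiLk 3.03)...
INFO | jvm 1 | 2017/04/18 14:30:39 | ssl_debug(1): Sending v3 client_hello message, requesting version 3.1...
INFO | jvm 1 | 2017/04/18 14:30:39 | ssl_debug(1): Received alert message: Alert Fatal: handshake failure
INFO | jvm 1 | 2017/04/18 15:47:17 | http-bio-8074-exec-2, SEND TLSv1.2 ALERT: fatal, description = handshake_failure
"""

# TLS record-layer version numbers as printed in the IAIK "requesting version X.Y" line.
RECORD_VERSIONS = {"3.0": "SSLv3", "3.1": "TLSv1.0", "3.2": "TLSv1.1",
                   "3.3": "TLSv1.2", "3.4": "TLSv1.3"}

IAIK_START = re.compile(r"ssl_debug\(\d+\): Starting handshake \((iSaSiLk [\d.]+)\)")
IAIK_HELLO = re.compile(r"ssl_debug\(\d+\): Sending v3 client_hello message, requesting version (\d\.\d)")
# First alternative: IAIK wording; second: JSSE wording of a fatal alert.
ALERT = re.compile(r"Alert Fatal: (.+)$|ALERT: fatal, description = (\w+)")


def analyse(log_text, required="TLSv1.2"):
    """Return which stack ran the handshake, what it offered, and the alerts seen."""
    findings = {"library": None, "offered": None, "alerts": [], "meets_requirement": None}
    for line in log_text.splitlines():
        m = IAIK_START.search(line)
        if m:
            findings["library"] = m.group(1)
        m = IAIK_HELLO.search(line)
        if m:
            findings["offered"] = RECORD_VERSIONS.get(m.group(1), "unknown " + m.group(1))
        m = ALERT.search(line)
        if m:
            findings["alerts"].append((m.group(1) or m.group(2)).strip())
    if findings["offered"] is not None:
        # Compare the version the client really sent against the version the admin configured.
        findings["meets_requirement"] = findings["offered"] == required
    return findings


if __name__ == "__main__":
    result = analyse(SAMPLE_LOG)
    print(result)
    if result["library"] and result["library"].startswith("iSaSiLk") and not result["meets_requirement"]:
        print("Handshake ran through the IAIK/Entrust stack, which offered", result["offered"],
              "- TLS 1.1/1.2 are only available on the JSSE path (see Holger's reply).")
```

The check on `meets_requirement` is the quick way to tell a protocol-version mismatch from a certificate problem: a client_hello that never offers TLS 1.2 cannot be fixed by adjusting truststores.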

The keystores/truststores configuration is correct, because sending with TLS 1.0 succeeds.

I deleted all the iaik-related settings; otherwise the following error was reported. Why is iaik enabled?

Delivery service for 5972sa00bf6ora5m0000000q failed with a status of fail and status message of ERROR iaik.security.ssl.SSLException: Peer sent alert: Alert Fatal: handshake failure

SSL logs:

INFO | jvm 5 | 2017/05/03 17:09:22 | Allow unsafe renegotiation: false
INFO | jvm 5 | 2017/05/03 17:09:22 | Allow legacy hello messages: true
INFO | jvm 5 | 2017/05/03 17:09:22 | Is initial handshake: true
INFO | jvm 5 | 2017/05/03 17:09:22 | Is secure renegotiation: false
INFO | jvm 5 | 2017/05/03 17:09:22 | http-bio-8074-Acceptor-0, setSoTimeout(60000) called
INFO | jvm 5 | 2017/05/03 17:09:22 | Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1
INFO | jvm 5 | 2017/05/03 17:09:22 | Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 for TLSv1
INFO | jvm 5 | 2017/05/03 17:09:22 | Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for TLSv1
INFO | jvm 5 | 2017/05/03 17:09:22 | Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1
INFO | jvm 5 | 2017/05/03 17:09:22 | Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 for TLSv1
INFO | jvm 5 | 2017/05/03 17:09:22 | Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for TLSv1
INFO | jvm 5 | 2017/05/03 17:09:22 | Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for TLSv1
INFO | jvm 5 | 2017/05/03 17:09:22 | Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
INFO | jvm 5 | 2017/05/03 17:09:22 | Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
INFO | jvm 5 | 2017/05/03 17:09:22 | Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for TLSv1.1
INFO | jvm 5 | 2017/05/03 17:09:22 | Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
INFO | jvm 5 | 2017/05/03 17:09:22 | Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
INFO | jvm 5 | 2017/05/03 17:09:22 | Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for TLSv1.1
INFO | jvm 5 | 2017/05/03 17:09:22 | Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for TLSv1.1
INFO | jvm 5 | 2017/05/03 17:09:22 | http-bio-8074-exec-23, received EOFException: error
INFO | jvm 5 | 2017/05/03 17:09:22 | http-bio-8074-exec-23, handling exception: javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
INFO | jvm 5 | 2017/05/03 17:09:22 | http-bio-8074-exec-23, SEND TLSv1.2 ALERT: fatal, description = handshake_failure
INFO | jvm 5 | 2017/05/03 17:09:22 | http-bio-8074-exec-23, WRITE: TLSv1.2 Alert, length = 2
INFO | jvm 5 | 2017/05/03 17:09:22 | http-bio-8074-exec-23, called closeSocket()
INFO | jvm 5 | 2017/05/03 17:09:22 | http-bio-8074-exec-23, IOException in getSession(): javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
INFO | jvm 5 | 2017/05/03 17:09:22 | http-bio-8074-exec-23, called close()
INFO | jvm 5 | 2017/05/03 17:09:22 | http-bio-8074-exec-23, called closeInternal(true)

Extended Settings:

watt.config.systemProperties=javax.net.debug=ssl
watt.net.jsse.client.enabledCipherSuiteList=default
watt.net.jsse.client.enabledProtocols=TLSv1.2
watt.net.jsse.server.enabledCipherSuiteList=default
watt.net.jsse.server.enabledProtocols=TLSv1.2
watt.net.ssl.client.useJSSE=true