WAS 8.5.5 + Worklight 6.1 and TLS 1.2 in hybrid application - ssl

We are migrating to WAS 8.5.5 and TLS 1.2 and are observing some unexpected problems.
The inputs are:
Worklight 6.1.0.1
WAS 8.5.5.9 + SDK Java 8
WAS is switched to TLS 1.2 (following this guide
https://developer.ibm.com/answers/questions/206952/how-do-i-configure-websphere-application-server-ss.html)
Application is Hybrid
When we use application via web emulator - it works fine.
When we use it from hardware device (Android or iOS) via IMC - we get exception that says
"client" uses TLS 1.1
server uses TLS 1.2
error of HTTPS handshake
It's not clear what is "client" in that case and why it uses TLS v1.1.
iOS device (iPhone) web browser is TLS 1.2 enabled - can open HTTPS links with TLS 1.2 protocol.
Here is full stack trace from SystemOut.log
[6/14/16 11:16:32:197 EDT] 000000b2 SSLHandshakeE E SSLC0008E: Unable to initialize SSL connection. Unauthorized access was denied or security settings have expired. Exception is javax.net.ssl.SSLHandshakeException: Client requested protocol TLSv1.1 not enabled or not supported
at com.ibm.jsse2.C.z(C.java:532)
at com.ibm.jsse2.ap.b(ap.java:476)
at com.ibm.jsse2.ap.c(ap.java:112)
at com.ibm.jsse2.ap.wrap(ap.java:277)
at javax.net.ssl.SSLEngine.wrap(SSLEngine.java:21)
at com.ibm.ws.ssl.channel.impl.SSLUtils.handleHandshake(SSLUtils.java:748)
at com.ibm.ws.ssl.channel.impl.SSLConnectionLink.readyInbound(SSLConnectionLink.java:567)
at com.ibm.ws.ssl.channel.impl.SSLConnectionLink.ready(SSLConnectionLink.java:296)
at com.ibm.ws.tcp.channel.impl.NewConnectionInitialReadCallback.sendToDiscriminators(NewConnectionInitialReadCallback.java:214)
at com.ibm.ws.tcp.channel.impl.NewConnectionInitialReadCallback.complete(NewConnectionInitialReadCallback.java:113)
at com.ibm.ws.tcp.channel.impl.AioReadCompletionListener.futureCompleted(AioReadCompletionListener.java:175)
at com.ibm.io.async.AbstractAsyncFuture.invokeCallback(AbstractAsyncFuture.java:217)
at com.ibm.io.async.AsyncChannelFuture$1.run(AsyncChannelFuture.java:205)
at com.ibm.ws.util.ThreadPool$Worker.run(ThreadPool.java:1881)
Caused by: javax.net.ssl.SSLHandshakeException: Client requested protocol TLSv1.1 not enabled or not supported
at com.ibm.jsse2.j.a(j.java:31)
at com.ibm.jsse2.ap.a(ap.java:11)
at com.ibm.jsse2.C.a(C.java:342)
at com.ibm.jsse2.C.a(C.java:100)
at com.ibm.jsse2.E.a(E.java:140)
at com.ibm.jsse2.E.a(E.java:813)
at com.ibm.jsse2.C.r(C.java:44)
at com.ibm.jsse2.C$b.a(C$b.java:2)
at com.ibm.jsse2.C$b.run(C$b.java:3)
at java.security.AccessController.doPrivileged(AccessController.java:686)
at com.ibm.jsse2.C$c.run(C$c.java:11)
at com.ibm.ws.ssl.channel.impl.SSLUtils.handleHandshake(SSLUtils.java:835)
... 8 more
I have no idea what our next steps should be.
Any help will be much appreciated.

Seems pretty clear that TLSv1.2-only is too aggressive for your clients. In terms of WAS config, "ssl_tlsv2" is probably the best you can do.

IMC was causing it. Had to configure it to start using TLS v1.2

Related

MQTT Error BR_ERR_BAD_VERSION on Shelly 1PM with Tasmota

I try to connect a Shelly 1 PM smart power relay to a managed MQTT broker.
The firmware on the device is a custom-built Tasmota 8.3.1 from the dev branch with USE_MQTT_TLS enabled. The port is set correctly to 8883 for TLS and the broker service is running at mqtt.bosch-iot-hub.com
When the device boots up, I can see the log messages on the serial port as follows:
23:03:03 MQT: Connect failed to mqtt.bosch-iot-hub.com:8883, rc 4. Retry in 10 sec
23:03:14 MQT: Attempting connection...
23:03:14 MQT: TLS connection error: 0
Return Code 4 is, according to the Tasmota documentation (https://tasmota.github.io/docs/TLS/), the code for BR_ERR_BAD_VERSION
And this error constant seems to be from BearSSL and means "Incoming record version does not match the expected version." (according to http://sources.freebsd.org/HEAD/src/contrib/bearssl/tools/errors.c)
Using an online TLS testing tool and checking mqtt.bosch-iot-hub, it supports only TLS 1.2 (1.3, 1.1 and 1.0 being disabled as well as SSLv2 and SSLv3). BearSSL website states that it supports TLS 1.2
I tried setting the log level of Tasmota in my_user_config.h , but it does not log any more verbose or detailed information.
#define SERIAL_LOG_LEVEL LOG_LEVEL_DEBUG_MORE // [SerialLog] (LOG_LEVEL_NONE, LOG_LEVEL_ERROR, LOG_LEVEL_INFO, LOG_LEVEL_DEBUG, LOG_LEVEL_DEBUG_MORE)
What is the error message supposed to mean? Is it a TLS incompatibility of the BearSSL stack or on the service side?
How can I enable verbose logging on Tasmota to see detailed TLS handshake information?
Anything else I am missing?
I appreciate after 6 months the question may have been a little expired, however the error code is not the TLS one as you describe, but rather the return code for the MQTT connection, as described in
https://tasmota.github.io/docs/MQTT/#return-codes-rc
which means your error code corresponds to
4 MQTT_CONNECT_BAD_CREDENTIALS the username/password were rejected

MQSC_UNSUPPORTED_CIPHER_SUITE on WAS7/8 for tls_rsa_with_aes_128_cbc_sha256

trying to set up Queue Connection factory on WAS 7 and 8.5.5 with SSL
MQ channel cipherspec is tls_rsa_with_aes_128_cbc_sha256.
but whenever I try specifying the respective suite on WAS as ssl_rsa_with_aes_128_cbc_sha256 , I get a MQSC_UNSUPPORTED_CIPHER_SUITE.
cipher tls_rsa_with_aes_128_cbc_sha works just fine .( not SHA256 )
I have tried enabling TLSv1.2 on WAS.
tried installing unrestricted jars as well.
what am I missing ?? looking forward to hear ..
-AJ
WebSphere Application Server (WSAS) V7.0 ships the WebSphere MQ V7.0.1 JCA Resource Adapter (WMQ RA).
The V7.0.1 MQ RA does not support the TLS CipherSuite:
SSL_RSA_WITH_AES_128_CBC_SHA256
This is why your application is getting an exception with the MQ reason code, MQRC_UNSUPPORTED_CIPHER_SUITE, when using WSAS V7.0.
WSAS V8.5.5 on the other hand ships the WMQ V7.1 RA and support for the above CipherSuite was added in the V7.1.0.3 Fix Pack release. WSAS V8.5.5.2 ships the MQ V7.1.0.4 RA so this version or later should have the capability to use the SSL_RSA_WITH_AES_128_CBC_SHA256 Java CipherSuite.

VB.NET Web Service connection impossible : "Could not create SSL/TLS secure channel"

I am trying to connect to a web service which is written in Java language on the server side. My program is written in VB.NET 4.0 on the client side.
When I try to call any methods from the web service I receive the following error message :
WS-Metadata Exchange Error URI: [http://...] Metadata contains a reference that cannot be resolved. The request was aborted: Could not create SSL/TLS secure channel
I am using a certificate to connect to the web service, however it seems that the problem is on the communication level between my host machine (client) and the server. The certificate I am using has never been checked as the client and the server cannot even communicate.
I have tried to set the security protocol to "SSLv3" or "TLS12" but it didn't help. Thank you in advance for any suggestions.
Also I should mention that I managed to connect to this web service using a Java class. It seems that when the client side is written in Java it works but when it's in VB.NET it doesn't work.
P. HAB
EDITED :
I used "Wireshark" to discover the HTTPS packets which are sent and received by my program, here what I found in the transmitted packets :
Request by the client :
Secure Sockets Layer
TLSv1 Record Layer: Handshake Protocol: Client Hello
Content Type: Handshake (22)
Version: TLS 1.0 (0x0301)
Length: 140
Handshake Protocol: Client Hello
Handshake Type: Client Hello (1)
Length: 136
Version: TLS 1.0 (0x0301)
Random
Session ID Length: 0
Cipher Suites Length: 24
Cipher Suites (12 suites)
Compression Methods Length: 1
Compression Methods (1 method)
Extensions Length: 71
Extension: server_name
Extension: elliptic_curves
Extension: ec_point_formats
Extension: Extended Master Secret
Extension: renegotiation_info
Response from the server :
Secure Sockets Layer
TLSv1 Record Layer: Alert (Level: Fatal, Description: Handshake Failure)
Content Type: Alert (21)
Version: TLS 1.0 (0x0301)
Length: 2
Alert Message
Level: Fatal (2)
Description: Handshake Failure (40)
I have tried to change the security protocol to different versions of SSL/TLS but it changed nothing. My client tries to send a "Client hello" with standard values (no user-customized parameters were specified) but the server is not accepting it. Any suggestions ?
Solution found :
The problem is in fact related to the Cipher suites and specially the RC4 algorithm. Actually my client is written in VB.NET 4.0 and in this version of .NET the deprecated RC4 algorithm is still supported and proposed by the .NET framework to any Web server during the "Hello Client" (Handshake) process.
The only presence of the RC4 cipher suites in the supported list of the cipher suites by my client was making the server to abort the connection with the following error message : "The request was aborted: Could not create SSL/TLS secure channel"
So I had to deactivate the RC4 cipher suites on my client machine by going in the system registry using regedit.exe and add the following key to these two specified paths :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319
"SchUseStrongCrypto"=dword:00000001
And
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319
"SchUseStrongCrypto"=dword:00000001
After restarting the client machine I was able to connect to the web service successfully.
For more information about the deprecated RC4 algorithms :
https://technet.microsoft.com/en-us/library/security/2960358.aspx
=> Also you should notice that this problem exists only in .NET 4.0-4.5. From the version 4.6 and above its working fine.
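The two records in the Wireshark capture above (ClientHello, then a fatal alert) can also be decoded straight from raw bytes to see which protocol version and cipher suites a client offers. This is an added example, not code from the original post; parse_record, build_client_hello and the sample bytes are constructed for illustration, and the sample hello carries 6 suites rather than the 12 in the capture.

```python
import struct

# Subset of IANA cipher-suite code points, enough for the constructed sample below.
SUITES = {
    0x0004: "TLS_RSA_WITH_RC4_128_MD5", 0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA", 0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0xC013: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", 0xC014: "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
}
VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}
ALERTS = {40: "handshake_failure", 70: "protocol_version"}

def parse_record(data: bytes) -> dict:
    """Decode one TLS record holding a ClientHello (type 22) or an alert (type 21)."""
    if len(data) < 5:
        raise ValueError("truncated record header")
    ctype, rec_ver, length = struct.unpack("!BHH", data[:5])
    body = data[5:5 + length]
    if len(body) != length:
        raise ValueError("truncated record body")
    out = {"record_version": VERSIONS.get(rec_ver, hex(rec_ver))}
    if ctype == 21 and length >= 2:        # alert body: level, description
        out.update(kind="alert", fatal=(body[0] == 2),
                   description=ALERTS.get(body[1], str(body[1])))
        return out
    if ctype != 22 or not body or body[0] != 1:
        raise ValueError("not a ClientHello or alert")
    hello_ver, = struct.unpack("!H", body[4:6])
    pos = 4 + 2 + 32                       # handshake header, version, random
    pos += 1 + body[pos]                   # skip session id
    n, = struct.unpack("!H", body[pos:pos + 2])
    codes = struct.unpack("!%dH" % (n // 2), body[pos + 2:pos + 2 + n])
    names = [SUITES.get(c, "0x%04X" % c) for c in codes]
    out.update(kind="client_hello", hello_version=VERSIONS.get(hello_ver, hex(hello_ver)),
               suites=names, rc4_offered=[s for s in names if "RC4" in s])
    return out

def build_client_hello(version: int, codes: list) -> bytes:
    """Build a minimal ClientHello (no extensions) to serve as constructed sample input."""
    suites = struct.pack("!%dH" % len(codes), *codes)
    hs = struct.pack("!H", version) + bytes(32) + b"\x00"
    hs += struct.pack("!H", len(suites)) + suites + b"\x01\x00"
    hs = b"\x01" + len(hs).to_bytes(3, "big") + hs
    return struct.pack("!BHH", 22, version, len(hs)) + hs

# Constructed sample input: a TLS 1.0 hello that still offers RC4, and the server's reply.
SAMPLE_HELLO = build_client_hello(0x0301, [0xC014, 0xC013, 0x0035, 0x002F, 0x0005, 0x0004])
SAMPLE_ALERT = bytes.fromhex("1503010002" "0228")  # fatal handshake_failure (40)
```

Feeding it the first record of a failing connection shows whether the client's highest offered version or an RC4 entry in its suite list is what the server refuses.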

SSLITE ERROR - using Websphere and calling a webservice with apache client 3.x

I do not understand the origin of this issue:
com.ibm.sslite.d: reason=2; alert=40; exception=null
It happens when i call:
int statusCode = httpClient.executeMethod(method);
It might be related to the SSL protocol and maybe websphere is quite old and incompatible.
12:56:46 [sid=] [uid=] [oid=] - ERROR com.darty.ecom.frontoffice.newespaceclient.core.service.cev.CevProxyConnection - CEV > STACK TRACE >
com.ibm.sslite.d: reason=2; alert=40; exception=null
at com.ibm.sslite.m.a(m.java:50)
at com.ibm.sslite.t.b(t.java:113)
at com.ibm.sslite.t.a(t.java:43)
at com.ibm.sslite.a.read(a.java:7)
at com.ibm.jsse.a.read(Unknown Source)
at java.io.BufferedInputStream.fill(BufferedInputStream.java:200)
at java.io.BufferedInputStream.read(BufferedInputStream.java:218)
at org.apache.commons.httpclient.HttpParser.readRawLine(HttpParser.java:77)
at org.apache.commons.httpclient.HttpParser.readLine(HttpParser.java:105)
at org.apache.commons.httpclient.HttpConnection.readLine(HttpConnection.java:1115)
at org.apache.commons.httpclient.MultiThreadedHttpConnectionManager$HttpConnectionAdapter.readLine(MultiThreadedHttpConnectionManager.java:1373)
at org.apache.commons.httpclient.HttpMethodBase.readStatusLine(HttpMethodBase.java:1832)
at org.apache.commons.httpclient.HttpMethodBase.readResponse(HttpMethodBase.java:1590)
at org.apache.commons.httpclient.HttpMethodBase.execute(HttpMethodBase.java:995)
at org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(HttpMethodDirector.java:397)
at org.apache.commons.httpclient.HttpMethodDirector.executeMethod(HttpMethodDirector.java:170)
at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:396)
at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:324)
at com.darty.ecom.frontoffice.newespaceclient.core.service.cev.CevProxyConnection.executeMethod(CevProxyConnection.java:137)
the same error in the integration environment is a little different and says:
javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
That means the server-side sent a TLS alert telling you the handshake failed. (alert#40) You'll need to debug the why on the server -- maybe it requires TLS client authentication, maybe your client only uses ancient protocols/ciphers or vice versa.

IIS - WCF 4.0 Calling Java (Could not establish secure channel for SSL/TLS)

I'm running into a bit of a problem with my WCF service that is trying to talk to a Java Web Service.
I have an ASP.Net MVC front end that is talking to a WCF service over HTTP. The WCF service then talks to a JAVA web service over HTTPS utilising mutual authentication of certificates. The problem currently is that I am getting the following error when the WCF service tries to call the JAVA backend:
Could not establish secure channel for SSL/TLS
On the Java side, I am running JBOSS, with SSL3 and TLS ciphers for the SSL only. The error I have on that end is:
21:49:48,701 INFO [STDOUT] http-0.0.0.0-8543-2, WRITE: TLSv1 Handshake, length = 1514
21:49:49,499 INFO [STDOUT] http-0.0.0.0-8543-2, received EOFException: error
21:49:49,499 INFO [STDOUT] http-0.0.0.0-8543-2, handling exception: javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
21:49:49,507 INFO [STDOUT] http-0.0.0.0-8543-2, SEND TLSv1 ALERT: fatal, description = handshake_failure
21:49:49,507 INFO [STDOUT] http-0.0.0.0-8543-2, WRITE: TLSv1 Alert, length = 2
21:49:49,507 INFO [STDOUT] http-0.0.0.0-8543-2, called closeSocket()
21:49:49,508 INFO [STDOUT] http-0.0.0.0-8543-2, called close()
As I'm using mutual authentication of certs, my first port of call was bad certificate. So I have opened up the service wsdl page (also requires authentication of cert), and everything is ok. My Certificates are fine and trusted.
I then started thinking that maybe the cert is not getting put on the service call. So I created a console app that calls the Java service with the same certificate (looked up via an endpoint behaviour in the config file). Lo and behold, this works fine, and the service response data is shown on the screen.
So that leaves me thinking that there is something in IIS that is stopping the SSL channel being opened, and this is where I need a bit of help really.
My IIS is version 7.0 running on Windows Server 2008 R2. The service is running on .Net 4.
(One thing I should point out was that my console app was running .Net v3.5 not v4.)
I have dabbled a bit in the SCHANNEL settings, but don't really know which settings should be enabled, and which should be disabled.
Currently I have:
TLS 1.0/Server/Enabled = 1
SSL 3.0/Server/Enabled = 1
SSL 2.0/Server/Enabled = 1
PCT 1.0/Server/Enabled = 1
I also have:
SSL 2.0/Client/DisabledByDefault = 0
Does anyone have any ideas on where to start?
Thanks in advance,
Nick
[UPDATE]
Am now getting the following error in the Windows Error Log:
A fatal error occurred when attempting to access the SSL client credential private key.
The error code returned from the cryptographic module is 0x8009030d.
The internal error state is 10003.
...but I'm not sure how to resolve it. The certificate is being picked up ok by the looks of this. It just can't get the password.
[Answered]
It turns out that the privileges on the Certificate hadn't been set for my IIS_IUSRS account.
When I set those up, everything worked fine.