TLS – Resolving Handshake Failure After Upgrade to TLSv1.2

javalinuxsslssl-certificate

I am working on a Java 1.7 application on a Linux Centos server that connects to a third party using SOAP. Everything was working, until the third party upgraded their ssl from TLSv1.1 to TLSv1.2. Now when we try call their service, we get:

javax.net.ssl.SSLHandshakeException: SSLHandshakeException invoking
https://webservices.abc.company.com: Received fatal alert:
handshake_failure

We also have another Linux Centos server, that uses the exact same code base, but it can call the SOAP service with no errors. So I have tried to compare to find any differences. The differences I can find, is that some of the directory structures are different, but the files I think are applicable are the same. For example,

/etc/httpd/conf.d/ssl.conf

Are both in the same place, and both have the same ciphers:

SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
#SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
SSLHonorCipherOrder on

They both have the same certificate issued by the third party company.

/etc/httpd/ssl/abc.crt

I have stopped the firewall.

sudo systemctl stop firewalld

Question

Do you know where else I can look, and what I can try?

Best Answer

You have to be using a version of Java that has TLS 1.2 support (I'm not sure if 1.7.0_09 falls into that boat, but I know later versions of 1.7 do) and it has to be one of the enabled protocols. This question has details on that: https://stackoverflow.com/questions/39157422/how-to-enable-tls-1-2-in-java-7

Java 1.7 has been EOL since 2015, so upgrading would probably be in the best interest to avoid future issues.

Related Solutions

Nginx – OCSP validation – unable to get local issuer certificate

Those two errors was unrelated although the error message was same.

[...]SSL-Session: Protocol : TLSv1.2 Cipher : ECDHE-RSA-AES256-GCM-SHA384 [...] Start Time: 1411583991 Timeout : 300 (sec) Verify return code: 20 (unable to get local issuer certificate)

Above error was issued openssl_client command. As explained by Florian Heigl, you get this error because the openssl_client need the Globalsign Root cert in /etc/ssl/certs.

OCSP_basic_verify() failed (SSL: error:27069065:OCSP routines:OCSP_basic_verify:certificate verify error:Verify error:unable to get local issuer certificate) while requesting certificate status, responder: gv.symcd.com

For this error, it was issued by nginx ocsp routine, especially when you add ssl_stapling_verify on; line in nginx.conf.

Here some excerpt from the documentation of ssl_stapling_verify to explain why it throws the error

Syntax: ssl_stapling_verify on | off;

Enables or disables verification of OCSP responses by the server.

For verification to work, the certificate of the server certificate issuer, the root certificate, and all intermediate certificates should be configured as trusted using the ssl_trusted_certificate directive.

In other words, you need provide (2) Intermediate CA Bundle (RapidSSL SHA256 CA - G3) and (3) Intermediate CA Bundle (GeoTrust Global CA) to ssl_trusted_certificate directive.

cat GeoTrustGlobalCA.crt rapidsslG3.crt > ocsp-chain.crt

and add ocsp-chain.crt to ssl_trusted_certificate directive.

WARNING – None of the Ciphers Specified Are Supported by the SSL Engine

As explained here you may have to set the ciphers list like this :

sslProtocols = "TLS"
ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_RC4_128_SHA,
TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,
TLS_RSA_WITH_AES_25‌6_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,SSL_RSA_WITH_RC4_128_SHA"

The first part, ECDHE, specifies what key exchange algorithm should be used. [...]

Next up is the authentication algorithm, RSA. [...]

The bulk cipher, AES128-GCM is the main encryption algorithm and used to encrypt all the traffic. [...]

The last part, SHA256, identifies the message digest in use, which verifies the authenticity of messages.

Best Answer

Related Solutions

Nginx – OCSP validation – unable to get local issuer certificate

WARNING – None of the Ciphers Specified Are Supported by the SSL Engine

Related Topic