
Java SSL handshake failure to Authentication Manager 8.4

Question asked by Luca Gilardini on Jul 10, 2020
Latest reply on Jul 10, 2020 by Luca Gilardini

Hi,

After the 8.4 upgrade (from 8.3), a Java webapp cannot complete the SSL handshake.

The config should be OK; I guess that the problem is the TLS 1.2 strict mode on the Auth Manager, which I don't want to disable.

I've already upgraded the Java am-client library from 8.1 to the latest 8.4, but with the same results.

The JDK is 1.8, and US_export_policy.jar and local_policy.jar are the latest available; the Java client tries to "talk" TLS 1.2:


2020-07-10 10:05:21,260~INFO~[default task-123]~~|~[stdout]~*** ClientHello, TLSv1.2
2020-07-10 10:05:21,262~INFO~[default task-123]~~|~[stdout]~RandomCookie: GMT: 1594368321 bytes = { 114, 29, 160, 141, 74, 68, 175, 84, 223, 104, 243, 188, 253, 107, 191, 222, 96, 224, 242, 170, 74, 148, 44, 22, 46, 43, 62, 20 }
2020-07-10 10:05:21,262~INFO~[default task-123]~~|~[stdout]~Session ID: {}
2020-07-10 10:05:21,263~INFO~[default task-123]~~|~[stdout]~Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
2020-07-10 10:05:21,263~INFO~[default task-123]~~|~[stdout]~Compression Methods: { 0 }
2020-07-10 10:05:21,263~INFO~[default task-123]~~|~[stdout]~Extension elliptic_curves, curve names: {secp256r1, secp384r1, secp521r1}
2020-07-10 10:05:21,263~INFO~[default task-123]~~|~[stdout]~Extension ec_point_formats, formats: [uncompressed]
2020-07-10 10:05:21,263~INFO~[default task-123]~~|~[stdout]~Extension signature_algorithms, signature_algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA, SHA256withDSA, SHA224withECDSA, SHA224withRSA, SHA224withDSA, SHA1withECDSA, SHA1withRSA, SHA1withDSA
2020-07-10 10:05:21,263~INFO~[default task-123]~~|~[stdout]~Extension extended_master_secret
2020-07-10 10:05:21,264~INFO~[default task-123]~~|~[stdout]~***
2020-07-10 10:05:21,264~INFO~[default task-123]~~|~[stdout]~default task-123, WRITE: TLSv1.2 Handshake, length = 185
2020-07-10 10:05:21,264~INFO~[default task-123]~~|~[stdout]~default task-123, WRITE: SSLv2 client hello message, length = 179
2020-07-10 10:05:21,265~INFO~[default task-123]~~|~[stdout]~default task-123, READ: TLSv1.1 Alert, length = 2
2020-07-10 10:05:21,266~INFO~[default task-123]~~|~[stdout]~default task-123, RECV TLSv1.2 ALERT: fatal, handshake_failure
2020-07-10 10:05:21,266~INFO~[default task-123]~~|~[stdout]~default task-123, fatal: engine already closed. Rethrowing javax.net.ssl.SSLException: Received fatal alert: handshake_failure


Any ideas? May I have to use a specific cipher suite?


Thanks in advance,


Luca
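The javax.net.debug output in the post carries the diagnostic signals a practitioner would check first: the client's ClientHello is TLSv1.2, but the record is then written a second time as an "SSLv2 client hello message" (the SSLv2Hello compatibility format), and the server answers that hello with a fatal handshake_failure before any ServerHello. The script below is an added example, not code from the post, from RSA or from the am-client library: it strips the application-server log wrapper, extracts those signals, flags cipher-suite and signature-algorithm hygiene problems, and derives the protocol and cipher-suite lists one would pass to the JDK's SSLSocket/SSLEngine setEnabledProtocols and setEnabledCipherSuites (or, for the default context, -Djdk.tls.client.protocols=TLSv1.2). The sample log is the post's own lines with the Cipher Suites line abridged to a representative subset; that a TLS 1.2-only server rejects the SSLv2-format hello is an inference from this log, not a statement about Authentication Manager internals, and should be confirmed against RSA's documentation.

```python
"""Triage a JDK 8 javax.net.debug handshake log to see why a TLS 1.2 handshake
was refused. Added example; not code from the post, RSA, or am-client."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Lines taken from the post above; the Cipher Suites line is abridged to a
# representative subset of what the client actually offered.
POSTED_LOG = """\
2020-07-10 10:05:21,260~INFO~[default task-123]~~|~[stdout]~*** ClientHello, TLSv1.2
2020-07-10 10:05:21,263~INFO~[default task-123]~~|~[stdout]~Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384, TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
2020-07-10 10:05:21,263~INFO~[default task-123]~~|~[stdout]~Extension signature_algorithms, signature_algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA, SHA256withDSA, SHA224withECDSA, SHA224withRSA, SHA224withDSA, SHA1withECDSA, SHA1withRSA, SHA1withDSA
2020-07-10 10:05:21,264~INFO~[default task-123]~~|~[stdout]~default task-123, WRITE: TLSv1.2 Handshake, length = 185
2020-07-10 10:05:21,264~INFO~[default task-123]~~|~[stdout]~default task-123, WRITE: SSLv2 client hello message, length = 179
2020-07-10 10:05:21,265~INFO~[default task-123]~~|~[stdout]~default task-123, READ: TLSv1.1 Alert, length = 2
2020-07-10 10:05:21,266~INFO~[default task-123]~~|~[stdout]~default task-123, RECV TLSv1.2 ALERT: fatal, handshake_failure
"""

# App-server wrapper: "<date> <time>~LEVEL~[thread]~~|~[stdout]~<jsse message>"
WRAPPER_RE = re.compile(r"^\S+ \S+~\w+~\[[^\]]+\]~~\|~\[stdout\]~(?P<msg>.*)$")
HELLO_RE = re.compile(r"^\*\*\* ClientHello, (?P<ver>TLSv1\.\d|SSLv3)$")
SUITES_RE = re.compile(r"^Cipher Suites: \[(?P<list>.*)\]$")
SIGALGS_RE = re.compile(r"signature_algorithms: (?P<list>.*)$")
ALERT_RE = re.compile(r"RECV (?P<ver>\S+) ALERT: (?P<level>\w+), (?P<desc>\w+)$")
SCSV = "TLS_EMPTY_RENEGOTIATION_INFO_SCSV"  # signalling value, not a real suite


@dataclass
class Triage:
    client_hello_version: Optional[str] = None
    offered_suites: List[str] = field(default_factory=list)
    sig_algs: List[str] = field(default_factory=list)
    sslv2_hello_written: bool = False
    server_hello_seen: bool = False
    alert: Optional[str] = None  # e.g. "fatal handshake_failure"
    findings: List[str] = field(default_factory=list)


def messages(log_text):
    """Yield the raw javax.net.debug messages, wrapper removed."""
    for line in log_text.splitlines():
        m = WRAPPER_RE.match(line)
        if m:
            yield m.group("msg")


def suite_is_modern(suite):
    """ECDHE (forward secrecy) plus AES-GCM (AEAD)."""
    return suite.startswith("TLS_ECDHE_") and "_GCM_" in suite


def weak_suite_reasons(suite):
    """Why a suite is a poor choice for a TLS 1.2-only peer (empty if fine)."""
    reasons = []
    if suite.startswith("TLS_RSA_"):
        reasons.append("no forward secrecy (static RSA key exchange)")
    if suite.startswith(("TLS_ECDH_", "TLS_DH_")):
        reasons.append("static (EC)DH key exchange")
    if "_DSS_" in suite:
        reasons.append("DSS authentication")
    if "_CBC_" in suite:
        reasons.append("CBC mode (not AEAD)")
    if suite.endswith("_SHA"):
        reasons.append("HMAC-SHA1")
    return reasons


def triage(log_text):
    t = Triage()
    for msg in messages(log_text):
        m = HELLO_RE.match(msg)
        if m:
            t.client_hello_version = m.group("ver")
            continue
        m = SUITES_RE.match(msg)
        if m:
            t.offered_suites = [s.strip() for s in m.group("list").split(",")]
            continue
        m = SIGALGS_RE.search(msg)
        if m:
            t.sig_algs = [s.strip() for s in m.group("list").split(",")]
            continue
        if "WRITE: SSLv2 client hello message" in msg:
            t.sslv2_hello_written = True  # SSLv2Hello format went on the wire
            continue
        if msg.startswith("*** ServerHello"):
            t.server_hello_seen = True
            continue
        m = ALERT_RE.search(msg)
        if m:
            t.alert = f"{m.group('level')} {m.group('desc')}"

    if t.client_hello_version != "TLSv1.2":
        t.findings.append(f"client offered {t.client_hello_version}, not TLSv1.2")
    if t.sslv2_hello_written:
        t.findings.append("ClientHello was sent in SSLv2-compatible format (SSLv2Hello "
                          "enabled); a TLS 1.2-only peer may reject the record before "
                          "reading the TLSv1.2 hello inside it")
    if t.alert and not t.server_hello_seen:
        t.findings.append(f"server answered the hello with a {t.alert} alert: "
                          "rejected at ClientHello, before any ServerHello")
    real_suites = [s for s in t.offered_suites if s != SCSV]
    if not any(suite_is_modern(s) for s in real_suites):
        t.findings.append("no ECDHE+GCM suites offered")
    elif not suite_is_modern(real_suites[0]):
        t.findings.append(f"preferred suite {real_suites[0]} is not ECDHE+GCM "
                          f"({'; '.join(weak_suite_reasons(real_suites[0]))})")
    sha1 = [a for a in t.sig_algs if a.startswith("SHA1")]
    if sha1:
        t.findings.append("SHA-1 signature algorithms advertised: " + ", ".join(sha1))
    return t


def hardened_client_settings(t):
    """Values for setEnabledProtocols / setEnabledCipherSuites: TLSv1.2 only
    (no SSLv2Hello) and the ECDHE+GCM subset the JDK already supports."""
    return ["TLSv1.2"], [s for s in t.offered_suites if suite_is_modern(s)]


if __name__ == "__main__":
    result = triage(POSTED_LOG)
    for finding in result.findings:
        print("-", finding)
    protocols, suites = hardened_client_settings(result)
    print("enabled protocols:", protocols)
    print("enabled cipher suites:", suites)
```

Feed the full javax.net.debug output into triage() rather than the abridged sample; the SSLv2-format hello is the finding to clear first, because it decides whether the server ever sees the TLSv1.2 ClientHello at all, and only then does the suite list matter.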
