
We are facing a problem and I am sure this is the right place. We have a load balancer (Cisco's) and for various reasons the SSL configuration on the load balancer (the server) side is set to use the "SSLv3" protocol version. Now, after setting this, when I access the load balancer in the Chrome browser I am able to access the pages, but I do see the message below when I click on its security icon.

"Connection had to be retried using SSL 3.0" - I looked at the packet capture using Wireshark and I see that the browser tries TLSv1 and receives a "fatal alert" from the server saying "protocol_version", and then the browser immediately tries the SSLv3 version and finishes the handshake. So the browser is able to negotiate this as a client.

However, when I set up a stand-alone Java client (tried using 1.6 as well as 1.7) from Eclipse and try connecting to the server, I get the exception below.

javax.net.ssl.SSLException: Received fatal alert: protocol_version

As per various documentation, I see that I have two options:

  1. Set the https.protocols system property to SSLv3. [This works for us, but the problem is that it affects the outbound SSL calls globally. I have another outbound SSL call to another server which does not work with SSLv3.]

  2. setEnabledProtocols() - this works as well, but sometimes we don't have access to the socket directly (sometimes we generate stubs using a third party and the stub takes care of the low-level connection stuff, so there is no access to that socket).

But my actual question is: if by default TLSv1/SSLv3 and SSLv2Hello (just the format, I believe) are enabled in Java, why is the JSSE implementation not able to negotiate the way the Chrome browser is able to? Is this expected? If the browser is doing it, I believe it should be part of some SSL RFC, and if that is the case, the same "negotiation" functionality should be provided by Java itself, right?

I did go through http://grepcode.com/file/repository.grepcode.com/java/root/jdk/openjdk/6-b14/sun/security/ssl/SSLSocketImpl.java and was not able to find any part handling this negotiation during the handshake.

Is there a possibility of an issue on the server side (load balancer)? I see that the server sends a fatal alert, but that being Cisco, I believe the SSL implementation should be perfect and that this is expected. Am I wrong?

The issue happens in both Java 1.6 and 1.7. Do let me know if more information would be required to answer; I will be happy to help.

  • Your certainty is misplaced. This is not a programming question but instead a hardware/software configuration issue. – KevinDTimm Nov 12 '13 at 17:42
  • Hey Kevin - this might not be an actual 'programming' question, but it is about why Java does not handle this, which is strange. I did quite some googling but don't have the right answer. The impact of this is quite high. In my case, we have a payment gateway that goes through PCI certification and for various reasons we had to restrict our server to use SSLv3. Now I have many clients connecting to that server and everyone started facing the 'protocol_version' issue, which gets me confused. Now the n/w guys point me to the browser and say it is able to negotiate, so how come the Java client doesn't? – Rajarajan Pudupatti Sundari Je Nov 12 '13 at 18:51
  • What are the 'certain reasons' the hardware is set to SSLv3? This is many years out of date. And your question would be best addressed to the Java developers. The only answers you will get here will be of the form "because that's the way it was designed" or else more or less uninformed guesswork and opinion. – user207421 Nov 12 '13 at 21:37
  • 'certain reasons' - we have a payment gateway that needs to take PCI certification (Payment Card Industry Data Security Standard) and that mandates you have to use the latest of SSL/TLS. We can't use TLS1.2 and hence have to use SSLv3. But the actual question again is different. When you say best addressed to Java developers, I have already posted in the Oracle forums. Can you suggest any other place? – Rajarajan Pudupatti Sundari Je Nov 13 '13 at 08:35
  • The 'latest of TLS/SSL before TLS v1.2' is not SSLv3 but TLS v1.1 and before that TLS v1.0. SSLv3 is in fact the *earliest* you can go without getting major insecurities. Your question appears to be founded on a misapprehension. To correct another misapprehension, there are no java developers on the Oracle forums, with perhaps two exceptions, otherwise only volunteers. In any case the question is pointless in terms of solving your current problem. If you have a requirement, submit an RFE. – user207421 Nov 13 '13 at 22:56
  • You are totally going in the wrong direction. How is it pointless in solving my problem? My problem is asking many clients to make a change if I set SSLv3 only on the server; maybe it is what is expected, but I wanted to confirm. I understand what you are saying about SSLv3 being the earliest and so on (the way I put it might be wrong; it is actually either use the latest of SSL or the latest of TLS, so either we need to use TLSv1.2 or SSLv3), but the actual question is, from the Java side, why is it not able to negotiate the way Chrome does! Anyway, let me check out what the RFE is. – Rajarajan Pudupatti Sundari Je Nov 14 '13 at 06:57
  • I'm sorry but I simply don't believe you have stated or perhaps understood your requirement accurately. I would investigate that rather than waste further time on the current enquiry. – user207421 Nov 14 '13 at 10:47

0 Answers