
I have an application hosted on Tomcat that needs to reach out and make an HTTPS call to a service hosted through an IBM DataPower appliance. I am seeing the following in the logs:

http-bio-8080-exec-1, READ: TLSv1 Alert, length = 2
http-bio-8080-exec-1, RECV TLSv1 ALERT:  fatal, handshake_failure
%% Invalidated:  [Session-1, TLS_RSA_WITH_AES_256_CBC_SHA]
http-bio-8080-exec-1, called closeSocket()

The DataPower appliance does not support that cipher suite, it supports TLS_RSA_WITH_RC4_128_SHA.

So, my question is this: On an outgoing request/response from Tomcat to an outside entity, can I control the cipher suite?

Perry Hoekstra
  • I am able to partially answer my own question. Based on http://stackoverflow.com/questions/17555006/how-to-set-the-list-of-ciphers-and-protocols-to-be-used-for-sockets-created-by-u, I can specify the cipher suites using the https.cipherSuites system property. As pointed out, however, the downside is that this approach then becomes applicable for the entire system. – Perry Hoekstra Jan 26 '15 at 18:59

3 Answers


If your application is the HTTPS client, you should be able to configure the SSL Context for the objects that make the connection, in your source code.

If you post a sample of your client code or mention what language it is written in, someone should be able to help you with that. In Java it is very easy to configure the SSL settings with an SSLContext object.

jhoule86

Sorry, I thought by implicating Tomcat, people would know it was Java. In this case, I controlled the cipher suite by entering it as part of the Tomcat startup, i.e. setting a system property -https.cipherSuites="one of the cipher suites" in the /usr/sbin/tomcat7 startup script. You can find out which cipher suites are supported in this document: http://docs.oracle.com/javase/7/docs/technotes/guides/security/SunProviders.html

As I mentioned, the downside is that the constrained set of ciphers I entered now limits the entire Tomcat installation. It is not a big deal in my case, as it was a dedicated installation for a single purpose, but I am pointing it out in case someone reading this has multiple applications running under their Tomcat installation.

Perry Hoekstra

If you are using httpcomponents to make the outbound call, in addition to using the https.cipherSuites property, you have to call the useSystemProperties() method from HttpClientBuilder:

import org.apache.http.client.HttpClient;
import org.apache.http.impl.client.HttpClientBuilder;

// useSystemProperties() makes the builder honour https.cipherSuites
// (and the other https.* / http.proxy* system properties).
HttpClient client = HttpClientBuilder.create()
                      .useSystemProperties()
                      .build();
client.execute(...)

Or, if you want to make this cipher suite available only to this client (it does not require the https.cipherSuites property):

import javax.net.ssl.SSLSocketFactory;
import org.apache.http.client.HttpClient;
import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
import org.apache.http.impl.client.HttpClientBuilder;

HttpClient client = HttpClientBuilder.create()
    .setSSLSocketFactory(new SSLConnectionSocketFactory(
       (SSLSocketFactory) SSLSocketFactory.getDefault(),
       null,                                       // supported protocols: keep the JSSE defaults
       new String[] {"TLS_RSA_WITH_RC4_128_SHA"},  // the only suite this client will offer
       SSLConnectionSocketFactory.BROWSER_COMPATIBLE_HOSTNAME_VERIFIER))
    .build();
Gonzalo Matheu