1

We have a web service running on JBOSS EAP7 which is behind IIS 8.5. The webservice works fine on the Internet Explorer using both http://webservice and https://webservice. We have another application running on IBM WAS 7 which consumes this web service. The application has no issues when it uses http://webservice. However the SSL handshake fails when application on WAS 7 uses https://webservice. Below is the error we are seeing in application logs.

enter image description here
Below is a ClientHello message from WAS

enter image description here
We do not see ServerHello message in the logs.
Below are the Ciphers on IIS 8.5
enter image description here
Earlier we thought that this was an issue with unmatched Ciphers but as per IBM Support, TLS_RSA_WITH_AES_128_CBC_SHA is equivalent to what is being sent in ClientHello SSL_RSA_WITH_AES_128_CBC_SHA. Also, unfortunately we do not see any errors in IIS logs or in the Event Viewer of the Server. We used MessageAnalyzer as well to capture network traffic on Server but didn't help much. Is there any way to capture SSL Handshake logs on the IIS/Server? Any other help or suggestions you could provide will be much appreciated.

slash
  • 593
  • 8
  • 16
  • 2
    _Maybe_ your IIS requires SNI, which IBM-JSSE apparently isn't sending. If you have or can get OpenSSL try `openssl s_client -connect hostname:443` both with and without `-servername hostname` (and with `-tls1` for best fidelity) (and just Q return if/when it does connect) to see if that makes the difference. – dave_thompson_085 Jun 16 '17 at 11:18
  • Please show your code. Since Stack Overflow hides the Close reason from you: *Questions seeking debugging help ("why isn't this code working?") must include the desired behavior, a specific problem or error and the shortest code necessary to reproduce it in the question itself. Questions without a clear problem statement are not useful to other readers. See: [How to create a Minimal, Complete, and Verifiable example](https://stackoverflow.com/help/mcve).* – jww Jun 17 '17 at 14:55
  • @dave_thompson_085 You are right, the IIS is hosting multiple sites and expects server_name from the client. The Require SNI option is checked. Unfortunately, the site running on WAS 7 is using Java 6. SNI was introduced in later versions of Java. Is there any workaround to achieve this? – slash Jun 19 '17 at 07:49
  • (0) OracleJava/OpenJDK 6 cannot do SNI full stop, but that isn't necessarily dispositive for IBM-JSSE because IBM Java has its own cryptoproviders which I don't know details of. If you can't get any joy that way, apparent alternatives are: (1) change the server to not need SNI, perhaps by getting a multidomain cert (2) put a TLS terminator in front of IIS, or perhaps beside if this domain is always passthrough and can have a separate address, that accepts a no-SNI connection and creates a new back-end connection with SNI -- definitely Apache-httd maybe others ... – dave_thompson_085 Jun 20 '17 at 07:51
  • ... (3) put something 'behind' the client that receives or intercepts the no-SNI connection and does a new with-SNI connection to the server -- I think squid (but am not certain), or back-to-back stunnel. Good luck. – dave_thompson_085 Jun 20 '17 at 07:52

0 Answers0