
We have built a Docker image using Open Liberty webProfile8 and currently the HTTPS outbound calls to the Salesforce API are failing. From the log it seems that only TLSv1 is enabled, and from all the reading it seems TLSv1.2 needs to be enabled. I am very new to Open Liberty and I don't know how to do it. In my server.xml file I have the following entry:

<keyStore id="defaultKeyStore" password="Liberty"/>

<ssl id="defaultSSLConfig" keyStoreRef="defaultKeyStore" sslProtocol="SSL_TLSv2"/>

But even after that I am getting the error below and the HTTPS call is failing:

phx.salesforceliveagent.com/136.147.100.1:443 with timeout 0
2019-04-29T23:05:08.840527853Z 2019-04-29 23:05:08.839 DEBUG 1 --- [cutor-thread-16] o.a.h.c.ssl.SSLConnectionSocketFactory   : Enabled protocols: [TLSv1]
2019-04-29T23:05:08.848027084Z 2019-04-29 23:05:08.845 DEBUG 1 --- [cutor-thread-16] o.a.h.c.ssl.SSLConnectionSocketFactory   : Enabled cipher suites:[SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, SSL_ECDHE_RSA_WITH_AES_256_CBC_SHA384, SSL_RSA_WITH_AES_256_CBC_SHA256, SSL_ECDH_ECDSA_WITH_AES_256_CBC_SHA384, SSL_ECDH_RSA_WITH_AES_256_CBC_SHA384, SSL_DHE_RSA_WITH_AES_256_CBC_SHA256, SSL_DHE_DSS_WITH_AES_256_CBC_SHA256, SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, SSL_ECDHE_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_AES_256_CBC_SHA, SSL_ECDH_ECDSA_WITH_AES_256_CBC_SHA, SSL_ECDH_RSA_WITH_AES_256_CBC_SHA, SSL_DHE_RSA_WITH_AES_256_CBC_SHA, SSL_DHE_DSS_WITH_AES_256_CBC_SHA, SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA256, SSL_RSA_WITH_AES_128_CBC_SHA256, SSL_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, SSL_ECDH_RSA_WITH_AES_128_CBC_SHA256, SSL_DHE_RSA_WITH_AES_128_CBC_SHA256, SSL_DHE_DSS_WITH_AES_128_CBC_SHA256, SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_AES_128_CBC_SHA, SSL_ECDH_ECDSA_WITH_AES_128_CBC_SHA, SSL_ECDH_RSA_WITH_AES_128_CBC_SHA, SSL_DHE_RSA_WITH_AES_128_CBC_SHA, SSL_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, SSL_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, SSL_ECDHE_RSA_WITH_AES_256_GCM_SHA384, SSL_RSA_WITH_AES_256_GCM_SHA384, SSL_ECDH_ECDSA_WITH_AES_256_GCM_SHA384, SSL_ECDH_RSA_WITH_AES_256_GCM_SHA384, SSL_DHE_DSS_WITH_AES_256_GCM_SHA384, SSL_DHE_RSA_WITH_AES_256_GCM_SHA384, SSL_ECDHE_RSA_WITH_AES_128_GCM_SHA256, SSL_RSA_WITH_AES_128_GCM_SHA256, SSL_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, SSL_ECDH_RSA_WITH_AES_128_GCM_SHA256, SSL_DHE_RSA_WITH_AES_128_GCM_SHA256, SSL_DHE_DSS_WITH_AES_128_GCM_SHA256]
2019-04-29T23:05:08.852594802Z 2019-04-29 23:05:08.851 DEBUG 1 --- [cutor-thread-16] o.a.h.c.ssl.SSLConnectionSocketFactory   : Starting handshake
2019-04-29T23:05:08.905209219Z [err] javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
2019-04-29T23:05:09.063121768Z [err]    at com.ibm.jsse2.k.a(k.java:42)
2019-04-29T23:05:09.067062984Z [err]    at com.ibm.jsse2.k.a(k.java:37)
2019-04-29T23:05:09.098532614Z [err]    at com.ibm.jsse2.av.b(av.java:549)
2019-04-29T23:05:09.101687527Z [err]    at com.ibm.jsse2.av.a(av.java:715)

I am not sure how to fix this handshake_failure issue. Any help?

UPDATE 04/30/2019: RESOLVED: The dev team fixed the code on their end to make sure to force TLSv1.2, and that fixed the issue for us for now. Thank you to Alasdair for the idea of creating a jvm.options file and creating the environment variables for setting TLSv1.2; in case someone else struggles in the future, they could give that a shot.

UPDATE 05/01/2019: Alasdair and Brian S Paskin from IBM also helped me with the jvm.options file, and it should look like this:

-Dhttps.protocols=TLSv12
-Djdk.tls.client.protocols=TLSv12
-Dhttps.protocols=TLSv12
-Dcom.ibm.jsse2.overrideDefaultProtocol=TLSv12

In case anyone wants to go this route.

user42012
  • Can you add the Java version you are using? The first line of your console.log output will be sufficient. Or the java version from messages.log – Alasdair Apr 30 '19 at 01:23
  • I can't tell from the stack if Liberty's SSL configuration is being used or not. If it is being used then setting sslProtocol to "TLSv1.2" may help. If Liberty's SSL configuration is not being used for this connection then try setting the system property jdk.tls.client.protocols to "TLSv1.2". You can find more info on that here https://www-01.ibm.com/support/docview.wss?uid=nas8N1022279 – Alaine Apr 30 '19 at 01:35
  • Thank you Alaine. I read somewhere that I can use those client ENV variables in server.env with the values you mentioned, but I am not sure where to copy this server.env file. Should it be in the same place as server.xml? I am creating a Docker image, so I need to know the location for copying the file which contains these system properties/env variables, which can reside in the server.env file? – user42012 Apr 30 '19 at 01:45
  • Thank you Alasdair, we are using Java 8, which I think comes by default with the Open Liberty webProfile8 Docker image – user42012 Apr 30 '19 at 01:46
  • RESOLVED: The dev team fixed the code on their end to make sure to force TLSv1.2, and that fixed the issue for us for now. Thank you to Alasdair for the idea of creating a jvm.options file and creating the environment variables for setting TLSv1.2; in case someone else struggles in the future, they could give that a shot. – user42012 Apr 30 '19 at 17:31

1 Answer


For anyone stumbling over this question and the included answer, there is a typo in the answer. A dot is missing, which will disable all TLS communications (depending on your JDK/JRE).

-Dhttps.protocols=TLSv1.2
-Djdk.tls.client.protocols=TLSv1.2
-Dhttps.protocols=TLSv1.2
-Dcom.ibm.jsse2.overrideDefaultProtocol=TLSv1.2

If you do not want to disable TLSv1.1 for legacy servers, you can use this:

-Dhttps.protocols=TLSv1.2,TLSv1.1
-Djdk.tls.client.protocols=TLSv1.2,TLSv1.1
-Dhttps.protocols=TLSv1.2,TLSv1.1
-Dcom.ibm.jsse2.overrideDefaultProtocol=TLSv1.2,TLSv1.1

The last setting is especially important on IBM J9 VMs and Eclipse OpenJ9 VMs. You can get those from adoptopenjdk.net (just in case you wonder).

Benjamin Marwell
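The thread shows two separate fixes: the dev team pinned TLSv1.2 in the client code, and the jvm.options route sets the JVM default (where a missing dot, TLSv12 instead of TLSv1.2, silently breaks everything). The following is an added example, not code from the question, the answer or Open Liberty, that demonstrates both at once: it prints the protocols the JVM default SSLContext actually enables (so a bad jvm.options value shows up before the first outbound call), and it builds an Apache HttpClient whose socket factory only offers TLSv1.2, which is what the log's o.a.h.c.ssl.SSLConnectionSocketFactory line reports. It assumes Apache HttpClient 4.4 or later on the classpath and a Java 8 JVM; the class name Tls12Client and the method names are my own.

```java
import java.security.KeyManagementException;
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;
import java.util.List;

import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;

import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;

// Added example (hypothetical class name): verify the JVM's default TLS protocols
// and build an HttpClient that is pinned to TLSv1.2 in code.
public class Tls12Client {

    /** Protocols the JVM default SSLContext will offer, i.e. what jvm.options produced. */
    static List<String> defaultClientProtocols() throws NoSuchAlgorithmException {
        SSLParameters params = SSLContext.getDefault().getDefaultSSLParameters();
        return Arrays.asList(params.getProtocols());
    }

    /** HttpClient whose outbound TLS offers only TLSv1.2, independent of JVM defaults. */
    static CloseableHttpClient tls12Client() throws NoSuchAlgorithmException, KeyManagementException {
        SSLContext ctx = SSLContext.getInstance("TLSv1.2");
        // null managers: use the JVM's default key store and trust store (cacerts / javax.net.ssl.* properties)
        ctx.init(null, null, null);
        SSLConnectionSocketFactory socketFactory = new SSLConnectionSocketFactory(
                ctx,
                new String[] { "TLSv1.2" },   // supportedProtocols: only TLSv1.2 goes into the ClientHello
                null,                          // supportedCipherSuites: keep the JVM defaults
                SSLConnectionSocketFactory.getDefaultHostnameVerifier()); // keep hostname verification on
        return HttpClients.custom().setSSLSocketFactory(socketFactory).build();
    }

    public static void main(String[] args) throws Exception {
        // Diagnostic: what did jvm.options / the JSSE provider actually give us?
        System.out.println("java.version             = " + System.getProperty("java.version"));
        System.out.println("jdk.tls.client.protocols = " + System.getProperty("jdk.tls.client.protocols"));
        System.out.println("https.protocols          = " + System.getProperty("https.protocols"));
        List<String> enabled = defaultClientProtocols();
        System.out.println("default enabled protocols = " + enabled);
        if (!enabled.contains("TLSv1.2")) {
            // This is the state the question's log shows ("Enabled protocols: [TLSv1]") and
            // also what a typo such as TLSv12 in jvm.options produces.
            System.err.println("WARNING: TLSv1.2 is not enabled by default; check jvm.options for a misspelled protocol name");
        }

        // Optional live check: pass an https URL as the only argument.
        if (args.length == 1) {
            try (CloseableHttpClient client = tls12Client();
                 CloseableHttpResponse response = client.execute(new HttpGet(args[0]))) {
                System.out.println("HTTP " + response.getStatusLine());
            }
        }
    }
}
```

Run it with no arguments inside the image (java -cp ... Tls12Client) to confirm the jvm.options values took effect; with the answer's corrected lines, the default enabled protocols should list TLSv1.2, and with the misspelled TLSv12 they will not. In the Open Liberty Docker images the server configuration directory is /config, so jvm.options sits beside server.xml as /config/jvm.options. Pinning the protocol in code, as in tls12Client(), is the more robust option for a specific outbound integration because it does not depend on whoever builds the image remembering the file, and the explicit hostname verifier keeps the connection from being silently downgraded to no verification while tightening the protocol.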