2

(I am not a Java expert but if you can provide instruction and where I need to run commands or make changes I should be fine thanks again)

We have a https client that connects to a webservice over ssl. This always works fine with Java 7. We are upgrading computer to Java 8 Update 162. Unfortunately the client is no longer able to connect to the webservice. I want to know what is causing this and how to fix it?

And the client throws the following exception:

Log SOP opened on 18/10/19 at 12:10:29:692
Log SOP is logging at level 4 at 12:10:29:692
SOP|SOP|L4|12:10:29:692|thread applet-com.nortelnetworks.wp.util.ui.WPApplet.class-1|Logging in user 'dmdbadm'...
SOP|SOP|L4|12:10:29:739|thread applet-com.nortelnetworks.wp.util.ui.WPApplet.class-1|Establishing connection to service order manager...
SOP|SOP|L4|12:10:29:817|thread applet-com.nortelnetworks.wp.util.ui.WPApplet.class-1|Connection to service order manager successfully established.
SOP|SOP|L3|12:10:29:863|thread applet-com.nortelnetworks.wp.util.ui.WPApplet.class-1|error during JRMP connection establishment; nested exception is: 
    javax.net.ssl.SSLException: Received fatal alert: unexpected_message
SOP|SOP|L4|12:10:43:826|thread applet-com.nortelnetworks.wp.util.ui.WPApplet.class-1|Logging out user ''...
SOP|SOP|L4|12:10:43:888|thread applet-com.nortelnetworks.wp.util.ui.WPApplet.class-1|Establishing connection to service order manager...
SOP|SOP|L4|12:10:43:950|thread applet-com.nortelnetworks.wp.util.ui.WPApplet.class-1|Connection to service order manager successfully established.
SOP|SOP|L2|12:10:43:982|thread applet-com.nortelnetworks.wp.util.ui.WPApplet.class-1|Error connecting to service order manager: java.lang.NullPointerException
SOP|SOP|L3|12:10:44:028|thread applet-com.nortelnetworks.wp.util.ui.WPApplet.class-1|null"
S.Mahmood
  • 129
  • 11
  • What is the server TLS version and the certificate provider? If you run with `-Djava.net.debug=all` what you will see in the logs when negotiation the encryption? – Karol Dowbecki Nov 19 '19 at 14:36
  • Hi I am not a java expert (sorry to say) where am I running -Djava.net.debug=ssl we have done some testing and found out when Java 7 is communicating with the web application is doing so via TLS 1.0 but when trying Java 8 is going through TLS 1.2 also Java 7 displays SSL 3.0 where Java 8 only shows SSL 2.0 – S.Mahmood Nov 19 '19 at 15:41

2 Answers2

1

It looks like your server is requiring SSLv3 protocol which is not secure anymore and Java 8 correctly declines the connection. Java 8 Update 31 (8u31) has disabled SSLv3 as per Java 8 Release Highlights.

You have two options:

  1. Make sure your server uses secure TLS protocol version e.g. TLSv1.1 or TLSv1.2. This is preferable as SSLv3 is no longer secure.

  2. Somehow configure Java 8 to use obsolete SSLv3. Not recommended.

Karol Dowbecki
  • 43,645
  • 9
  • 78
  • 111
  • I have tried using TLS v1.1 and TSL v1.2 - this give the error ClassNotFoundException. As this is an internal application I will try to see if I can configure Java 8 to user SSLv3 as test to see what output I get just need to know which java properties file to enable this feature. – S.Mahmood Nov 19 '19 at 16:15
  • **Update** I removed SSLv3 from jdk.tls.disableAlgorithms within the java.security file but I am wondering do I have to add code for to get to run in Java 8? – S.Mahmood Nov 19 '19 at 16:52
  • **Update** I have configured Java 8 to run SSLv3 (check via wireshark) and still get the same error message I believe the application require a handshake via SSLv1 or the first version of SSL and then will communicate fine with TLSv1 – S.Mahmood Nov 21 '19 at 14:04
  • SSLv1 is not the same as TLSv1.0, these are two different standards. – Karol Dowbecki Nov 21 '19 at 14:09
  • **Update** I managed to get the application working by disabling TLSv1, TLSv1.1 and TLS1.2 also removed Protocols from jdk.jar.disabledAlgorithms & jdk.cert.disabledAlgorithms only disabled MD2 BUT this caused problems with other applications who require to communicate at TLSv1 as minimum – S.Mahmood Nov 25 '19 at 15:15
  • What I wanted to know if it is possible to add code into the java.security file and force it use SSLv3 for a application/URL? or configure Java 8 Update 162 to that? – S.Mahmood Dec 02 '19 at 13:05
  • SSLv3 is obsolete and I don't know how to do it. – Karol Dowbecki Dec 02 '19 at 13:21
0

Apologies for the delay so I followed your advice Karol Dowbecki Java update 31 disables SSLv3 so installed Java update 25 and this fixed the issue and all the applications worked fine onn the closed network.

I do understand the SSL will need upgrading to TLS on the application side but I have no control on this as its supported by a different team.

S.Mahmood
  • 129
  • 11