1 Reply Latest reply: Aug 21, 2013 11:18 PM by Faisal Khan

SSL handshake error towards server using only TLSv1

user8784201 Newbie

One of the services we utilize has changed their server to only utilize TLSv1, and not the usual SSLv3/TLSv1 combo. Our weblogic (10.3.5) server doesn't find this agreeable at all, throwing the following debug stack trace:

 

####<Aug 20, 2013 1:19:10 PM CEST> <Debug> <SecuritySSL> <prdorafm05> <osb_server1> <[ACTIVE] ExecuteThread: '31' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <799e23074c976b9f:31f5c036:14095ee3bbb:-8000-000000000011c23b> <1376997550844> <BEA-000000> <Filtering JSSE SSLSocket>

####<Aug 20, 2013 1:19:10 PM CEST> <Debug> <SecuritySSL> <prdorafm05> <osb_server1> <[ACTIVE] ExecuteThread: '31' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <799e23074c976b9f:31f5c036:14095ee3bbb:-8000-000000000011c23b> <1376997550844> <BEA-000000> <SSLIOContextTable.addContext(ctx): 687885832>

####<Aug 20, 2013 1:19:10 PM CEST> <Debug> <SecuritySSL> <prdorafm05> <osb_server1> <[ACTIVE] ExecuteThread: '31' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <799e23074c976b9f:31f5c036:14095ee3bbb:-8000-000000000011c23b> <1376997550844> <BEA-000000> <SSLSocket will  be Muxing>

####<Aug 20, 2013 1:19:10 PM CEST> <Debug> <SecuritySSL> <prdorafm05> <osb_server1> <[ACTIVE] ExecuteThread: '31' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <799e23074c976b9f:31f5c036:14095ee3bbb:-8000-000000000011c23b> <1376997550844> <BEA-000000> <write SSL_20_RECORD>

####<Aug 20, 2013 1:19:10 PM CEST> <Debug> <SecuritySSL> <prdorafm05> <osb_server1> <[ACTIVE] ExecuteThread: '31' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <799e23074c976b9f:31f5c036:14095ee3bbb:-8000-000000000011c23b> <1376997550904> <BEA-000000> <687885597 SSL3/TLS MAC>

####<Aug 20, 2013 1:19:10 PM CEST> <Debug> <SecuritySSL> <prdorafm05> <osb_server1> <[ACTIVE] ExecuteThread: '31' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <799e23074c976b9f:31f5c036:14095ee3bbb:-8000-000000000011c23b> <1376997550904> <BEA-000000> <687885597 received ALERT>

####<Aug 20, 2013 1:19:10 PM CEST> <Debug> <SecuritySSL> <prdorafm05> <osb_server1> <[ACTIVE] ExecuteThread: '31' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <799e23074c976b9f:31f5c036:14095ee3bbb:-8000-000000000011c23b> <1376997550904> <BEA-000000> <NEW ALERT with Severity: FATAL, Type: 40

java.lang.Exception: New alert stack

  at com.certicom.tls.record.alert.Alert.<init>(Unknown Source)

  at com.certicom.tls.record.alert.AlertHandler.handleAlertMessages(Unknown Source)

  at com.certicom.tls.record.MessageInterpreter.interpretContent(Unknown Source)

  at com.certicom.tls.record.MessageInterpreter.decryptMessage(Unknown Source)

  at com.certicom.tls.record.ReadHandler.processRecord(Unknown Source)

  at com.certicom.tls.record.ReadHandler.readRecord(Unknown Source)

  at com.certicom.tls.record.ReadHandler.readUntilHandshakeComplete(Unknown Source)

  at com.certicom.tls.interfaceimpl.TLSConnectionImpl.completeHandshake(Unknown Source)

  at com.certicom.tls.record.WriteHandler.write(Unknown Source)

  at com.certicom.io.OutputSSLIOStreamWrapper.write(Unknown Source)

  at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:65)

  at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:123)

  at java.io.FilterOutputStream.flush(FilterOutputStream.java:123)

  at weblogic.net.http.HttpURLConnection.writeRequests(HttpURLConnection.java:162)

  at weblogic.net.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:267)

  at com.bea.wli.sb.transports.http.HttpOutboundMessageContext.setRequestPayload(HttpOutboundMessageContext.java:278)

  at com.bea.wli.sb.transports.http.HttpOutboundMessageContext.send(HttpOutboundMessageContext.java:314)

  at com.bea.wli.sb.transports.http.wls.HttpTransportProvider.sendMessageAsync(HttpTransportProvider.java:211)

  at sun.reflect.GeneratedMethodAccessor1092.invoke(Unknown Source)

  at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)

  at java.lang.reflect.Method.invoke(Method.java:597)

  at com.bea.wli.sb.transports.Util$1.invoke(Util.java:83)

  at $Proxy126.sendMessageAsync(Unknown Source)

  at com.bea.wli.sb.transports.LoadBalanceFailoverListener.sendMessageAsync(LoadBalanceFailoverListener.java:148)

  at com.bea.wli.sb.transports.LoadBalanceFailoverListener.sendMessageToServiceAsync(LoadBalanceFailoverListener.java:603)

  at com.bea.wli.sb.transports.LoadBalanceFailoverListener.sendMessageToService(LoadBalanceFailoverListener.java:538)

  at com.bea.wli.sb.transports.TransportManagerImpl.sendMessageToService(TransportManagerImpl.java:558)

  at com.bea.wli.sb.transports.TransportManagerImpl.sendMessageAsync(TransportManagerImpl.java:426)

  at com.bea.wli.sb.pipeline.PipelineContextImpl.doDispatch(PipelineContextImpl.java:670)

  at com.bea.wli.sb.pipeline.PipelineContextImpl.dispatchSync(PipelineContextImpl.java:551)

  at stages.transform.runtime.WsCalloutRuntimeStep$WsCalloutDispatcher.dispatch(WsCalloutRuntimeStep.java:1391)

  at stages.transform.runtime.WsCalloutRuntimeStep.processMessage(WsCalloutRuntimeStep.java:236)

  at com.bea.wli.sb.stages.StageMetadataImpl$WrapperRuntimeStep.processMessage(StageMetadataImpl.java:346)

  at com.bea.wli.sb.stages.impl.SequenceRuntimeStep.processMessage(SequenceRuntimeStep.java:33)

  at stages.transform.runtime.IfThenElseRuntimeStep.processMessage(IfThenElseRuntimeStep.java:86)

  at com.bea.wli.sb.stages.StageMetadataImpl$WrapperRuntimeStep.processMessage(StageMetadataImpl.java:346)

  at com.bea.wli.sb.stages.impl.SequenceRuntimeStep.processMessage(SequenceRuntimeStep.java:33)

  at com.bea.wli.sb.pipeline.PipelineStage.processMessage(PipelineStage.java:84)

  at com.bea.wli.sb.pipeline.PipelineContextImpl.execute(PipelineContextImpl.java:1055)

  at com.bea.wli.sb.pipeline.Pipeline.processMessage(Pipeline.java:141)

  at com.bea.wli.sb.pipeline.PipelineContextImpl.execute(PipelineContextImpl.java:1055)

  at com.bea.wli.sb.pipeline.PipelineNode.doRequest(PipelineNode.java:55)

  at com.bea.wli.sb.pipeline.Node.processMessage(Node.java:67)

  at com.bea.wli.sb.pipeline.PipelineContextImpl.execute(PipelineContextImpl.java:1055)

  at com.bea.wli.sb.pipeline.Router.processMessage(Router.java:214)

  at com.bea.wli.sb.pipeline.MessageProcessor.processRequest(MessageProcessor.java:96)

  at com.bea.wli.sb.pipeline.RouterManager$1.run(RouterManager.java:593)

  at com.bea.wli.sb.pipeline.RouterManager$1.run(RouterManager.java:591)

  at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:363)

  at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:146)

  at com.bea.wli.sb.security.WLSSecurityContextService.runAs(WLSSecurityContextService.java:55)

  at com.bea.wli.sb.pipeline.RouterManager.processMessage(RouterManager.java:590)

  at com.bea.wli.sb.transports.TransportManagerImpl.receiveMessage(TransportManagerImpl.java:375)

  at com.bea.wli.sb.transports.http.generic.RequestHelperBase.invokePipeline(RequestHelperBase.java:179)

  at com.bea.wli.sb.transports.http.wls.HttpTransportServlet$RequestHelperWLS.invokePipeline(HttpTransportServlet.java:227)

  at com.bea.wli.sb.transports.http.generic.RequestHelperBase$1.run(RequestHelperBase.java:154)

  at com.bea.wli.sb.transports.http.generic.RequestHelperBase$1.run(RequestHelperBase.java:152)

  at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:363)

  at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:146)

  at com.bea.wli.sb.transports.http.generic.RequestHelperBase.securedInvoke(RequestHelperBase.java:151)

  at com.bea.wli.sb.transports.http.generic.RequestHelperBase.service(RequestHelperBase.java:107)

  at com.bea.wli.sb.transports.http.wls.HttpTransportServlet.service(HttpTransportServlet.java:129)

  at weblogic.servlet.FutureResponseServlet.service(FutureResponseServlet.java:24)

  at javax.servlet.http.HttpServlet.service(HttpServlet.java:820)

  at weblogic.servlet.internal.StubSecurityHelper$ServletServiceAction.run(StubSecurityHelper.java:227)

  at weblogic.servlet.internal.StubSecurityHelper.invokeServlet(StubSecurityHelper.java:125)

  at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:300)

  at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:183)

  at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.wrapRun(WebAppServletContext.java:3717)

  at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(WebAppServletContext.java:3681)

  at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)

  at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:120)

  at weblogic.servlet.internal.WebAppServletContext.securedExecute(WebAppServletContext.java:2277)

  at weblogic.servlet.internal.WebAppServletContext.execute(WebAppServletContext.java:2183)

  at weblogic.servlet.internal.ServletRequestImpl.run(ServletRequestImpl.java:1454)

  at weblogic.work.ExecuteThread.execute(ExecuteThread.java:209)

  at weblogic.work.ExecuteThread.run(ExecuteThread.java:178)

>

####<Aug 20, 2013 1:19:10 PM CEST> <Debug> <SecuritySSL> <prdorafm05> <osb_server1> <[ACTIVE] ExecuteThread: '31' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <799e23074c976b9f:31f5c036:14095ee3bbb:-8000-000000000011c23b> <1376997550905> <BEA-000000> <Alert received from peer, notifying peer we received it: com.certicom.tls.record.alert.Alert@29005fdb>

####<Aug 20, 2013 1:19:10 PM CEST> <Warning> <Security> <prdorafm05> <osb_server1> <[ACTIVE] ExecuteThread: '31' for queue: 'weblogic.kernel.Default (self-tuning)'> <<anonymous>> <> <799e23074c976b9f:31f5c036:14095ee3bbb:-8000-000000000011c23b> <1376997550906> <BEA-090497> <HANDSHAKE_FAILURE alert received from www401.abbext.com - 109.108.152.67. Check both sides of the SSL configuration for mismatches in supported ciphers, supported protocol versions, trusted CAs, and hostname verification settings.>

####<Aug 20, 2013 1:19:10 PM CEST> <Debug> <SecuritySSL> <prdorafm05> <osb_server1> <[ACTIVE] ExecuteThread: '31' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <799e23074c976b9f:31f5c036:14095ee3bbb:-8000-000000000011c23b> <1376997550906> <BEA-000000> <close(): 687885588>

####<Aug 20, 2013 1:19:10 PM CEST> <Debug> <SecuritySSL> <prdorafm05> <osb_server1> <[ACTIVE] ExecuteThread: '31' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <799e23074c976b9f:31f5c036:14095ee3bbb:-8000-000000000011c23b> <1376997550906> <BEA-000000> <close(): 687885588>

####<Aug 20, 2013 1:19:10 PM CEST> <Debug> <SecuritySSL> <prdorafm05> <osb_server1> <[ACTIVE] ExecuteThread: '31' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <799e23074c976b9f:31f5c036:14095ee3bbb:-8000-000000000011c23b> <1376997550906> <BEA-000000> <SSLIOContextTable.removeContext(ctx): 687885832>

 

A bit of investigation has led me to believe the error happens because the server no longer accepts the SSLv2Hello handshake (which I understand that Weblogic uses). To back up this assumption, OpenSSL 0.9.8 exhibits the same behaviour (handshake_failure), whereas if OpenSSL 1.0.0 is used, the handshake completes fine. Also, OpenSSL 0.9.8 works flawlessly if TLSv1 is specified explicitly.

 

So, my question is: how can I force Weblogic to use the "newer" handshake? We integrate towards several different services, and we are exposing SSL-protected services ourselves, so switching Weblogic to use only TLSv1 is a potentially very disruptive change. However, if there is a way to make it use a handshake that this particular service will accept, that would be great.
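The log above shows `write SSL_20_RECORD` followed by a fatal alert of type 40. To check from a packet capture which hello framing a client actually sends, the first bytes of the connection can be classified as below. This is an added example, not part of the original post; the function names and the sample byte strings are constructed for illustration.

```python
"""Classify the first bytes a client sends: SSLv2-compatible hello vs TLS record."""

VERSIONS = {(2, 0): "SSLv2", (3, 0): "SSLv3", (3, 1): "TLSv1.0",
            (3, 2): "TLSv1.1", (3, 3): "TLSv1.2"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_TYPES = {0: "close_notify", 40: "handshake_failure", 70: "protocol_version"}


def version_name(major, minor):
    return VERSIONS.get((major, minor), "unknown(%d.%d)" % (major, minor))


def classify_client_hello(data):
    """Return the framing and the highest version offered in a ClientHello."""
    if len(data) < 5:
        raise ValueError("need at least 5 bytes")
    # SSLv2 framing: 2-byte header with the top bit set, then msg type 1.
    if data[0] & 0x80 and data[2] == 0x01:
        return {"framing": "SSLv2Hello",
                "length": ((data[0] & 0x7F) << 8) | data[1],
                "offered": version_name(data[3], data[4])}
    # TLS framing: content type 22 (handshake), record version 3.x,
    # 2-byte length, then handshake type 1 and a 3-byte length.
    if data[0] == 0x16 and data[1] == 0x03 and len(data) >= 11 and data[5] == 0x01:
        return {"framing": "TLS record",
                "length": (data[3] << 8) | data[4],
                "offered": version_name(data[9], data[10])}
    raise ValueError("not a ClientHello")


def parse_alert(data):
    """Decode an unencrypted alert record (content type 21)."""
    if len(data) < 7 or data[0] != 0x15:
        raise ValueError("not an alert record")
    return (ALERT_LEVELS.get(data[5], "unknown"), ALERT_TYPES.get(data[6], str(data[6])))


# Constructed samples (not captured traffic).
V2_HELLO = (bytes([0x80, 0x1F, 0x01, 0x03, 0x01, 0x00, 0x06, 0x00, 0x00, 0x00, 0x10])
            + bytes([0x00, 0x00, 0x2F, 0x00, 0x00, 0x0A]) + bytes(16))
TLS_HELLO = (bytes([0x16, 0x03, 0x01, 0x00, 0x2D, 0x01, 0x00, 0x00, 0x29, 0x03, 0x01])
             + bytes(32) + bytes([0x00, 0x00, 0x02, 0x00, 0x2F, 0x01, 0x00]))
ALERT = bytes([0x15, 0x03, 0x01, 0x00, 0x02, 0x02, 0x28])

if __name__ == "__main__":
    for sample in (V2_HELLO, TLS_HELLO):
        print(classify_client_hello(sample))
    print(parse_alert(ALERT))
```

Both sample hellos offer TLSv1.0; only the outer framing differs, which is the distinction the question turns on.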
