Recently, I got in to a situation where my customer web service deactivated TLSv1 and TLSv1.1 protocol.
Updated client code to set following properties
Eventually, my application client that used to interact with Server started receiving below error in hand-shake
javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
After analysis I found out that my application runs on JDK 1.5 that only supports TLSv1.
To replicate this scenario, I deployed web-service in tomcat and made my tomcat to accept only TLSv1.2 protocol. This can be done by changing server.xml as follows:
<Connector ... SSLEnabled="true"
sslProtocols="TLSv1.2" sslEnabledProtocols =
"TLSv1.2" />
***Please note that it depends upon tomcat version to use which either of sslProtocols or sslEnabledProtocols attribute
Now when I ran my usual client application it received handshake failure as Client did Hello with TLSv1, while my server was not ready to accept it.
Possible solutions to update client were :
- Update my application to JDK 8 , as it uses TLSv1.2 as default protocol.
- Update my application to JDK (, say 7) that supports TLSv1.2 protocol. Then set following system properties in client code.
System.setProperty("https.protocols","TLSv1.2");
System.setProperty("deployment.security.TLSv1", "false");
System.setProperty("deployment.security.TLSv1.2", "true");
System.setProperty("deployment.security.TLSv1.1", "false");
|
*** But I noticed hat these properties work when my code was making normal URL Connections
- My application was making SOAP call to server to using 2nd option actually didn't worked in my case. Client that my application has is using AXIS 1.4 code to invoke SOAP service. I explored possible solution to do in this case:
- To write my class as follows :
public class TrustAllSSLSocketFactory extends JSSESocketFactory implements SecureSocketFactory {
public TrustAllSSLSocketFactory(Hashtable attributes) {
super(attributes);
}
@Override
protected void initFactory() throws IOException {
try {
SSLContext context = getContext();
sslFactory = context.getSocketFactory();
} catch (Exception e) {
if (e instanceof IOException) {
throw (IOException) e;
}
throw new IOException(e.getMessage());
}
}
protected SSLContext getContext() throws Exception {
/*String keystoreFile = (String) attributes.get("keystore");
String keystoreType = (String) attributes.get("keystoreType");
String keyPass = (String) attributes.get("keypass");
String protocol = (String) attributes.get("protocol");
String algorithm = (String) attributes.get("algorithm");
if(keystoreFile != null && keystorePass != null)
KeyStore kstore = initKeyStore(keystoreFile, keystorePass);
com.sun.net.ssl.KeyManagerFactory kmf = com.sun.net.ssl.KeyManagerFactory.getInstance(algorithm);
kmf.init(kstore, keystorePass.toCharArray());
com.sun.net.ssl.TrustManager[] tm = null;
com.sun.net.ssl.TrustManagerFactory tmf = com.sun.net.ssl.TrustManagerFactory.getInstance("SunX509");
tmf.init(kstore);
tm = tmf.getTrustManagers();
SSLContext context = SSLContext.getInstance(protocol);
context.init(kmf.getKeyManagers(), tm, new java.security.SecureRandom()); */
SSLContext context = SSLContext.getInstance("TSLv1.2");
context.init(null, null, null);
return context;
}
}
|
AxisProperties.setClassOverrideProperty(TrustAllSSLSocketFactory.class,"axis.socketFactory");
AxisProperties.setClassDefault(TrustAllSSLSocketFactory.class,"org.apache.axis.components.net.DefaultSocketFactory");
AxisProperties.setClassOverrideProperty(TrustAllSSLSocketFactory.class,"axis.socketSecureFactory");
AxisProperties.setClassDefault(TrustAllSSLSocketFactory.class,"org.apache.axis.components.net.JSSESocketFactory");
AxisProperties.setProperty("org.apache.axis.components.net.SecureSocketFactory", TrustAllSSLSocketFactory.class.getName());
|
- Other solution is to use SunJSSESocketFactory by setting following properties:
AxisProperties.setClassOverrideProperty(SunJSSESocketFactory.class,"axis.socketFactory");
AxisProperties.setClassDefault(SunJSSESocketFactory.class,"org.apache.axis.components.net.DefaultSocketFactory");
AxisProperties.setClassOverrideProperty(SunJSSESocketFactory.class,"axis.socketSecureFactory");
AxisProperties.setClassDefault(SunJSSESocketFactory.class,"org.apache.axis.components.net.JSSESocketFactory");
AxisProperties.setProperty("org.apache.axis.components.net.SecureSocketFactory", SunJSSESocketFactory.class.getName());
Service service = new Service(); Call call = (Call) service.createCall(); .... Hashtable |
Great Post
ReplyDeleteThis Resolved my problem also, i was struggling long time
Thank you @Satveer. Nice to hear back from you.
DeleteHi All
ReplyDeleteI have tried the above code change in application side but still i am getting exception saying that "java.io.IOException: TSLv1.1 SSLContext not available". I tried with 1.2 as well as 1.1, i am getting same error.
Is there any way to get out of this exception. Please suggest
Thanks,
Anupam
Hi All
ReplyDeleteI have tried the above code change in application side but still i am getting exception saying that "java.io.IOException: TSLv1.1 SSLContext not available". I tried with 1.2 as well as 1.1, i am getting same error.
Is there any way to get out of this exception. Please suggest
Thanks,
Anupam
Great post. This solved the problem we were facing with outbound SSL connections of Axis1.4 frame work from weblogic 10.3.6 server. we went with the "TrustAllSSLSocketFactory" solution.
ReplyDeleteOnce this code gets initialized during an Axis outbound call, it applies to all future Axis connections,which is good. we didn't need to change all outbound Axis calls. put this code in a static block and invoked a web service cal after that. then all looked good.
One small typo in the code though :)
SSLContext context = SSLContext.getInstance("TSLv1.2");
should be:
SSLContext context = SSLContext.getInstance("TLSv1.2");
TrustAllSSLSocketFactory is not working for me .i am getting SocketException:connection reset
ReplyDeleteplease help
DeleteI have tried above enforcing TLSv1.2 approach on AXIS client and it worked. Thank you.
ReplyDelete