
Use TLSv1.2 and deactivate TLSv1 and TLSv1.1

Recently, I got into a situation where my customer's web service deactivated the TLSv1 and TLSv1.1 protocols.

Eventually, my application client, which used to interact with that server, started receiving the following error during the handshake:

javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure 

After analysis I found out that my application runs on JDK 1.5, which only supports TLSv1.
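As an added check (not part of the original post), the following Java class asks the JVM's default SSLContext which protocol versions it supports and which it enables by default. It assumes JDK 6 or later, where SSLContext.getDefault() and getSupportedSSLParameters() exist, so it would not compile on the JDK 1.5 mentioned above; running it under each candidate JDK shows directly whether TLSv1.2 is offered before any Axis-level change is attempted. The class name TlsProtocolCheck is my own.

```java
import java.util.Arrays;
import java.util.List;

import javax.net.ssl.SSLContext;

/**
 * Added diagnostic, not from the original post: reports the TLS protocol
 * versions the running JVM supports and enables by default.
 * Assumes JDK 6+ (SSLContext.getDefault / getSupportedSSLParameters).
 */
public class TlsProtocolCheck {

    /** Every protocol version the default SSLContext is able to negotiate. */
    public static List<String> supportedProtocols() throws Exception {
        return Arrays.asList(SSLContext.getDefault().getSupportedSSLParameters().getProtocols());
    }

    /** Protocol versions a socket from the default context enables without further configuration. */
    public static List<String> enabledByDefault() throws Exception {
        return Arrays.asList(SSLContext.getDefault().getDefaultSSLParameters().getProtocols());
    }

    /** True when a default client socket would offer TLSv1.2 in its ClientHello. */
    public static boolean offersTls12ByDefault() throws Exception {
        return enabledByDefault().contains("TLSv1.2");
    }

    /** True when TLSv1.2 can at least be enabled explicitly on this JDK. */
    public static boolean canEnableTls12() throws Exception {
        return supportedProtocols().contains("TLSv1.2");
    }

    public static void main(String[] args) throws Exception {
        System.out.println("java.version        = " + System.getProperty("java.version"));
        System.out.println("supported protocols = " + supportedProtocols());
        System.out.println("enabled by default  = " + enabledByDefault());
        System.out.println("TLSv1.2 offered by default: " + offersTls12ByDefault());
        System.out.println("TLSv1.2 available at all:   " + canEnableTls12());
    }
}
```

If canEnableTls12() is false, no property or socket-factory change in the application can help and the JDK itself has to be upgraded; if it is true but offersTls12ByDefault() is false, the client must be told explicitly to use TLSv1.2, which is the situation the rest of this post deals with.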

To replicate this scenario, I deployed the web service in Tomcat and configured Tomcat to accept only the TLSv1.2 protocol. This can be done by changing server.xml as follows:

<Connector ... SSLEnabled="true" sslProtocols="TLSv1.2" sslEnabledProtocols = "TLSv1.2" />

*** Please note that whether the sslProtocols or the sslEnabledProtocols attribute applies depends on the Tomcat version.


Now when I ran my usual client application, it received a handshake failure because the client sent its Client Hello with TLSv1, while my server was no longer willing to accept it.

Possible solutions to update the client were:

  • Update my application to JDK 8, which uses TLSv1.2 as the default protocol.
  • Update my application to a JDK (say, 7) that supports the TLSv1.2 protocol, then set the following system properties in the client code.

System.setProperty("https.protocols","TLSv1.2");
System.setProperty("deployment.security.TLSv1", "false");
System.setProperty("deployment.security.TLSv1.2", "true");
System.setProperty("deployment.security.TLSv1.1", "false");
  
*** But I noticed that these properties only worked when my code was making normal URL connections.
  • My application was making SOAP calls to the server, so the second option did not actually work in my case. The client in my application uses Axis 1.4 code to invoke the SOAP service. I explored possible solutions for this case:
    • Write my own socket factory class as follows:
import java.io.IOException;
import java.util.Hashtable;

import javax.net.ssl.SSLContext;

import org.apache.axis.components.net.JSSESocketFactory;
import org.apache.axis.components.net.SecureSocketFactory;

public class TrustAllSSLSocketFactory extends JSSESocketFactory implements SecureSocketFactory {

    public TrustAllSSLSocketFactory(Hashtable attributes) {
        super(attributes);
    }

    // Axis calls this once to create the SSLSocketFactory used for every HTTPS call
    @Override
    protected void initFactory() throws IOException {
        try {
            SSLContext context = getContext();
            sslFactory = context.getSocketFactory();
        } catch (Exception e) {
            if (e instanceof IOException) {
                throw (IOException) e;
            }
            throw new IOException(e.getMessage());
        }
    }

    protected SSLContext getContext() throws Exception {
        /* Keystore-based variant, kept for reference but not used:
        String keystoreFile = (String) attributes.get("keystore");
        String keystoreType = (String) attributes.get("keystoreType");
        String keyPass = (String) attributes.get("keypass");
        String protocol = (String) attributes.get("protocol");
        String algorithm = (String) attributes.get("algorithm");

        KeyStore kstore = null;
        if (keystoreFile != null && keyPass != null) {
            kstore = initKeyStore(keystoreFile, keyPass);
        }

        com.sun.net.ssl.KeyManagerFactory kmf = com.sun.net.ssl.KeyManagerFactory.getInstance(algorithm);
        kmf.init(kstore, keyPass.toCharArray());

        com.sun.net.ssl.TrustManagerFactory tmf = com.sun.net.ssl.TrustManagerFactory.getInstance("SunX509");
        tmf.init(kstore);
        com.sun.net.ssl.TrustManager[] tm = tmf.getTrustManagers();

        SSLContext context = SSLContext.getInstance(protocol);
        context.init(kmf.getKeyManagers(), tm, new java.security.SecureRandom());
        */

        // The protocol name must be "TLSv1.2"; the earlier typo "TSLv1.2" fails with
        // "TSLv1.2 SSLContext not available" (see the comments below)
        SSLContext context = SSLContext.getInstance("TLSv1.2");
        // Null key and trust managers mean the JVM defaults (cacerts) are used, so despite
        // the class name the server certificate is still validated
        context.init(null, null, null);
        return context;
    }
}

Then update the client code to set the following properties:

AxisProperties.setClassOverrideProperty(TrustAllSSLSocketFactory.class,"axis.socketFactory");
AxisProperties.setClassDefault(TrustAllSSLSocketFactory.class,"org.apache.axis.components.net.DefaultSocketFactory");
AxisProperties.setClassOverrideProperty(TrustAllSSLSocketFactory.class,"axis.socketSecureFactory");
AxisProperties.setClassDefault(TrustAllSSLSocketFactory.class,"org.apache.axis.components.net.JSSESocketFactory");
AxisProperties.setProperty("org.apache.axis.components.net.SecureSocketFactory", TrustAllSSLSocketFactory.class.getName());

    • Another solution is to use SunJSSESocketFactory by setting the following properties:

AxisProperties.setClassOverrideProperty(SunJSSESocketFactory.class, "axis.socketFactory");
AxisProperties.setClassDefault(SunJSSESocketFactory.class, "org.apache.axis.components.net.DefaultSocketFactory");
AxisProperties.setClassOverrideProperty(SunJSSESocketFactory.class, "axis.socketSecureFactory");
AxisProperties.setClassDefault(SunJSSESocketFactory.class, "org.apache.axis.components.net.JSSESocketFactory");
AxisProperties.setProperty("org.apache.axis.components.net.SecureSocketFactory", SunJSSESocketFactory.class.getName());

import java.util.Hashtable;

import org.apache.axis.client.Call;
import org.apache.axis.client.Service;
import org.apache.axis.transport.http.HTTPSender;

Service service = new Service();
Call call = (Call) service.createCall();
....
Hashtable hashtable = new Hashtable();
// "protocol" is the attribute SunJSSESocketFactory reads when it builds its SSLContext
hashtable.put("protocol", "TLSv1.2");
hashtable.put("keystore", "");
MyRequestHandler handler = new MyRequestHandler();
handler.setOptions(hashtable);
call.setClientHandlers(handler, null);
...

class MyRequestHandler extends HTTPSender {

    // Merge the supplied options into the handler's existing ones instead of replacing them,
    // so the "protocol" entry reaches the socket factory alongside the defaults
    @Override
    public void setOptions(Hashtable opts) {
        Hashtable merged = super.getOptions();
        if (merged == null) {
            merged = new Hashtable();
        }
        merged.putAll(opts);
        super.setOptions(merged);
    }
}




Comments

  1. Great post.

    This resolved my problem also; I was struggling for a long time.

    1. Thank you @Satveer. Nice to hear back from you.

  2. Hi All,

    I have tried the above code change on the application side but I am still getting an exception saying "java.io.IOException: TSLv1.1 SSLContext not available". I tried with 1.2 as well as 1.1; I am getting the same error.

    Is there any way to get out of this exception? Please suggest.

    Thanks,
    Anupam

  3. Great post. This solved the problem we were facing with outbound SSL connections of the Axis 1.4 framework from a WebLogic 10.3.6 server. We went with the "TrustAllSSLSocketFactory" solution.
    Once this code gets initialized during an Axis outbound call, it applies to all future Axis connections, which is good. We didn't need to change all outbound Axis calls. We put this code in a static block and invoked a web service call after that; then all looked good.

    One small typo in the code though :)

    SSLContext context = SSLContext.getInstance("TSLv1.2");

    should be:

    SSLContext context = SSLContext.getInstance("TLSv1.2");

  4. TrustAllSSLSocketFactory is not working for me. I am getting SocketException: connection reset.

  5. I have tried the above approach of enforcing TLSv1.2 on the AXIS client and it worked. Thank you.
