
Use TLSv1.2 and deactivate TLSv1 and TLSv1.1

Recently, I got into a situation where a customer's web service deactivated the TLSv1 and TLSv1.1 protocols.

Soon after, my application's client, which used to interact with that server, started receiving the following error during the handshake:

javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure 

After analysis I found that my application runs on JDK 1.5, whose JSSE supports nothing newer than TLSv1, so its ClientHello could never offer TLSv1.2.

To replicate this scenario, I deployed the web service in Tomcat and configured Tomcat to accept only the TLSv1.2 protocol. This is done on the HTTPS connector in server.xml:

<Connector ... SSLEnabled="true" sslProtocols="TLSv1.2" sslEnabledProtocols="TLSv1.2" />

*** Please note that which of the two attributes is honoured depends on the Tomcat version: older Tomcat 6 releases recognise sslProtocols, newer 6.0 releases and Tomcat 7 onwards use sslEnabledProtocols. Setting both, as above, is harmless, since an unknown attribute is only logged as a warning. Do not confuse either with the singular sslProtocol, which only selects the SSLContext and does not restrict what clients may negotiate.


When I then ran my usual client application, it received the handshake failure: the client's ClientHello offered TLSv1 as its highest version, which my server, now configured for TLSv1.2 only, refused.
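To see this failure from the client side before touching any application code, here is an added example (not from the original post) that probes a server one TLS version at a time and also prints which versions the running JDK supports versus enables by default. The host and port are placeholders for the Tomcat instance above; it needs JDK 6 or newer for SSLContext.getDefault().

```java
import java.io.IOException;
import java.net.InetSocketAddress;
import java.util.Arrays;

import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

/**
 * Added example: probe which TLS versions a server will negotiate, one
 * ClientHello per version, and print what this JDK supports versus enables
 * by default. Host and port are assumed (defaults point at a local Tomcat).
 */
public class TlsProbe {

    // Versions to offer, one at a time. SSLv3 is left out on purpose.
    private static final String[] VERSIONS = {"TLSv1", "TLSv1.1", "TLSv1.2"};

    public static void main(String[] args) throws Exception {
        String host = args.length > 0 ? args[0] : "localhost"; // assumed target
        int port = args.length > 1 ? Integer.parseInt(args[1]) : 8443;

        SSLContext ctx = SSLContext.getDefault();
        System.out.println("java.version = " + System.getProperty("java.version"));
        // "supported" is what the JDK can do; "default" is what a plain SSLSocket
        // offers. On JDK 7 the first list contains TLSv1.2 and the second does
        // not, which is exactly why the unmodified client fails.
        System.out.println("supported protocols: "
                + Arrays.toString(ctx.getSupportedSSLParameters().getProtocols()));
        System.out.println("default protocols:   "
                + Arrays.toString(ctx.getDefaultSSLParameters().getProtocols()));

        for (String version : VERSIONS) {
            System.out.println(version + " -> " + probe(ctx.getSocketFactory(), host, port, version));
        }
    }

    /** Returns a one-line verdict for a handshake restricted to the given version. */
    static String probe(SSLSocketFactory factory, String host, int port, String version) {
        SSLSocket socket = null;
        try {
            socket = (SSLSocket) factory.createSocket();
            socket.connect(new InetSocketAddress(host, port), 5000);
            socket.setSoTimeout(5000);
            // Restrict the ClientHello to exactly one version; throws
            // IllegalArgumentException when this JDK does not know the name.
            socket.setEnabledProtocols(new String[] {version});
            socket.startHandshake();
            return "accepted, negotiated " + socket.getSession().getProtocol()
                    + " with " + socket.getSession().getCipherSuite();
        } catch (IllegalArgumentException e) {
            return "not supported by this JDK";
        } catch (SSLHandshakeException e) {
            // A TLSv1.2-only server answers a TLSv1 ClientHello with a fatal alert,
            // which JSSE reports as "Received fatal alert: handshake_failure"
            // (or protocol_version, depending on the server). A certificate-trust
            // problem lands here too, with a PKIX message instead of an alert.
            return "handshake failed: " + e.getMessage();
        } catch (IOException e) {
            return "connection error: " + e;
        } finally {
            if (socket != null) {
                try { socket.close(); } catch (IOException ignored) { }
            }
        }
    }
}
```

Run it with javac TlsProbe.java && java TlsProbe host 8443. Against the TLSv1.2-only Tomcat above, TLSv1 and TLSv1.1 come back as "handshake failed" while TLSv1.2 is accepted; on JDK 7 the "default protocols" line shows TLSv1.2 as supported but not enabled, which is the real cause of the handshake_failure. Trust the test server's certificate first so that a PKIX failure is not mistaken for a version mismatch.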

Possible ways to fix the client were:

  • Move the application to JDK 8, which enables TLSv1.2 by default on the client side.
  • Move the application to a JDK that supports TLSv1.2 but does not enable it by default (say JDK 7), and set the following system properties in the client code:

System.setProperty("https.protocols", "TLSv1.2");
System.setProperty("deployment.security.TLSv1", "false");
System.setProperty("deployment.security.TLSv1.2", "true");
System.setProperty("deployment.security.TLSv1.1", "false");

*** But I noticed that these properties only took effect when my code was making plain HttpsURLConnection calls: https.protocols is honoured by HttpsURLConnection, and the deployment.security.* keys are Java Plug-in / Web Start deployment properties that a standalone application ignores.
  • My application was making its SOAP calls through Axis 1.4, which opens its own sockets through a SecureSocketFactory, so the second option did not work in my case. I explored two possible solutions for that case:
    • Write my own factory class as follows:
import java.io.IOException;
import java.util.Hashtable;

import javax.net.ssl.SSLContext;

import org.apache.axis.components.net.JSSESocketFactory;
import org.apache.axis.components.net.SecureSocketFactory;

// Copy of Axis 1.4's SunJSSESocketFactory with getContext() replaced by a fixed
// TLSv1.2 context. Despite the name, this factory does not trust all
// certificates: context.init(null, null, null) keeps the JDK default key and
// trust managers, so server certificate validation stays on.
public class TrustAllSSLSocketFactory extends JSSESocketFactory implements SecureSocketFactory {

    public TrustAllSSLSocketFactory(Hashtable attributes) {
        super(attributes);
    }

    @Override
    protected void initFactory() throws IOException {
        try {
            SSLContext context = getContext();
            sslFactory = context.getSocketFactory(); // protected field inherited from JSSESocketFactory
        } catch (Exception e) {
            if (e instanceof IOException) {
                throw (IOException) e;
            }
            throw new IOException(e.getMessage());
        }
    }

    protected SSLContext getContext() throws Exception {
        /* Original keystore-based initialisation from SunJSSESocketFactory (deprecated
           com.sun.net.ssl API), left here commented out for reference:

        String keystoreFile = (String) attributes.get("keystore");
        String keystoreType = (String) attributes.get("keystoreType");
        String keystorePass = (String) attributes.get("keypass");
        String protocol = (String) attributes.get("protocol");
        String algorithm = (String) attributes.get("algorithm");

        KeyStore kstore = initKeyStore(keystoreFile, keystorePass);

        com.sun.net.ssl.KeyManagerFactory kmf = com.sun.net.ssl.KeyManagerFactory.getInstance(algorithm);
        kmf.init(kstore, keystorePass.toCharArray());

        com.sun.net.ssl.TrustManagerFactory tmf = com.sun.net.ssl.TrustManagerFactory.getInstance("SunX509");
        tmf.init(kstore);
        com.sun.net.ssl.TrustManager[] tm = tmf.getTrustManagers();

        SSLContext context = SSLContext.getInstance(protocol);
        context.init(kmf.getKeyManagers(), tm, new java.security.SecureRandom());
        */

        // Note the spelling: the post originally had "TSLv1.2", which fails with
        // "TSLv1.2 SSLContext not available".
        SSLContext context = SSLContext.getInstance("TLSv1.2");
        context.init(null, null, null);
        return context;
    }
}

Then update the client code to register the factory with Axis. This has to run before the first HTTPS call, because Axis caches the socket factory per protocol and keeps using whichever one it created first:

AxisProperties.setClassOverrideProperty(TrustAllSSLSocketFactory.class, "axis.socketFactory");
AxisProperties.setClassDefault(TrustAllSSLSocketFactory.class, "org.apache.axis.components.net.DefaultSocketFactory");
AxisProperties.setClassOverrideProperty(TrustAllSSLSocketFactory.class, "axis.socketSecureFactory");
AxisProperties.setClassDefault(TrustAllSSLSocketFactory.class, "org.apache.axis.components.net.JSSESocketFactory");
AxisProperties.setProperty("org.apache.axis.components.net.SecureSocketFactory", TrustAllSSLSocketFactory.class.getName());

    • The other solution is to use Axis's own SunJSSESocketFactory and hand it the protocol through the handler options, by setting the following properties:

import java.util.Hashtable;

import org.apache.axis.AxisProperties;
import org.apache.axis.client.Call;
import org.apache.axis.client.Service;
import org.apache.axis.components.net.SunJSSESocketFactory;
import org.apache.axis.transport.http.HTTPSender;

AxisProperties.setClassOverrideProperty(SunJSSESocketFactory.class, "axis.socketFactory");
AxisProperties.setClassDefault(SunJSSESocketFactory.class, "org.apache.axis.components.net.DefaultSocketFactory");
AxisProperties.setClassOverrideProperty(SunJSSESocketFactory.class, "axis.socketSecureFactory");
AxisProperties.setClassDefault(SunJSSESocketFactory.class, "org.apache.axis.components.net.JSSESocketFactory");
AxisProperties.setProperty("org.apache.axis.components.net.SecureSocketFactory", SunJSSESocketFactory.class.getName());

Service service = new Service();
Call call = (Call) service.createCall();
....
// The handler's options are what Axis passes to the SecureSocketFactory as its
// attributes, so SunJSSESocketFactory.getContext() reads "protocol" (and
// "keystore", "keystoreType", "keypass", "algorithm") from here.
Hashtable hashtable = new Hashtable();
hashtable.put("protocol", "TLSv1.2");
hashtable.put("keystore", "");
MyRequestHandler handler = new MyRequestHandler();
handler.setOptions(hashtable);
call.setClientHandlers(handler, null); // request handler only; no response handler
...

// HTTPSender subclass that merges the supplied options into its existing ones
// instead of replacing them.
class MyRequestHandler extends HTTPSender {

    @Override
    public void setOptions(Hashtable opts) {
        Hashtable merged = super.getOptions();
        if (merged == null) {
            merged = new Hashtable();
        }
        for (Object key : opts.keySet()) {
            merged.put(key, opts.get(key));
        }
        super.setOptions(merged);
    }
}
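Both factories above rely on SSLContext.getInstance("TLSv1.2"), which on JDK 7 still leaves TLSv1 and TLSv1.1 enabled on the sockets it creates; the fix works because the client now offers 1.2 as its highest version, not because the older versions are gone. If the goal in the title is really to deactivate TLSv1 and TLSv1.1 on the client as well, the enabled-protocol list of each socket has to be pinned. The following is an added example, not code from the post or from the Axis project: an Axis 1.4 SecureSocketFactory that wraps the JDK socket factory and pins every socket to TLSv1.2, with certificate validation left at the JDK defaults. The register() helper, and its use of the axis.socketSecureFactory override property, are my additions.

```java
import java.io.IOException;
import java.net.InetAddress;
import java.net.Socket;
import java.security.GeneralSecurityException;
import java.util.Hashtable;

import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

import org.apache.axis.AxisProperties;
import org.apache.axis.components.net.JSSESocketFactory;
import org.apache.axis.components.net.SecureSocketFactory;

/**
 * Added example: an Axis 1.4 SecureSocketFactory that builds a TLSv1.2 context
 * and additionally pins the enabled protocol list of every socket it hands out
 * to TLSv1.2, so TLSv1 and TLSv1.1 are never offered even when the JDK's
 * TLSv1.2 context enables them by default. Trust and key managers stay at the
 * JDK defaults, so server certificate validation is unchanged.
 */
public class Tls12OnlySocketFactory extends JSSESocketFactory implements SecureSocketFactory {

    private static final String[] ENABLED_PROTOCOLS = {"TLSv1.2"};

    public Tls12OnlySocketFactory(Hashtable attributes) {
        super(attributes);
    }

    /** Call once, before the first HTTPS call: Axis caches the factory per protocol. */
    public static void register() {
        // axis.socketSecureFactory is Axis's override property for SecureSocketFactory
        // (the same key can be passed as -Daxis.socketSecureFactory=... on the JVM).
        AxisProperties.setProperty("axis.socketSecureFactory", Tls12OnlySocketFactory.class.getName());
    }

    @Override
    protected void initFactory() throws IOException {
        try {
            SSLContext context = SSLContext.getInstance("TLSv1.2");
            context.init(null, null, null); // default key/trust managers: validation stays on
            sslFactory = new ProtocolPinningSocketFactory(context.getSocketFactory(), ENABLED_PROTOCOLS);
        } catch (GeneralSecurityException e) {
            throw new IOException("cannot build TLSv1.2 context: " + e.getMessage());
        }
    }

    /** Delegating SSLSocketFactory that restricts each new SSLSocket to the given protocols. */
    static final class ProtocolPinningSocketFactory extends SSLSocketFactory {
        private final SSLSocketFactory delegate;
        private final String[] protocols;

        ProtocolPinningSocketFactory(SSLSocketFactory delegate, String[] protocols) {
            this.delegate = delegate;
            this.protocols = protocols.clone();
        }

        private Socket pin(Socket s) {
            if (s instanceof SSLSocket) {
                ((SSLSocket) s).setEnabledProtocols(protocols);
            }
            return s;
        }

        public String[] getDefaultCipherSuites() { return delegate.getDefaultCipherSuites(); }
        public String[] getSupportedCipherSuites() { return delegate.getSupportedCipherSuites(); }

        public Socket createSocket() throws IOException {
            return pin(delegate.createSocket());
        }
        public Socket createSocket(Socket s, String host, int port, boolean autoClose) throws IOException {
            return pin(delegate.createSocket(s, host, port, autoClose));
        }
        public Socket createSocket(String host, int port) throws IOException {
            return pin(delegate.createSocket(host, port));
        }
        public Socket createSocket(String host, int port, InetAddress localHost, int localPort) throws IOException {
            return pin(delegate.createSocket(host, port, localHost, localPort));
        }
        public Socket createSocket(InetAddress host, int port) throws IOException {
            return pin(delegate.createSocket(host, port));
        }
        public Socket createSocket(InetAddress address, int port, InetAddress localAddress, int localPort) throws IOException {
            return pin(delegate.createSocket(address, port, localAddress, localPort));
        }
    }
}
```

Call Tls12OnlySocketFactory.register() from a static initialiser or at application start-up, before any Axis HTTPS call; after that, every socket Axis opens through it sends a ClientHello for TLSv1.2 only. The wrapper pins the protocol list rather than trusting SSLContext.getInstance("TLSv1.2") alone, because on JDK 7 that context's sockets still enable TLSv1 and TLSv1.1.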




Comments

  1. Great post.

    This resolved my problem also; I was struggling for a long time.

    Replies
    1. Thank you @Satveer. Nice to hear back from you.
  2. Hi All

    I have tried the above code change on the application side, but I am still getting an exception saying "java.io.IOException: TSLv1.1 SSLContext not available". I tried with 1.2 as well as 1.1; I am getting the same error.

    Is there any way to get out of this exception? Please suggest.

    Thanks,
    Anupam
  4. Great post. This solved the problem we were facing with outbound SSL connections of the Axis 1.4 framework from a WebLogic 10.3.6 server. We went with the "TrustAllSSLSocketFactory" solution.
    Once this code gets initialized during an Axis outbound call, it applies to all future Axis connections, which is good. We didn't need to change all outbound Axis calls. We put this code in a static block and invoked a web service call after that; then all looked good.

    One small typo in the code though :)

    SSLContext context = SSLContext.getInstance("TSLv1.2");

    should be:

    SSLContext context = SSLContext.getInstance("TLSv1.2");
  5. TrustAllSSLSocketFactory is not working for me. I am getting SocketException: connection reset.

  6. I have tried the above TLSv1.2-enforcing approach on the AXIS client and it worked. Thank you.
