WASdev / ci.docker.websphere-traditional

Dockerfiles for WebSphere Application Server traditional
Apache License 2.0

WebSphere 9 always sending ClientHello TLSv1 for SSL handshake. How can I force TLSv1.2? #152

Closed bvinoth186 closed 5 years ago

bvinoth186 commented 5 years ago

I'm working with the WebSphere traditional 9.0.0.9 image and trying to create a datasource to connect to PostgreSQL, which is running on IBM Cloud. When I try the test connection after creating the data source, I'm receiving an SSL handshake exception. The SSL trace shows me that my WebSphere is sending ClientHello, TLSv1, whereas all the connections to the PostgreSQL are TLS 1.2 enabled.

I made the configurations below in my WebSphere to force TLSv1.2 communication, but it always initiates a TLSv1 call.

In SSL settings, Quality of protection (QoP) settings, I selected TLSv1.2 as the protocol. Previously SSL_TLSv2 was selected.

In the server JVM arguments, I added `-Djdk.tls.client.protocols=TLSv1.2 -Dhttps.protocols=TLSv1.2`.

In the server's `ssl.client.props` properties file, I updated `com.ibm.ssl.protocol=TLSv1.2`.

I restarted the server, but no luck.

I have attached the SSL trace here. Can you help me with this?

```
[3/9/19 20:10:27:031 UTC] 00000087 SystemOut O WebContainer : 2, READ: TLSv1.2 Alert, length = 26
[3/9/19 20:10:27:031 UTC] 00000087 SystemOut O CipherBox: Using cipher AES/GCM/NoPadding from provider from init IBMJCE version 1.8
[3/9/19 20:10:27:032 UTC] 00000091 SystemOut O WebContainer : 6, READ: TLSv1.2 Alert, length = 26
[3/9/19 20:10:27:032 UTC] 00000091 SystemOut O CipherBox: Using cipher AES/GCM/NoPadding from provider from init IBMJCE version 1.8
[3/9/19 20:10:27:032 UTC] 00000087 SystemOut O WebContainer : 2, RECV TLSv1.2 ALERT: warning, close_notify
[3/9/19 20:10:27:032 UTC] 00000087 SystemOut O WebContainer : 2, closeInboundInternal()
[3/9/19 20:10:27:032 UTC] 00000087 SystemOut O WebContainer : 2, closeOutboundInternal()
[3/9/19 20:10:27:032 UTC] 00000087 SystemOut O WebContainer : 2, SEND TLSv1.2 ALERT: warning, description = close_notify
[3/9/19 20:10:27:033 UTC] 00000091 SystemOut O WebContainer : 6, RECV TLSv1.2 ALERT: warning, close_notify
[3/9/19 20:10:27:033 UTC] 00000087 SystemOut O CipherBox: Using cipher AES/GCM/NoPadding from provider from init IBMJCE version 1.8
[3/9/19 20:10:27:033 UTC] 00000091 SystemOut O WebContainer : 6, closeInboundInternal()
[3/9/19 20:10:27:033 UTC] 00000091 SystemOut O WebContainer : 6, closeOutboundInternal()
[3/9/19 20:10:27:033 UTC] 00000091 SystemOut O WebContainer : 6, SEND TLSv1.2 ALERT: warning, description = close_notify
[3/9/19 20:10:27:033 UTC] 00000091 SystemOut O CipherBox: Using cipher AES/GCM/NoPadding from provider from init IBMJCE version 1.8
[3/9/19 20:10:27:033 UTC] 00000087 SystemOut O WebContainer : 2, WRITE: TLSv1.2 Alert, length = 26
[3/9/19 20:10:27:034 UTC] 00000091 SystemOut O WebContainer : 6, WRITE: TLSv1.2 Alert, length = 26
[3/9/19 20:10:27:038 UTC] 00000091 SystemOut O WebContainer : 6, READ: TLSv1.2 Alert, length = 26
[3/9/19 20:10:27:038 UTC] 00000091 SystemOut O CipherBox: Using cipher AES/GCM/NoPadding from provider from init IBMJCE version 1.8
[3/9/19 20:10:27:039 UTC] 00000091 SystemOut O WebContainer : 6, RECV TLSv1.2 ALERT: warning, close_notify
[3/9/19 20:10:27:039 UTC] 00000091 SystemOut O WebContainer : 6, closeInboundInternal()
[3/9/19 20:10:27:039 UTC] 00000091 SystemOut O WebContainer : 6, closeOutboundInternal()
[3/9/19 20:10:27:039 UTC] 00000091 SystemOut O WebContainer : 6, SEND TLSv1.2 ALERT: warning, description = close_notify
[3/9/19 20:10:27:039 UTC] 00000091 SystemOut O CipherBox: Using cipher AES/GCM/NoPadding from provider from init IBMJCE version 1.8
[3/9/19 20:10:27:040 UTC] 00000091 SystemOut O WebContainer : 6, WRITE: TLSv1.2 Alert, length = 26
[3/9/19 20:10:27:041 UTC] 00000086 SystemOut O WebContainer : 1, READ: TLSv1.2 Alert, length = 26
[3/9/19 20:10:27:041 UTC] 00000086 SystemOut O CipherBox: Using cipher AES/GCM/NoPadding from provider from init IBMJCE version 1.8
[3/9/19 20:10:27:042 UTC] 00000086 SystemOut O WebContainer : 1, RECV TLSv1.2 ALERT: warning, close_notify
[3/9/19 20:10:27:043 UTC] 00000086 SystemOut O WebContainer : 1, closeInboundInternal()
[3/9/19 20:10:27:043 UTC] 00000086 SystemOut O WebContainer : 1, closeOutboundInternal()
[3/9/19 20:10:27:043 UTC] 00000086 SystemOut O WebContainer : 1, SEND TLSv1.2 ALERT: warning, description = close_notify
[3/9/19 20:10:27:043 UTC] 00000086 SystemOut O CipherBox: Using cipher AES/GCM/NoPadding from provider from init IBMJCE version 1.8
[3/9/19 20:10:27:044 UTC] 00000086 SystemOut O WebContainer : 1, WRITE: TLSv1.2 Alert, length = 26
[3/9/19 20:10:27:048 UTC] 00000091 SystemOut O WebContainer : 6, READ: TLSv1.2 Alert, length = 26
[3/9/19 20:10:27:049 UTC] 00000091 SystemOut O CipherBox: Using cipher AES/GCM/NoPadding from provider from init IBMJCE version 1.8
[3/9/19 20:10:27:049 UTC] 00000091 SystemOut O WebContainer : 6, RECV TLSv1.2 ALERT: warning, close_notify
[3/9/19 20:10:27:050 UTC] 00000091 SystemOut O WebContainer : 6, closeInboundInternal()
[3/9/19 20:10:27:050 UTC] 00000091 SystemOut O WebContainer : 6, closeOutboundInternal()
[3/9/19 20:10:27:050 UTC] 00000091 SystemOut O WebContainer : 6, SEND TLSv1.2 ALERT: warning, description = close_notify
[3/9/19 20:10:27:050 UTC] 00000091 SystemOut O CipherBox: Using cipher AES/GCM/NoPadding from provider from init IBMJCE version 1.8
[3/9/19 20:10:27:051 UTC] 00000091 SystemOut O WebContainer : 6, WRITE: TLSv1.2 Alert, length = 26
[3/9/19 20:10:28:893 UTC] 00000090 SystemOut O X509KeyManager passed to SSLContext.init(): need an X509ExtendedKeyManager for SSLEngine use
[3/9/19 20:10:28:897 UTC] 00000090 SystemOut O SSLContextImpl: Using X509KeyManager com.ibm.jsse2.ax
[3/9/19 20:10:28:897 UTC] 00000090 SystemOut O SSLContextImpl: Using X509TrustManager org.postgresql.ssl.NonValidatingFactory$NonValidatingTM
[3/9/19 20:10:28:897 UTC] 00000090 SystemOut O JsseJCE: Using SecureRandom SHA2DRBG from provider IBMJCE version 1.8
[3/9/19 20:10:28:898 UTC] 00000090 SystemOut O trigger seeding of SecureRandom
[3/9/19 20:10:28:942 UTC] 00000090 SystemOut O done seeding SecureRandom
[3/9/19 20:10:28:946 UTC] 00000090 SystemOut O Is initial handshake: true
[3/9/19 20:10:28:947 UTC] 00000090 SystemOut O Is initial handshake: true
[3/9/19 20:10:28:948 UTC] 00000090 SystemOut O Ignoring unsupported cipher suite: SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
[3/9/19 20:10:28:948 UTC] 00000090 SystemOut O Ignoring unsupported cipher suite: SSL_ECDHE_RSA_WITH_AES_256_CBC_SHA384
[3/9/19 20:10:28:948 UTC] 00000090 SystemOut O Ignoring unsupported cipher suite: SSL_RSA_WITH_AES_256_CBC_SHA256
[3/9/19 20:10:28:948 UTC] 00000090 SystemOut O Ignoring unsupported cipher suite: SSL_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
[3/9/19 20:10:28:948 UTC] 00000090 SystemOut O Ignoring unsupported cipher suite: SSL_ECDH_RSA_WITH_AES_256_CBC_SHA384
[3/9/19 20:10:28:948 UTC] 00000090 SystemOut O Ignoring unsupported cipher suite: SSL_DHE_RSA_WITH_AES_256_CBC_SHA256
[3/9/19 20:10:28:948 UTC] 00000090 SystemOut O Ignoring unsupported cipher suite: SSL_DHE_DSS_WITH_AES_256_CBC_SHA256
[3/9/19 20:10:28:948 UTC] 00000090 SystemOut O Ignoring unsupported cipher suite: SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
[3/9/19 20:10:28:948 UTC] 00000090 SystemOut O Ignoring unsupported cipher suite: SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA256
[3/9/19 20:10:28:948 UTC] 00000090 SystemOut O Ignoring unsupported cipher suite: SSL_RSA_WITH_AES_128_CBC_SHA256
[3/9/19 20:10:28:948 UTC] 00000090 SystemOut O Ignoring unsupported cipher suite: SSL_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
[3/9/19 20:10:28:948 UTC] 00000090 SystemOut O Ignoring unsupported cipher suite: SSL_ECDH_RSA_WITH_AES_128_CBC_SHA256
[3/9/19 20:10:28:949 UTC] 00000090 SystemOut O Ignoring unsupported cipher suite: SSL_DHE_RSA_WITH_AES_128_CBC_SHA256
[3/9/19 20:10:28:949 UTC] 00000090 SystemOut O Ignoring unsupported cipher suite: SSL_DHE_DSS_WITH_AES_128_CBC_SHA256
[3/9/19 20:10:28:949 UTC] 00000090 SystemOut O Ignoring unsupported cipher suite: SSL_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
[3/9/19 20:10:28:949 UTC] 00000090 SystemOut O Ignoring unsupported cipher suite: SSL_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
[3/9/19 20:10:28:949 UTC] 00000090 SystemOut O Ignoring unsupported cipher suite: SSL_ECDHE_RSA_WITH_AES_256_GCM_SHA384
[3/9/19 20:10:28:949 UTC] 00000090 SystemOut O Ignoring unsupported cipher suite: SSL_RSA_WITH_AES_256_GCM_SHA384
[3/9/19 20:10:28:949 UTC] 00000090 SystemOut O Ignoring unsupported cipher suite: SSL_ECDH_ECDSA_WITH_AES_256_GCM_SHA384
[3/9/19 20:10:28:949 UTC] 00000090 SystemOut O Ignoring unsupported cipher suite: SSL_ECDH_RSA_WITH_AES_256_GCM_SHA384
[3/9/19 20:10:28:949 UTC] 00000090 SystemOut O Ignoring unsupported cipher suite: SSL_DHE_DSS_WITH_AES_256_GCM_SHA384
[3/9/19 20:10:28:949 UTC] 00000090 SystemOut O Ignoring unsupported cipher suite: SSL_DHE_RSA_WITH_AES_256_GCM_SHA384
[3/9/19 20:10:28:949 UTC] 00000090 SystemOut O Ignoring unsupported cipher suite: SSL_ECDHE_RSA_WITH_AES_128_GCM_SHA256
[3/9/19 20:10:28:949 UTC] 00000090 SystemOut O Ignoring unsupported cipher suite: SSL_RSA_WITH_AES_128_GCM_SHA256
[3/9/19 20:10:28:949 UTC] 00000090 SystemOut O Ignoring unsupported cipher suite: SSL_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
[3/9/19 20:10:28:949 UTC] 00000090 SystemOut O Ignoring unsupported cipher suite: SSL_ECDH_RSA_WITH_AES_128_GCM_SHA256
[3/9/19 20:10:28:950 UTC] 00000090 SystemOut O Ignoring unsupported cipher suite: SSL_DHE_RSA_WITH_AES_128_GCM_SHA256
[3/9/19 20:10:28:950 UTC] 00000090 SystemOut O Ignoring unsupported cipher suite: SSL_DHE_DSS_WITH_AES_128_GCM_SHA256
[3/9/19 20:10:28:950 UTC] 00000090 SystemOut O %% No cached client session
[3/9/19 20:10:28:951 UTC] 00000090 SystemOut O ALPNJSSEExt not initialzed for Client
[3/9/19 20:10:28:951 UTC] 00000090 SystemOut O ClientHello, TLSv1
[3/9/19 20:10:28:951 UTC] 00000090 SystemOut O RandomCookie: GMT: 1535384756 bytes = { 247, 108, 226, 59, 54, 187, 101, 14, 95, 251, 73, 147, 217, 248, 218, 111, 67, 202, 92, 205, 47, 42, 141, 87, 25, 87, 2, 68 }
[3/9/19 20:10:28:952 UTC] 00000090 SystemOut O Session ID: {}
[3/9/19 20:10:28:952 UTC] 00000090 SystemOut O Cipher Suites: [TLS_EMPTY_RENEGOTIATION_INFO_SCSV, SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, SSL_ECDHE_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_AES_256_CBC_SHA, SSL_ECDH_ECDSA_WITH_AES_256_CBC_SHA, SSL_ECDH_RSA_WITH_AES_256_CBC_SHA, SSL_DHE_RSA_WITH_AES_256_CBC_SHA, SSL_DHE_DSS_WITH_AES_256_CBC_SHA, SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_AES_128_CBC_SHA, SSL_ECDH_ECDSA_WITH_AES_128_CBC_SHA, SSL_ECDH_RSA_WITH_AES_128_CBC_SHA, SSL_DHE_RSA_WITH_AES_128_CBC_SHA, SSL_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA]
[3/9/19 20:10:28:952 UTC] 00000090 SystemOut O Compression Methods: { 0 }
[3/9/19 20:10:28:952 UTC] 00000090 SystemOut O Extension elliptic_curves, curve names: {secp256r1, secp384r1, secp521r1, secp256k1}
[3/9/19 20:10:28:952 UTC] 00000090 SystemOut O Extension ec_point_formats, formats: [uncompressed]
[3/9/19 20:10:28:952 UTC] 00000090 SystemOut O Extension extended_master_secret
[3/9/19 20:10:28:953 UTC] 00000090 SystemOut O Extension server_name, server_name: [type=host_name (0), value=5a3ec84c-0eb5-49ba-899d-91a9339f02a9.d7deeff0d58745aba57fa5c84685d5b4.databases.appdomain.cloud]
[3/9/19 20:10:28:953 UTC] 00000090 SystemOut O
[3/9/19 20:10:28:954 UTC] 00000090 SystemOut O [write] MD5 and SHA1 hashes: len = 217
[3/9/19 20:10:28:954 UTC] 00000090 SystemOut O 0000: 01 00 00 d5 03 01 5c 84 1d b4 f7 6c e2 3b 36 bb  ...........l..6.
0010: 65 0e 5f fb 49 93 d9 f8 da 6f 43 ca 5c cd 2f 2a  e...I....oC.....
0020: 8d 57 19 57 02 44 00 00 2c 00 ff c0 0a c0 14 00  .W.W.D..........
0030: 35 c0 05 c0 0f 00 39 00 38 c0 09 c0 13 00 2f c0  5.....9.8.......
0040: 04 c0 0e 00 33 00 32 c0 08 c0 12 00 0a c0 03 c0  ....3.2.........
0050: 0d 00 16 00 13 01 00 00 80 00 0a 00 0a 00 08 00  ................
0060: 17 00 18 00 19 00 16 00 0b 00 02 01 00 00 17 00  ................
0070: 00 00 00 00 64 00 62 00 00 5f 35 61 33 65 63 38  ....d.b...5a3ec8
0080: 34 63 2d 30 65 62 35 2d 34 39 62 61 2d 38 39 39  4c.0eb5.49ba.899
0090: 64 2d 39 31 61 39 33 33 39 66 30 32 61 39 2e 64  d.91a9339f02a9.d
00a0: 37 64 65 65 66 66 30 64 35 38 37 34 35 61 62 61  7deeff0d58745aba
00b0: 35 37 66 61 35 63 38 34 36 38 35 64 35 62 34 2e  57fa5c84685d5b4.
00c0: 64 61 74 61 62 61 73 65 73 2e 61 70 70 64 6f 6d  databases.appdom
00d0: 61 69 6e 2e 63 6c 6f 75 64                       ain.cloud
[3/9/19 20:10:28:955 UTC] 00000090 SystemOut O WebContainer : 5, WRITE: TLSv1 Handshake, length = 217
[3/9/19 20:10:29:485 UTC] 00000090 SystemOut O WebContainer : 5, READ: TLSv1 Alert, length = 2
[3/9/19 20:10:29:485 UTC] 00000090 SystemOut O WebContainer : 5, RECV TLSv1.2 ALERT: fatal, handshake_failure
[3/9/19 20:10:29:486 UTC] 00000090 SystemOut O WebContainer : 5, called closeSocket()
[3/9/19 20:10:29:486 UTC] 00000090 SystemOut O WebContainer : 5, handling exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
[3/9/19 20:10:29:594 UTC] 00000090 FfdcProvider W com.ibm.ws.ffdc.impl.FfdcProvider logIncident FFDC1003I: FFDC Incident emitted on /opt/IBM/WebSphere/AppServer/profiles/AppSrv01/logs/ffdc/server1_83c02f89_19.03.09_20.10.29.512728361473924885244.txt com.ibm.ws.rsadapter.DSConfigHelper.getPooledConnection 568
[3/9/19 20:10:29:722 UTC] 00000090 FfdcProvider W com.ibm.ws.ffdc.impl.FfdcProvider logIncident FFDC1003I: FFDC Incident emitted on /opt/IBM/WebSphere/AppServer/profiles/AppSrv01/logs/ffdc/server1_83c02f89_19.03.09_20.10.29.7052740090681335855170.txt com.ibm.ws.rsadapter.DSConfigurationHelper.testConnectionToDataSource 1486
[3/9/19 20:10:29:727 UTC] 00000090 DSConfigurati W DSRA8201W: DataSource Configuration: DSRA8040I: Failed to connect to the DataSource jdbc/SelfService. Encountered java.sql.SQLException: SSL error: Received fatal alert: handshake_failure DSRA0010E: SQL State = 08006, Error Code = 0.
java.sql.SQLException: SSL error: Received fatal alert: handshake_failure DSRA0010E: SQL State = 08006, Error Code = 0
    at org.postgresql.ssl.MakeSSL.convert(MakeSSL.java:42)
    at org.postgresql.core.v3.ConnectionFactoryImpl.enableSSL(ConnectionFactoryImpl.java:435)
    at org.postgresql.core.v3.ConnectionFactoryImpl.tryConnect(ConnectionFactoryImpl.java:94)
    at org.postgresql.core.v3.ConnectionFactoryImpl.openConnectionImpl(ConnectionFactoryImpl.java:192)
    at org.postgresql.core.ConnectionFactory.openConnection(ConnectionFactory.java:49)
    at org.postgresql.jdbc.PgConnection.(PgConnection.java:195)
    at org.postgresql.Driver.makeConnection(Driver.java:454)
    at org.postgresql.Driver.connect(Driver.java:256)
    at java.sql.DriverManager.getConnection(DriverManager.java:675)
    at java.sql.DriverManager.getConnection(DriverManager.java:258)
    at org.postgresql.ds.common.BaseDataSource.getConnection(BaseDataSource.java:94)
    at org.postgresql.ds.common.BaseDataSource.getConnection(BaseDataSource.java:79)
```
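The JSSE trace above already contains the ground truth for this kind of problem: the raw bytes of the ClientHello that actually went on the wire (`[write] MD5 and SHA1 hashes: len = 217`). Decoding that dump shows what the server saw, independent of which JVM properties or QoP settings one believes are in effect. The following script is an added example written for this issue; it is not code from the issue author or from the ci.docker.websphere-traditional project. It copies the hex dump from the trace (hex columns only), walks the ClientHello layout from RFC 5246, and reports the client version, the offered cipher suites, the extensions and the SNI. The extension and cipher-suite code values are the IANA registry numbers; the `diagnose` heuristics are the editor's own reading of what a TLS 1.2-only server needs to see.

```python
import re

# ClientHello hex dump copied from the JSSE trace in the issue above
# (the "[write] MD5 and SHA1 hashes: len = 217" block), hex columns only.
CLIENT_HELLO_DUMP = """
0000: 01 00 00 d5 03 01 5c 84 1d b4 f7 6c e2 3b 36 bb
0010: 65 0e 5f fb 49 93 d9 f8 da 6f 43 ca 5c cd 2f 2a
0020: 8d 57 19 57 02 44 00 00 2c 00 ff c0 0a c0 14 00
0030: 35 c0 05 c0 0f 00 39 00 38 c0 09 c0 13 00 2f c0
0040: 04 c0 0e 00 33 00 32 c0 08 c0 12 00 0a c0 03 c0
0050: 0d 00 16 00 13 01 00 00 80 00 0a 00 0a 00 08 00
0060: 17 00 18 00 19 00 16 00 0b 00 02 01 00 00 17 00
0070: 00 00 00 00 64 00 62 00 00 5f 35 61 33 65 63 38
0080: 34 63 2d 30 65 62 35 2d 34 39 62 61 2d 38 39 39
0090: 64 2d 39 31 61 39 33 33 39 66 30 32 61 39 2e 64
00a0: 37 64 65 65 66 66 30 64 35 38 37 34 35 61 62 61
00b0: 35 37 66 61 35 63 38 34 36 38 35 64 35 62 34 2e
00c0: 64 61 74 61 62 61 73 65 73 2e 61 70 70 64 6f 6d
00d0: 61 69 6e 2e 63 6c 6f 75 64
"""

# Protocol version and extension codes from the IANA TLS registries.
VERSIONS = {0x0300: "SSLv3", 0x0301: "TLSv1", 0x0302: "TLSv1.1", 0x0303: "TLSv1.2"}
EXTENSIONS = {0x0000: "server_name", 0x000a: "elliptic_curves", 0x000b: "ec_point_formats",
              0x000d: "signature_algorithms", 0x0017: "extended_master_secret"}
# IANA codes of the 3DES_EDE_CBC_SHA suites (the weakest ones this hello offers).
THREE_DES_SUITES = {0x000a, 0x0013, 0x0016, 0xc003, 0xc008, 0xc00d, 0xc012}


def dump_to_bytes(dump):
    """Turn the 'OFFSET: xx xx ...' rows of a JSSE hex dump into bytes, checking offsets."""
    out = bytearray()
    for line in dump.strip().splitlines():
        m = re.match(r"^([0-9a-fA-F]{4}):((?:\s[0-9a-fA-F]{2}){1,16})", line)
        if not m or int(m.group(1), 16) != len(out):
            raise ValueError("malformed or out-of-order dump row: %r" % line)
        out += bytes.fromhex(m.group(2).replace(" ", ""))
    return bytes(out)


def u16(b, pos):
    return int.from_bytes(b[pos:pos + 2], "big")


def parse_client_hello(data):
    """Decode a TLS ClientHello handshake message (RFC 5246 section 7.4.1.2)."""
    if data[0] != 0x01:
        raise ValueError("not a ClientHello (handshake type %d)" % data[0])
    if int.from_bytes(data[1:4], "big") != len(data) - 4:
        raise ValueError("handshake length does not match dump length")
    pos = 4
    version = u16(data, pos); pos += 2            # client_version
    pos += 32                                     # Random
    pos += 1 + data[pos]                          # SessionID
    cs_len = u16(data, pos); pos += 2
    suites = [u16(data, i) for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + data[pos]                          # compression methods
    exts = {}
    if pos < len(data):                           # the extensions block is optional
        end = pos + 2 + u16(data, pos); pos += 2
        while pos + 4 <= end:
            etype, elen = u16(data, pos), u16(data, pos + 2)
            exts[etype] = data[pos + 4:pos + 4 + elen]
            pos += 4 + elen
        if pos != end:
            raise ValueError("extension block length mismatch")
    sni = None
    if 0x0000 in exts:                            # ServerNameList: len(2) type(1) len(2) name
        e = exts[0x0000]
        sni = e[5:5 + u16(e, 3)].decode("ascii")
    return {
        "version": VERSIONS.get(version, "0x%04x" % version),
        "cipher_suites": suites,
        "extensions": [EXTENSIONS.get(t, "0x%04x" % t) for t in exts],
        "sni": sni,
    }


def diagnose(hello):
    """Explain, from the decoded hello alone, why a TLS 1.2-only server would refuse it."""
    findings = []
    if hello["version"] != "TLSv1.2":
        findings.append("client_version is %s, so the server cannot select TLS 1.2" % hello["version"])
    if "signature_algorithms" not in hello["extensions"]:
        findings.append("no signature_algorithms extension: a TLS 1.2 client would send one")
    weak = [s for s in hello["cipher_suites"] if s in THREE_DES_SUITES]
    if weak:
        findings.append("%d 3DES suites offered: %s" % (len(weak), ", ".join("0x%04x" % s for s in weak)))
    return findings


if __name__ == "__main__":
    hello = parse_client_hello(dump_to_bytes(CLIENT_HELLO_DUMP))
    print("ClientHello version:", hello["version"], "SNI:", hello["sni"])
    print("cipher suites:", len(hello["cipher_suites"]), "extensions:", hello["extensions"])
    for finding in diagnose(hello):
        print("-", finding)
```

Run against the dump from this issue, the decoder reports `client_version` 0x0301 (TLSv1), 22 suites (all SHA-1 CBC suites plus the renegotiation SCSV) and no `signature_algorithms` extension, which agrees with the `ClientHello, TLSv1` line and with the run of `Ignoring unsupported cipher suite` messages: every SHA-256 and GCM suite was dropped before the hello was built because the context's protocol level could not carry them. That is the check worth doing before changing more settings: if the bytes still say 0x0301 after a restart, the setting that was changed is not the one the data source's `SSLContext` is reading. The same trace also shows the data source using `org.postgresql.ssl.NonValidatingFactory`, the pgjdbc SSL factory that skips server certificate validation; once the protocol problem is fixed, that trust manager is the next thing to review, since without validation the TLS version alone does not protect the connection from an impersonated server.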

bvinoth186 commented 5 years ago

The issue is resolved after I enabled TLSv1.2. I was under the assumption that TLS 1.2 was already enabled.

hari819 commented 4 years ago

Could you please post how you enabled TLS 1.2? Is it using something like this: `-Djdk.tls.client.protocols="TLSv1.2"`? Where should I put it if I am running a Docker image for WebSphere?