Test Data Manager


SSL handshake error

  • 1.  SSL handshake error

    Posted Jun 07, 2017 02:15 AM

    Hello All,

     

    I am facing an issue during testing of services. We have created 20 secured URLs using one .jks file over the VSE. When the testing team tests the services, they face a handshake issue between Message Broker and Lisa for some services, while some services work fine without any SSL error.

     

    Also, we are not able to see any hit on the VSE or Server Console. Can someone advise what the issue could be here? We have been struggling with this issue for 1 week, still with no luck.

     

    Thanks..

    Shivam Garg



  • 2.  Re: SSL handshake error

    Posted Jun 07, 2017 05:52 AM

    Hi,

     

    If there are some secured services that are working then the issue is most likely with the client not trusting the VSE server - you should enable SSL logging at the client end and see what is being reported.

     

    Normally, ensuring that the issuing Certificate Authority (CA) and any issuing intermediate servers have their certificate trusted by the client is all that would be required, although you should also ensure that the name being used to connect to the VSE from the client matches the name present in the CN (Common Name) field of the certificate that the VSE uses.

     

    You would not see any transactions in this sort of case, since the transport layer has not been established. Only once the SSL transport has been established would it be possible to consider sending a transaction to the VSE.

     

    For more information, please see Of SSL, SNI, Java and DevTest 



  • 3.  Re: SSL handshake error

    Posted Jun 07, 2017 06:53 AM

    Hello Dave,

     

    Do you have any idea how Lisa can handle NULL ciphers? The MB team checked, and this is happening due to an override of ciphers to NULL ciphers.

     

    Is there any way Lisa can handle NULL ciphers, please?

     

    thanks...

     

    Shivam Garg



  • 4.  Re: SSL handshake error

    Posted Jun 07, 2017 07:13 AM

    Exactly which cipher are you trying to use here? Also, which version of LISA/DevTest?

     

    Dave



  • 5.  Re: SSL handshake error

    Posted Jun 07, 2017 07:20 AM

    Dave,

     

    I am not aware of exact cipher, but Message Broker team made this statement. And we are using Lisa 7.5.2 version.

     

    And in making the secured URLs we are using the .jks file available on the VSE server.

     

    For EAX_HTTP_CLIENT11_NULL there is an override of ciphers  which only allowed NULL ciphers
    which we can see having issues while connecting to CALISA


  • 6.  Re: SSL handshake error

    Posted Jun 07, 2017 07:48 AM

    It would be most helpful to understand what ciphers your client is expecting.

     

    NULL ciphers provide message integrity only, without encryption, and are therefore disabled as they are not secure. We should attempt to enable ONLY the ones required. 



  • 7.  Re: SSL handshake error

    Posted Jun 07, 2017 08:00 AM

    Dave,

     

    These are the ciphers expected by the client: SSL_RSA_WITH_NULL_SHA, SSL_RSA_WITH_NULL_MD5.

     

    Now tell me how to enable them, please? It would be very, very useful in the bank.

     

    If you want a CA case for this, I can raise it so we can set up a WebEx.

     

    Please help me my friend.

     

    thanks..

    Shivam Garg



  • 8.  Re: SSL handshake error

    Posted Jun 07, 2017 08:42 AM

    Dave,

     

    Hope you are looking into a way that can help us. How do I add this to the cipher suite used by LISA?

     

    Thanks..

    Shivam Garg



  • 9.  Re: SSL handshake error

    Posted Jun 07, 2017 08:54 AM

    I’m looking – but it is NOT a LISA issue – these are disabled by Oracle in Java in every release since at least 1.4 (Java 4) because they are so insecure.

     

    So far I am finding only code-level solutions that won’t work for you.

     

    Dave.



  • 10.  Re: SSL handshake error

    Posted Jun 07, 2017 08:55 AM

    Dave,

     

    I have raised case having number 00765212, if you can check and help me.

     

    Thanks..

    Shivam Garg



  • 11.  Re: SSL handshake error
    Best Answer

    Posted Jun 07, 2017 08:58 AM

    I cannot – someone will pick it up BUT there is NO SUPPORT for 7.5.2

     

    It has been out of support for a year, and no new fixes will be provided.



  • 12.  Re: SSL handshake error

    Posted Jun 07, 2017 09:14 AM

    Here is a possible java level solution. It will require you to know all of the cipher suites that you wish to use:-

     

    In the .vmoptions file for your VSE, add the following property

     

    -Dhttps.cipherSuites=SSL_RSA_WITH_DES_CBC_SHA,\
    TLS_RSA_WITH_AES_128_CBC_SHA,\
    TLS_DHE_RSA_WITH_AES_128_CBC_SHA,\
    TLS_DHE_DSS_WITH_AES_128_CBC_SHA,\
    SSL_RSA_WITH_3DES_EDE_CBC_SHA,\
    SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,\
    SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA,\
    SSL_RSA_WITH_RC4_128_MD5,\
    SSL_RSA_WITH_RC4_128_SHA,\
    SSL_RSA_WITH_NULL_SHA,\
    SSL_RSA_WITH_NULL_MD5

     

    You will need to modify the entries before the final two to suit your environment. If you wish you could add these all on one line. As things are, the \ characters should be the last character on the line - there must be no spaces following the \

     

    Hopefully this will allow you to continue.

     

         Dave.



  • 13.  Re: SSL handshake error

    Posted Jun 07, 2017 09:28 AM

    Thanks Dave.

     

    Dave, I was on the VSE server using Tectia, but I am not able to find the location of the .vmoptions file.

     

    Do you know about that, please?

     

    thanks..

    Shivam



  • 14.  Re: SSL handshake error

    Posted Jun 07, 2017 09:32 AM

    The vmoptions file can be found in the bin folder under the installation.

     

    Each component has a .vmoptions file that is used to set Java level options, such as the one above, memory settings, etc.



  • 15.  Re: SSL handshake error

    Posted Jun 07, 2017 09:43 AM

    Dave,

     

    I am giving the details in the VSE.vmoption file like this. Is this fine? If not, please send me the correct format to give in the file. I will do that.

     

    -DLISA_LOG=LISA_VSE2_PERF.log
    -Dlisa.tmpdir=/opt/lisa/lisatmp_7.5.2
    -Xms512m
    -Xmx10240m
    -Dlisa.registry.url=tcp://APPTUVIRTUAL08B.machine.test.group:2010/Registry
    -Dlisa.vseName=tcp://APPTUPET02XX005.machine.test.group:2013/APPTUPET02XX005_PERFVSE2
    -Dlisa.vse.max.hard.errors=50
    -Dhttps.cipherSuites=SSL_RSA_WITH_DES_CBC_SHA,\
    TLS_RSA_WITH_AES_128_CBC_SHA,\
    TLS_DHE_RSA_WITH_AES_128_CBC_SHA,\
    TLS_DHE_DSS_WITH_AES_128_CBC_SHA,\
    SSL_RSA_WITH_3DES_EDE_CBC_SHA,\
    SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,\
    SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA,\
    SSL_RSA_WITH_RC4_128_MD5,\
    SSL_RSA_WITH_RC4_128_SHA,\
    SSL_RSA_WITH_NULL_SHA,\
    SSL_RSA_WITH_NULL_MD5



  • 16.  Re: SSL handshake error

    Posted Jun 07, 2017 09:45 AM

    As long as you have verified all of the cipher suites, that looks sensible.



  • 17.  Re: SSL handshake error

    Posted Jun 07, 2017 09:51 AM

    Dave,

     

    To be honest, I have not verified them, as I have no idea about the other ciphers. I know only the last two, as the Message Broker team showed me. If I give only the last two ciphers, will this work or not?

     

    Thanks...



  • 18.  Re: SSL handshake error

    Posted Jun 07, 2017 09:54 AM

    If you give the last two only, then these will be the ONLY two enabled.

     

    The chances are that this will break the SSL services you already have running.



  • 19.  Re: SSL handshake error

    Posted Jun 07, 2017 09:58 AM

    Thank you so much.

     

    Let me take the risk.



  • 20.  Re: SSL handshake error

    Posted Jun 08, 2017 02:03 AM

    Morning Dave,

     

     

    I tried what you suggested. I copied and pasted all the ciphers you provided into the VSEService.vmoption file, and after that I restarted the VSE service as well, but they are still facing the SSL exception with the same ciphers.

     

    Any further advice, please?

     

    thanks..

     

    Shivam Garg



  • 21.  Re: SSL handshake error

    Posted Jun 07, 2017 09:58 AM

    This document lists all of the cipher suites, and their status in various releases of Java.

    Java Cryptography Architecture Oracle Providers Documentation

     

    In the worst case, you might want to use all of the enabled suites for the relevant release, plus your additional ones. See the heading "Default Enabled Cipher Suites"
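
An added example, not part of the original thread and not DevTest code: a small Java diagnostic for verifying a candidate `https.cipherSuites` list, as the replies above ask, by checking each suite against the JVM it runs on (supported, enabled by default, weak by name). The class name `CipherSuiteAudit`, the weak-marker list and the sample suite list are assumptions for illustration; run it with the same Java runtime the VSE uses.

```java
import javax.net.ssl.SSLContext;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

// Added example (hypothetical class name): audits a candidate
// https.cipherSuites value against the running JVM.
public class CipherSuiteAudit {

    // Name fragments that mark a suite as weak: no encryption, no authentication,
    // export-grade keys, or broken algorithms. Illustrative, not exhaustive.
    private static final String[] WEAK =
            {"_NULL_", "_anon_", "_EXPORT_", "_RC4_", "_DES_", "_3DES_", "_MD5"};

    // Returns the first weak marker found in the suite name, or "" if none.
    static String weakness(String suite) {
        for (String marker : WEAK) {
            if (suite.contains(marker)) return marker.replace("_", "");
        }
        return "";
    }

    public static void main(String[] args) throws Exception {
        // Candidate list: first argument, else the https.cipherSuites property,
        // else a constructed sample built from suites named in the thread.
        String candidate = args.length > 0 ? args[0]
                : System.getProperty("https.cipherSuites",
                    "TLS_RSA_WITH_AES_128_CBC_SHA,SSL_RSA_WITH_NULL_SHA,SSL_RSA_WITH_NULL_MD5");

        SSLContext ctx = SSLContext.getDefault();
        Set<String> supported = new HashSet<>(
                Arrays.asList(ctx.getSupportedSSLParameters().getCipherSuites()));
        Set<String> enabled = new HashSet<>(
                Arrays.asList(ctx.getDefaultSSLParameters().getCipherSuites()));

        System.out.println("Java " + System.getProperty("java.version"));
        for (String raw : candidate.split(",")) {
            String suite = raw.trim();
            if (suite.isEmpty()) continue;
            String status = !supported.contains(suite) ? "NOT SUPPORTED by this JVM"
                    : enabled.contains(suite) ? "enabled by default"
                    : "supported, disabled by default";
            String weak = weakness(suite);
            System.out.printf("%-42s %s%s%n", suite, status,
                    weak.isEmpty() ? "" : "  [weak: " + weak + "]");
        }
    }
}
```

A suite reported as not supported cannot be negotiated by that runtime whatever the property says, and every suite flagged weak should be removed from the list once the client no longer depends on it.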