SSL handshake failed: A potential protocol version downgrade attack happens when connecting to MSSQL server


Article ID: KB0073088


Product: TIBCO ActiveMatrix BusinessWorks Plug-in for Database
Version: 7.2

Description

When connecting to a Microsoft SQL Server instance that has SSL encryption enabled, the following error may occur:
================================================
AEADB-800064: Connection test failed.
([tibcosoftwareinc][SQLServer JDBC Driver]SSL handshake failed: A potential protocol version downgrade attack)
================================================
This issue is seen on TRA 5.10.3 because the TIBCOJRE has been upgraded to release 1.8.0_281 in this release.

Issue/Introduction

SSL handshake failed: A potential protocol version downgrade attack happens when connecting to MSSQL server

Environment

Product: TIBCO ActiveMatrix BusinessWorks Plug-in for Database
Version: 7.2
Product: TIBCO Runtime Agent (TRA)
Version: 5.10.3
OS: All Supported Operating Systems

Resolution

The SSL log shows that the client sends a ClientHello like the following:
==========================================================
"ClientHello": {
  "client version"      : "TLSv1.2",
......
  "extensions"          : [
......
    "supported_versions (43)": {
      "versions": [TLSv1.2, TLSv1.1, TLSv1, SSLv2Hello]
    }
  ]
}
==========================================================

The returned ServerHello looks like the following:
==========================================================
"ServerHello": {
  "server version"      : "TLSv1.1",
......
}
==========================================================

The ClientHello version is "TLSv1.2", while the ServerHello version is "TLSv1.1". This mismatch caused the error "A potential protocol version downgrade attack".

To resolve this issue, add "CryptoProtocolVersion=TLSv1.2" to the TIBCO driver JDBC connection URL. After adding this property, the ClientHello looks like the following:
==========================================================
"ClientHello": {
  "client version"      : "TLSv1.2",
......
  "extensions"          : [
......
    "supported_versions (43)": {
      "versions": [TLSv1.2]
    }
  ]
}
==========================================================

The ServerHello looks like the following:
==========================================================
"ServerHello": {
  "server version"      : "TLSv1.2",
......
}
==========================================================

Since both versions are "TLSv1.2" now, the connection will succeed.
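
To check a captured SSL log for the version mismatch described above, the following added example (not part of the original article or of any TIBCO code) extracts the versions from the ClientHello and ServerHello entries and reports whether the server chose a lower version than the highest one the client offered. The function names are hypothetical, the sample logs are constructed from the excerpts in this article, and the parser assumes the log uses the same field layout as those excerpts.

```python
import re

# Protocol names as printed in the SSL log, weakest first.
ORDER = ["SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]

def hello_block(log, name):
    """Return the brace-balanced body of the first '"<name>": {...}' entry."""
    start = log.find('"%s"' % name)
    open_at = log.find("{", start) if start >= 0 else -1
    if open_at < 0:
        return None
    depth = 0
    for i in range(open_at, len(log)):
        depth += {"{": 1, "}": -1}.get(log[i], 0)
        if depth == 0:
            return log[open_at:i + 1]
    return None  # truncated log: the closing brace is missing

def compare_hellos(log):
    """Compare the client's highest offered version (supported_versions list,
    else the legacy 'client version' field) with the server's chosen version."""
    ch, sh = hello_block(log, "ClientHello"), hello_block(log, "ServerHello")
    if ch is None or sh is None:
        raise ValueError("log lacks a complete ClientHello/ServerHello pair")
    listed = re.search(r'"versions"\s*:\s*\[([^\]]*)\]', ch)
    legacy = re.search(r'"client version"\s*:\s*"([^"]+)"', ch)
    server = re.search(r'"server version"\s*:\s*"([^"]+)"', sh)
    if server is None or (listed is None and legacy is None):
        raise ValueError("version fields missing from the hello messages")
    offered = ([v.strip() for v in listed.group(1).split(",") if v.strip()]
               if listed else [legacy.group(1)])
    client_max = max(offered, key=ORDER.index)
    chosen = server.group(1)
    return {"offered": offered, "client_max": client_max, "server": chosen,
            "mismatch": ORDER.index(chosen) < ORDER.index(client_max)}

# Constructed sample logs, shaped like the excerpts in this article.
BEFORE = '''"ClientHello": {
  "client version"      : "TLSv1.2",
  "extensions"          : [
    "supported_versions (43)": {
      "versions": [TLSv1.2, TLSv1.1, TLSv1, SSLv2Hello]
    }
  ]
}
"ServerHello": {
  "server version"      : "TLSv1.1",
}'''
AFTER = BEFORE.replace(", TLSv1.1, TLSv1, SSLv2Hello", "").replace('"TLSv1.1"', '"TLSv1.2"')
print(compare_hellos(BEFORE)["mismatch"], compare_hellos(AFTER)["mismatch"])
```
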