SSL handshake failed: A potential protocol version downgrade attack happens when connecting to MSSQL server
Article ID: KB0073088
Updated On:
| Products | Versions |
|---|---|
| TIBCO ActiveMatrix BusinessWorks Plug-in for Database | 7.2 |
Description
When connecting to the Microsoft SQL server that has SSL encryption enabled, the below error might happen:
================================================
AEADB-800064: Connection test failed.
([tibcosoftwareinc][SQLServer JDBC Driver]SSL handshake failed: A potential protocol version downgrade attack)
================================================
This issue is seen on TRA 5.10.3 because the TIBCOJRE has been upgraded to release 1.8.0_281 in this release.
================================================
AEADB-800064: Connection test failed.
([tibcosoftwareinc][SQLServer JDBC Driver]SSL handshake failed: A potential protocol version downgrade attack)
================================================
This issue is seen on TRA 5.10.3 because the TIBCOJRE has been upgraded to release 1.8.0_281 in this release.
Issue/Introduction
SSL handshake failed: A potential protocol version downgrade attack happens when connecting to MSSQL server
Environment
Product: TIBCO ActiveMatrix BusinessWorks Plug-in for Database
Version: 7.2
Product: TIBCO Runtime Agent (TRA)
Version: 5.10.3
OS: All Supported Operating Systems
Resolution
When checking the SSL log, the client sends out a ClientHello like below:
==========================================================
"ClientHello": {
"client version" : "TLSv1.2",
......
"extensions" : [
......
"supported_versions (43)": {
"versions": [TLSv1.2, TLSv1.1, TLSv1, SSLv2Hello]
}
]
}
==========================================================
The returned ServerHello is like below:
==========================================================
"ServerHello": {
"server version" : "TLSv1.1",
......
}
==========================================================
The ClientHello version is "TLSv1.2", while the ServerHello version is "TLSv1.1". This mismatch caused the error "A potential protocol version downgrade attack".
To resolve this issue, the user could add "CryptoProtocolVersion=TLSv1.2" to the TIBCO driver JDBC connection URL. After adding this property, the ClientHello is like below:
==========================================================
"ClientHello": {
"client version" : "TLSv1.2",
......
"extensions" : [
......
"supported_versions (43)": {
"versions": [TLSv1.2]
}
]
}
==========================================================
The ServerHello is like below:
==========================================================
"ServerHello": {
"server version" : "TLSv1.2",
......
}
==========================================================
Since both versions are "TLSv1.2" now, the connection will succeed.
==========================================================
"ClientHello": {
"client version" : "TLSv1.2",
......
"extensions" : [
......
"supported_versions (43)": {
"versions": [TLSv1.2, TLSv1.1, TLSv1, SSLv2Hello]
}
]
}
==========================================================
The returned ServerHello is like below:
==========================================================
"ServerHello": {
"server version" : "TLSv1.1",
......
}
==========================================================
The ClientHello version is "TLSv1.2", while the ServerHello version is "TLSv1.1". This mismatch caused the error "A potential protocol version downgrade attack".
To resolve this issue, the user could add "CryptoProtocolVersion=TLSv1.2" to the TIBCO driver JDBC connection URL. After adding this property, the ClientHello is like below:
==========================================================
"ClientHello": {
"client version" : "TLSv1.2",
......
"extensions" : [
......
"supported_versions (43)": {
"versions": [TLSv1.2]
}
]
}
==========================================================
The ServerHello is like below:
==========================================================
"ServerHello": {
"server version" : "TLSv1.2",
......
}
==========================================================
Since both versions are "TLSv1.2" now, the connection will succeed.
Feedback
Yes
No
Powered by
