The reason of exception “server certificate change is restricted during renegotiation” and how to fix it
Article ID: KB0074604
Updated On:
| Products | Versions |
|---|---|
| TIBCO ActiveMatrix BusinessWorks Plug-in for REST and JSON | 2.1.0 |
Description
Some customers might encounter intermittent issue when using the REST JSON plugin's “Invoke REST API” activity to invoke a load-balanced group of REST servers, the issue is like below:
===========
Activity invocation failed
caused by: javax.ws.rs.ProcessingException: javax.net.ssl.SSLHandshakeException: server certificate change is restricted during renegotiation
Caused by: javax.net.ssl.SSLHandshakeException: server certificate change is restricted during renegotiation
===========
This issue is due to the unsafe server certificate change in SSL/TLS renegotiations is not allowed by JDK, if the REST JSON plugin makes multiple HTTPS requests to the same server, it attempts to resume an SSL session using the session ID provided from the server. For example we can see this in the ssl debug log "Try resuming [Session-1, TLS_RSA_WITH_AES_128_GCM_SHA256] from port 52968”.
If that server doesn't have a suitable session ID, The client and the server try to renegotiate the session. During the renegotiation, The client checks to make sure the server is using the same certificate (to mitigate the TLS triple handshake attack). If that check fails, it aborts the connection and throws “server certificate change is restricted during renegotiation” exception.
For example, if REST JSON plugin is configured to invoke a load-balanced group of servers, and those servers all use different certificates, some of the certificate checks will fail, and REST JSON plugin will abort those connections.
The customers might get this issue with TRA 5.10 and above, it is because TRA 5.10 and above are bundled with JRE 1.8, and starting with JDK 1.8 u25, unsafe server certificate change in SSL/TLS renegotiations is not allowed by default. Please refer to the Oracle doc for more information. https://docs.oracle.com/javase/8/docs/technotes/guides/security/jsse/tls-renegotiation-issue.html
Resolution
1. Customer can add the following recommended properties in application.tra file to allow server certificate change and unsafe renegotiation:
========
java.extended.properties=-Djdk.tls.allowUnsafeServerCertChange=true -Dsun.security.ssl.allowUnsafeRenegotiation=true
========
2. Customer can make sure all load-balanced Servers have the same Server certificates.
Issue/Introduction
Feedback
