SSL handshake failed: ret=-1, reason=unsupported protocol
Article ID: KB0075687
Updated On:
| Products | Versions |
|---|---|
| TIBCO Enterprise Message Service | 8.5.1 |
Description
From EMS 8.5.1 the support for tls 1.0 has been removed, thus there will be clients trying to connect to the EMS server that face problems while connecting to EMS over ssl, because, they be using old EMS client libraries that do not support higher than tls 1.0
On the EMS server log, we would be able to see similar log entries as per below:
2020-01-28 13:53:24.217 140706303350528:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:ssl/statem/statem_srvr.c:1667:
2020-01-28 13:53:24.360 SSL handshake failed: ret=-1, reason=unsupported protocol
2020-01-28 13:53:24.360 [OpenSSL Error]: file=ossl.c, line=1393
Please note the different open SSL versions EMS support
We have noted the following
TIBCO Enterprise Message Service 8.2.0 operates with OpenSSL version 0.9.8zc.
TIBCO Enterprise Message Service 8.2.1 operates with OpenSSL version 0.9.8zd
TIBCO Enterprise Message Service 8.2.2 operates with OpenSSL version 1.0.1p.
TIBCO Enterprise Message Service 8.3.0 operates with OpenSSL version 1.0.2f.
TIBCO Enterprise Message Service 8.4.0 operates with OpenSSL version 1.0.2k.
TIBCO Enterprise Message Service 8.5.0 operates with OpenSSL version 1.0.2r.
TIBCO Enterprise Message Service 8.5.1 operates with OpenSSL version 1.1.1c
Please note the above is linked to "SSL Communication The TLSv1.0 protocol is no longer supported. " in EMS 8.5.1, so we need to make sure the client can use a TLS version 1.1 or higher
- For security reasons, EMS 8.5.1 only supports TLSv1.2 cipher suites.
- The oldest version of EMS to support TLSv1.2 (although with an older and smaller range of cipher suites than EMS 8.5.1) is EMS 8.3.0.
You can ask the client to test with EMS 8.3 libraries and see if the problem goes away, if they are not able to upgrade, then they may need to use EMS 8.5.0
A similar issue may arise as well when creating routes that use SSL, in between the mentioned EMS version
On the EMS server log, we would be able to see similar log entries as per below:
2020-01-28 13:53:24.217 140706303350528:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:ssl/statem/statem_srvr.c:1667:
2020-01-28 13:53:24.360 SSL handshake failed: ret=-1, reason=unsupported protocol
2020-01-28 13:53:24.360 [OpenSSL Error]: file=ossl.c, line=1393
Please note the different open SSL versions EMS support
We have noted the following
TIBCO Enterprise Message Service 8.2.0 operates with OpenSSL version 0.9.8zc.
TIBCO Enterprise Message Service 8.2.1 operates with OpenSSL version 0.9.8zd
TIBCO Enterprise Message Service 8.2.2 operates with OpenSSL version 1.0.1p.
TIBCO Enterprise Message Service 8.3.0 operates with OpenSSL version 1.0.2f.
TIBCO Enterprise Message Service 8.4.0 operates with OpenSSL version 1.0.2k.
TIBCO Enterprise Message Service 8.5.0 operates with OpenSSL version 1.0.2r.
TIBCO Enterprise Message Service 8.5.1 operates with OpenSSL version 1.1.1c
Please note the above is linked to "SSL Communication The TLSv1.0 protocol is no longer supported. " in EMS 8.5.1, so we need to make sure the client can use a TLS version 1.1 or higher
- For security reasons, EMS 8.5.1 only supports TLSv1.2 cipher suites.
- The oldest version of EMS to support TLSv1.2 (although with an older and smaller range of cipher suites than EMS 8.5.1) is EMS 8.3.0.
You can ask the client to test with EMS 8.3 libraries and see if the problem goes away, if they are not able to upgrade, then they may need to use EMS 8.5.0
A similar issue may arise as well when creating routes that use SSL, in between the mentioned EMS version
Issue/Introduction
SSL clients not able to connect to EMS 8.5.1
Feedback
Yes
No
Powered by
