SSL handshake failed: ret=-1, reason=unsupported protocol


Article ID: KB0075687


Products Versions
TIBCO Enterprise Message Service 8.5.1

Description

Support for TLS 1.0 has been removed as of EMS 8.5.1. Clients that use old EMS client libraries, which do not support anything higher than TLS 1.0, will therefore fail to connect to the EMS server over SSL.

The EMS server log shows entries similar to the following:

2020-01-28 13:53:24.217 140706303350528:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:ssl/statem/statem_srvr.c:1667:
2020-01-28 13:53:24.360 SSL handshake failed: ret=-1, reason=unsupported protocol
2020-01-28 13:53:24.360 [OpenSSL Error]: file=ossl.c, line=1393
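
A small triage script for the log pattern above, added here as an example and not TIBCO's code: it pairs each "SSL handshake failed" line with the OpenSSL error-queue line logged just before it, so the failures caused by a protocol-version mismatch can be counted. The function names, the one-second pairing window and the fourth sample line are assumptions made for illustration.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Sample input: the three log lines quoted in the article, plus a fourth
# line constructed for this example (a failure with no OpenSSL detail).
SAMPLE_LOG = """\
2020-01-28 13:53:24.217 140706303350528:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:ssl/statem/statem_srvr.c:1667:
2020-01-28 13:53:24.360 SSL handshake failed: ret=-1, reason=unsupported protocol
2020-01-28 13:53:24.360 [OpenSSL Error]: file=ossl.c, line=1393
2020-01-28 13:55:02.101 SSL handshake failed: ret=-1, reason=unsupported protocol
"""

TS = r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3})"
# OpenSSL error-queue line: thread:error:code:library:function:reason:file:line:
OSSL_RE = re.compile(
    TS + r" \d+:error:(?P<code>[0-9A-Fa-f]+):(?P<lib>[^:]*):"
    r"(?P<func>[^:]*):(?P<reason>[^:]*):(?P<file>[^:]*):(?P<line>\d+):")
FAIL_RE = re.compile(
    TS + r" SSL handshake failed: ret=(?P<ret>-?\d+), reason=(?P<reason>.+)$")

def _ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S.%f")

def find_handshake_failures(log_text, window=timedelta(seconds=1)):
    """Return one dict per 'SSL handshake failed' line, with the preceding
    OpenSSL error detail attached when reason and timestamp line up."""
    events, last_ossl = [], None
    for raw in log_text.splitlines():
        m = OSSL_RE.match(raw.strip())
        if m:
            last_ossl = m.groupdict()
            continue
        m = FAIL_RE.match(raw.strip())
        if not m:
            continue  # e.g. the "[OpenSSL Error]: file=..." line
        event = {"time": m["ts"], "ret": int(m["ret"]),
                 "reason": m["reason"].strip(),
                 "openssl_code": None, "openssl_function": None}
        if (last_ossl and last_ossl["reason"] == event["reason"]
                and timedelta(0) <= _ts(m["ts"]) - _ts(last_ossl["ts"]) <= window):
            event["openssl_code"] = last_ossl["code"]
            event["openssl_function"] = last_ossl["func"]
        last_ossl = None  # each error-queue line is paired at most once
        events.append(event)
    return events

def count_by_reason(events):
    return dict(Counter(e["reason"] for e in events))
```
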

Note the OpenSSL version that each EMS release uses:

TIBCO Enterprise Message Service 8.2.0 operates with OpenSSL version 0.9.8zc.
TIBCO Enterprise Message Service 8.2.1 operates with OpenSSL version 0.9.8zd.
TIBCO Enterprise Message Service 8.2.2 operates with OpenSSL version 1.0.1p.
TIBCO Enterprise Message Service 8.3.0 operates with OpenSSL version 1.0.2f.
TIBCO Enterprise Message Service 8.4.0 operates with OpenSSL version 1.0.2k.
TIBCO Enterprise Message Service 8.5.0 operates with OpenSSL version 1.0.2r.
TIBCO Enterprise Message Service 8.5.1 operates with OpenSSL version 1.1.1c.

The above is linked to "SSL Communication The TLSv1.0 protocol is no longer supported." in EMS 8.5.1, so make sure the client can use TLS version 1.1 or higher.

- For security reasons, EMS 8.5.1 only supports TLSv1.2 cipher suites.

- The oldest version of EMS to support TLSv1.2 (although with an older and smaller range of cipher suites than EMS 8.5.1) is EMS 8.3.0.

Ask the client to test with the EMS 8.3 libraries and see whether the problem goes away. If they are not able to upgrade, they may need to use EMS 8.5.0.

A similar issue may also arise when creating routes that use SSL between the EMS versions mentioned above.

 

Issue/Introduction

SSL clients not able to connect to EMS 8.5.1