How to make a BW client downgrade to SSL 3.0 if an HTTP server supports only this protocol version.

Article ID: KB0085170

Products Versions
TIBCO ActiveMatrix BusinessWorks -
Not Applicable -

Description

BW, acting as an HTTP client, sends an SSL Hello message requesting SSLv3.1 (TLS 1.0) and does not downgrade properly if the server responds with SSL 3.0. The connection fails with the exception "iaik.security.ssl.SSLException: Peer sent alert: Alert Fatal: bad record mac".

Issue/Introduction

How to make a BW client downgrade to SSL 3.0 if an HTTP server supports only this protocol version.

Resolution

To resolve this issue, add the following property:

-Dsun.net.ssl.rsaPreMasterSecretFix=true 

to the deployed engine .tra file. Starting with BW 5.13, also comment out the jdk.tls.disabledAlgorithms=SSLv3 property in the <JRE_HOME>/lib/security/java.security file.

Setting the system property com.sun.net.ssl.rsaPreMasterSecretFix to "true" makes the SSL/TLS client send the active negotiated security protocol version rather than the maximum version supported by the client.
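Both changes above are plain text edits, so they can be checked per engine afterwards. The script below is an added example, not TIBCO code: it reports whether SSLv3 is still listed in jdk.tls.disabledAlgorithms and whether the engine .tra file sets the rsaPreMasterSecretFix property. It assumes `#` starts a comment line in the .tra file and takes the two file paths as arguments.

```shell
#!/bin/sh
# Added example, not TIBCO code. Usage: sh check.sh <java.security> <engine.tra>

# Print the effective jdk.tls.disabledAlgorithms value from java.security file $1.
# Skips '#'/'!' comment lines, joins backslash continuations; last definition wins.
disabled_algorithms() {
    awk '
        cont == 0 && /^[ \t]*[#!]/ { next }
        {
            line = $0
            sub(/\r$/, "", line)
            sub(/^[ \t]+/, "", line)
            more = (line ~ /\\$/)
            sub(/\\$/, "", line)
            buf = buf line
            if (more) { cont = 1; next }
            cont = 0
            if (buf ~ /^jdk\.tls\.disabledAlgorithms[ \t]*[=:]/) {
                sub(/^[^=:]*[=:][ \t]*/, "", buf)
                value = buf; found = 1
            }
            buf = ""
        }
        END { if (found) print value }
    ' "$1"
}

# Exit 0 if SSLv3 is in the disabled list (protocol off), 1 if it can be negotiated.
sslv3_disabled() {
    disabled_algorithms "$1" | tr ',' '\n' |
        sed 's/^[[:space:]]*//; s/[[:space:]]*$//' | grep -qix 'SSLv3'
}

# Exit 0 if a non-comment line of .tra file $1 sets rsaPreMasterSecretFix=true.
tra_has_premaster_fix() {
    grep -v '^[[:space:]]*#' "$1" | grep -Eq 'rsaPreMasterSecretFix[[:space:]]*=[[:space:]]*true'
}

# Report for one java.security file ($1) and one engine .tra file ($2).
audit_engine() {
    if sslv3_disabled "$1"; then echo "$1: SSLv3 disabled"
    else echo "$1: SSLv3 ENABLED"; fi
    if tra_has_premaster_fix "$2"; then echo "$2: rsaPreMasterSecretFix=true set"
    else echo "$2: rsaPreMasterSecretFix not set"; fi
}

if [ $# -eq 2 ]; then audit_engine "$1" "$2"; fi
```

A commented-out first line whose continuation lines were left in place is reported as SSLv3 enabled, because the orphaned continuation no longer belongs to the property.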

Additional Information

None