handshake_failure due to no matching Cipher in BusinessWorks Container Edition application

Article ID: KB0076067

Products Versions
TIBCO BusinessWorks Container Edition 2.5.1

Description

A BusinessWorks Container Edition (BWCE) application logs entries like the following when its HTTPS interface runs into an SSLHandshakeException.

======================================
   <CausedBy> javax.ws.rs.ProcessingException: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
   <CausedBy> javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
========================================

The first step in troubleshooting any HTTPS interface that runs into an SSLHandshakeException is to enable the SSL debug log.
Set the "-Djavax.net.debug=ssl:handshake:plaintext" JVM property through the BW_JAVA_OPTS environment variable to enable it.

Reference: https://docs.tibco.com/pub/bwce/2.5.1/doc/html/GUID-25BD2BA4-6BA4-418C-98D4-6EB3C9196399.html
example: 
========================================
docker run -e BW_JAVA_OPTS="-Xmx2048M -Xms2048M -Djavax.net.debug=ssl:handshake:plaintext" tibco/bwce-http:251
========================================

Below is an example SSL debug log ending in handshake_failure; the ClientHello shows the cipher suites currently supported by the JVM.
========================================  
*** ClientHello, TLSv1.2
RandomCookie:  GMT: 1579000029 bytes = { 212, 150, 98, 240, 139, 211, 92, 217, 36, 230, 246, 28, 66, 143, 210, 62, 88, 66, 173, 149, 232, 177, 179, 94, 188, 3, 40, 119 }
Session ID:  {}
Cipher Suites: [TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
Compression Methods:  { 0 }
Extension signature_algorithms, signature_algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA, SHA256withDSA, SHA224withECDSA, SHA224withRSA, SHA224withDSA, SHA1withECDSA, SHA1withRSA, SHA1withDSA
Extension extended_master_secret
.
.
pool-33-thread-1, WRITE: TLSv1.2 Handshake, length = 152
pool-33-thread-1, READ: TLSv1.2 Alert, length = 2
pool-33-thread-1, RECV TLSv1.2 ALERT:  fatal, handshake_failure
pool-33-thread-1, called closeSocket()
pool-33-thread-1, handling exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
========================================  

If the handshake failure occurs in the initial phase of the SSL handshake (the peer answers the ClientHello with a fatal alert) and no other error is reported, in the majority of cases this indicates a cipher suite mismatch.
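To make that check repeatable, here is an added Python helper (not part of the original article or TIBCO tooling) that pulls the offered suites out of a javax.net.debug log, flags an alert received straight after the ClientHello, and compares the offer against a server allow list. The log excerpt is a trimmed, constructed version of the sample above and SERVER_SUITES is an assumed allow list.

```python
import re
# Constructed excerpt of a javax.net.debug=ssl:handshake log, modelled on the
# article's sample but trimmed; not the page's own output verbatim.
SAMPLE_LOG = """\
*** ClientHello, TLSv1.2
Session ID:  {}
Cipher Suites: [TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
pool-33-thread-1, WRITE: TLSv1.2 Handshake, length = 152
pool-33-thread-1, READ: TLSv1.2 Alert, length = 2
pool-33-thread-1, RECV TLSv1.2 ALERT:  fatal, handshake_failure
"""

# Hypothetical allow list of the remote HTTPS endpoint (assumed for the example;
# take the real one from the server's TLS configuration).
SERVER_SUITES = {"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
                 "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"}

def offered_suites(log):
    """Cipher suites the JVM put in its ClientHello, minus signalling values."""
    m = re.search(r"Cipher Suites: \[([^\]]*)\]", log)
    if not m:
        return []
    suites = [s.strip() for s in m.group(1).split(",")]
    # TLS_EMPTY_RENEGOTIATION_INFO_SCSV is a signalling value, not a cipher
    return [s for s in suites if s and not s.endswith("_SCSV")]

def failed_after_client_hello(log):
    """True when the first record read back is a fatal handshake_failure alert."""
    reads = re.findall(r"READ: TLSv1\.\d (\w+)", log)
    fatal = re.search(r"ALERT:\s+fatal, handshake_failure", log)
    return bool(fatal) and bool(reads) and reads[0] == "Alert"

def diagnose(log, server_suites):
    """Summarise the offer and flag a probable cipher suite mismatch."""
    offered = offered_suites(log)
    common = [s for s in offered if s in server_suites]
    early = failed_after_client_hello(log)
    return {
        "offered": len(offered),
        "common": common,
        "early_failure": early,
        # the article's cipher list gains ECDHE/ECDH suites after the EC library is added
        "client_offers_ecdhe": any(s.startswith("TLS_ECDHE_") for s in offered),
        "likely_cipher_mismatch": early and not common,
    }

if __name__ == "__main__":
    for key, value in diagnose(SAMPLE_LOG, SERVER_SUITES).items():
        print(f"{key}: {value}")
```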

The ciphers supported by BWCE depend on the ciphers supported by the Java/JRE used inside the BWCE container. However, users may need to install the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files in the container to get all supported ciphers.
Below are the detailed steps to install JCE unlimited strength in the docker container.

1). If you are using JDK 8, 7, or 6 updates earlier than 8u161, 7u171, and 6u16, you need to download the JCE Unlimited Strength Policy Files from the Oracle website.
a. Download JCE unlimited strength from https://www.oracle.com/java/technologies/javase-jce-all-downloads.html
b. Unzip jce_policy-1_8_0.zip.
c. Unzip bwce-runtime-2.5.1.zip.
d. Copy US_export_policy.jar and local_policy.jar to: <Extracted_Path_FromStep3>\bwce-runtime-2.5.1\tibco.home\tibcojre64\1.8.0\lib\security
e. Zip the file back to bwce-runtime-2.5.1.zip.

2). If you are using JDK 8, 7, or 6 updates equal to or later than 8u161, 7u171, and 6u16, the policy files are included but may not be enabled. You can find them under bwce-runtime-2.5.1\tibco.home\tibcojre64\1.8.0\lib\security\policy\unlimited. To enable JCE unlimited strength, unzip bwce-runtime-2.5.1.zip, set the crypto.policy property to unlimited in the java.security file under bwce-runtime-2.5.1\tibco.home\tibcojre64\1.8.0\lib\security, and zip the file back to bwce-runtime-2.5.1.zip.
In recent JDK releases the JCE framework uses the unlimited policy files by default, so review your java.security file before making any changes.

Please review the following page for more information.
https://www.oracle.com/java/technologies/javase-jce-all-downloads.html

3). Build a base image using the steps in https://docs.tibco.com/pub/bwce/2.5.1/doc/html/GUID-91EA80AA-08EF-4CB3-A6A7-E8551A441AC1.html

4). Now download libsunec.so from TIB_product_tibco_sunec_1.8.0.144_linux26gl23_x86_64.html in https://edelivery.tibco.com/storefront/view-download.ep?sku=11654-1&version=2.5.1

5). Copy libsunec.so into a LIB folder and then extend the base image.

Sample docker file:
========================================  
FROM tibco/bwce:251Strength
MAINTAINER Tibco
COPY JARS /resources/addons/jars/
COPY plugins /resources/addons/plugins/
COPY LIB /resources/addons/lib/
ADD Test_1.0.0.ear /
======================================== 

6). Build it
docker build -t tibco/bwce-http:251 .

7). Run the container now and verify the SSL handshake debug log.
docker run -e BW_JAVA_OPTS="-Xmx2048M -Xms2048M -Djavax.net.debug=ssl:handshake:plaintext" tibco/bwce-http:251

8). Now inspect the cipher list in the SSL debug log.
A typical example of the supported cipher list after installing JCE unlimited strength in the docker container:

TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, TLS_EMPTY_RENEGOTIATION_INFO_SCSV
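Step 2 above notes that on 8u161 and later the unlimited policy files are present but the crypto.policy switch may not select them. The following added Python helper (not TIBCO tooling) reports the effective crypto.policy value in a java.security file and rewrites it to unlimited before the runtime is re-zipped; the java.security excerpt is constructed for the example.

```python
import re
from pathlib import Path

# Constructed java.security excerpt (not TIBCO's file): the JDK 8u161+ layout
# ships both policy sets and crypto.policy selects which one is active.
SAMPLE_JAVA_SECURITY = """\
security.provider.1=sun.security.provider.Sun
# crypto.policy=unlimited
crypto.policy=limited
"""

# Matches an uncommented crypto.policy assignment; [ \t] rather than \s so the
# match never swallows the line break.
POLICY_RE = re.compile(r"^[ \t]*crypto\.policy[ \t]*=[ \t]*(\S+)[ \t]*$", re.MULTILINE)

def effective_crypto_policy(text):
    """Value of the last uncommented crypto.policy line, or 'unset'."""
    values = POLICY_RE.findall(text)
    return values[-1] if values else "unset"

def set_unlimited(text):
    """Rewrite the last uncommented crypto.policy assignment to 'unlimited',
    or append one when the file has none. Commented lines are left alone."""
    matches = list(POLICY_RE.finditer(text))
    if matches:
        m = matches[-1]
        return text[:m.start()] + "crypto.policy=unlimited" + text[m.end():]
    return text.rstrip("\n") + "\ncrypto.policy=unlimited\n"

def ensure_unlimited(java_security):
    """Patch the file on disk if needed, keeping a .bak copy. Returns True if changed.
    Path inside the extracted runtime, per the article:
    bwce-runtime-2.5.1/tibco.home/tibcojre64/1.8.0/lib/security/java.security"""
    path = Path(java_security)
    original = path.read_text()
    if effective_crypto_policy(original) == "unlimited":
        return False
    path.with_suffix(path.suffix + ".bak").write_text(original)
    path.write_text(set_unlimited(original))
    return True

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print("changed" if ensure_unlimited(sys.argv[1]) else "already unlimited")
    else:
        print("sample policy:", effective_crypto_policy(SAMPLE_JAVA_SECURITY))
        print(set_unlimited(SAMPLE_JAVA_SECURITY))
```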
