Tibco Support 5 Posted September 28, 2022 Share Posted September 28, 2022 We are using TRA 5.10, BW 5.13.0 embedded with java version 1.8.0_51(build 1.8.0_51-b16). The underlying OS is AIX and Linux on different machines. We want to Tibco BW to use the below TLSv1.2 GCM ciphers provided by 3rd party SERVER for a successful TLS handshake.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca8) (excluding terminals)TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)Despite adding the following properties in the application TRA file and installing the JCE security policy, we can see that ciphers proposed by TIBCO BW (acting as CLIENT here) during the handshake with 3rd party SERVER do not have GCM ciphers.AIX machine:java.property.TIBCO_SECURITY_VENDOR=ibmjava.property.jdk.tls.client.protocols=TLSv1.2Linux:java.property.TIBCO_SECURITY_VENDOR=j2sejava.property.jdk.tls.client.protocols=TLSv1.2Cipher Suite presented by TIBCO BWSSL_ECDHE_RSA_WITH_3DES_EDE_CBC_SHASSL_ECDHE_RSA_WITH_AES_128_CBC_SHA256SSL_ECDHE_RSA_WITH_AES_128_CBC_SHASSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHASSL_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHASSL_RSA_WITH_AES_128_CBC_SHA256SSL_ECDH_ECDSA_WITH_AES_128_CBC_SHA256SSL_ECDH_RSA_WITH_AES_128_CBC_SHA256SSL_DHE_RSA_WITH_AES_128_CBC_SHA256SSL_DHE_DSS_WITH_AES_128_CBC_SHA256SSL_RSA_WITH_AES_128_CBC_SHASSL_ECDH_ECDSA_WITH_AES_128_CBC_SHASSL_ECDH_RSA_WITH_AES_128_CBC_SHASSL_DHE_RSA_WITH_AES_128_CBC_SHASSL_DHE_DSS_WITH_AES_128_CBC_SHASSL_RSA_WITH_3DES_EDE_CBC_SHASSL_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHASSL_ECDH_RSA_WITH_3DES_EDE_CBC_SHASSL_DHE_RSA_WITH_3DES_EDE_CBC_SHASSL_DHE_DSS_WITH_3DES_EDE_CBC_SHACipher which 3rd party SERVER wants for communicationTLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca8) (excluding terminals)TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)Log Trace with Error ExceptionSSLContextImpl: Using X509ExtendedKeyManager com.ibm.jsse2.awSSLContextImpl: Using X509TrustManager com.ibm.jsse2.aAJsseJCE: Using SecureRandom IBMSecureRandom from provider IBMJCE version 1.8trigger seeding of SecureRandomdone seeding SecureRandomIBMJSSE2 will enable CBC protectionJsseJCE: Using SecureRandom IBMSecureRandom from provider IBMJCE version 1.8JsseJCE: Using KeyAgreement ECDH from provider IBMJCE version 1.8JsseJCE: Using signature SHA1withECDSA from provider TBD via initJsseJCE: Using signature NONEwithECDSA from provider TBD via initJsseJCE: Using KeyFactory EC from provider IBMJCE version 1.8JsseJCE: Using KeyPairGenerator EC from provider TBD via initJsseJce: EC is availableJsseJCE: Using cipher AES/GCM/NoPadding from provider TBD via initCipherBox: Using cipher AES/GCM/NoPadding from provider from init IBMJCE version 1.8JsseJCE: Using cipher AES/CBC/NoPadding from provider TBD via initCipherBox: Using cipher AES/CBC/NoPadding from provider from init IBMJCE version 1.8Finalizer thread, called close()keyStore is: /opt/tibco/tibcojre64/1.8.0/lib/security/cacertskeyStore type is: jkskeyStore provider is:init keystoreSSLContextImpl: Using X509ExtendedKeyManager com.ibm.jsse2.awSSLContextImpl: Using X509TrustManager com.tibco.security.ssl.D.Atrigger seeding of SecureRandomdone seeding SecureRandomPersistent Connection Manager is DisabledPersistent Connection Manager is DisabledPersistent Connection Manager is Disabled2022 Sep 20 12:22:24:975 GMT +0100 BW.ServiceName-6-Process_Archive Debug [bW-Core] <= BusinessServices/ServiceName/Interface/JMSRequestReply.process/JMSRequestReplyGroup/CallMain>BusinessServices/ServiceName/Processes/Main.process/MainGroup/3rdPartySOAPCall.eval(Job-499007) returned STAY_HEREIBMJSSE2 will allow RFC 5746 renegotiation per com.ibm.jsse2.renegotiate set to none or defaultIBMJSSE2 will not require renegotiation indicator during initial handshake per com.ibm.jsse2.renegotiation.indicator set to OPTIONAL or default takenIBMJSSE2 will not perform identity checking against the peer cert check during renegotiation per com.ibm.jsse2.renegotiation.peer.cert.check set to OFF or defaultIBMJSSE2 will allow client initiated renegotiation per jdk.tls.rejectClientInitiatedRenegotiation set to FALSE or defaultIBMJSSE2 will not allow unsafe server certificate change during renegotiation per jdk.tls.allowUnsafeServerCertChange set to FALSE or defaultIs initial handshake: trueMainGroup/3rdPartySOAPCall0, setSoTimeout(61000) calledIgnoring unsupported cipher suite: SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 for TLSv1Ignoring unsupported cipher suite: SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1Ignoring unsupported cipher suite: SSL_RSA_WITH_AES_128_CBC_SHA256 for TLSv1Ignoring unsupported cipher suite: SSL_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 for TLSv1Ignoring unsupported cipher suite: SSL_ECDH_RSA_WITH_AES_128_CBC_SHA256 for TLSv1Ignoring unsupported cipher suite: SSL_DHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1Ignoring unsupported cipher suite: SSL_DHE_DSS_WITH_AES_128_CBC_SHA256 for TLSv1Ignoring unsupported cipher suite: SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 for TLSv1.1Ignoring unsupported cipher suite: SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1.1Ignoring unsupported cipher suite: SSL_RSA_WITH_AES_128_CBC_SHA256 for TLSv1.1Ignoring unsupported cipher suite: SSL_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 for TLSv1.1Ignoring unsupported cipher suite: SSL_ECDH_RSA_WITH_AES_128_CBC_SHA256 for TLSv1.1Ignoring unsupported cipher suite: SSL_DHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1.1Ignoring unsupported cipher suite: SSL_DHE_DSS_WITH_AES_128_CBC_SHA256 for TLSv1.1%% No cached client session*** ClientHello, TLSv1.2RandomCookie: GMT: 1663607409 bytes = { 60, 105, 116, 42, 69, 63, 166, 163, 120, 8, 198, 114, 42, 39, 130, 36, 124, 78, 125, 104, 84, 187, 134, 220, 38, 65, 208, 1 }Session ID: {}Cipher Suites: [sSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA256, SSL_RSA_WITH_AES_128_CBC_SHA256, SSL_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, SSL_ECDH_RSA_WITH_AES_128_CBC_SHA256, SSL_DHE_RSA_WITH_AES_128_CBC_SHA256, SSL_DHE_DSS_WITH_AES_128_CBC_SHA256, SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_AES_128_CBC_SHA, SSL_ECDH_ECDSA_WITH_AES_128_CBC_SHA, SSL_ECDH_RSA_WITH_AES_128_CBC_SHA, SSL_DHE_RSA_WITH_AES_128_CBC_SHA, SSL_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA]Compression Methods: { 0 }Extension elliptic_curves, curve names: {secp256r1, secp192r1, secp224r1, secp384r1, secp521r1, secp160k1, secp160r1, secp160r2, secp192k1, secp224k1, secp256k1}Extension ec_point_formats, formats: [uncompressed]Extension renegotiation_info, ri_length: 0, ri_connection_data: { null }Extension signature_algorithms, signature_algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA, SHA224withECDSA, SHA224withRSA, SHA1withECDSA, SHA1withRSA, SHA256withDSA, SHA1withDSA, MD5withRSAExtension server_name, server_name: [type=host_name (0), value=txn-cst.cxmlpg.com]***MainGroup/3rdPartySOAPCall0, WRITE: TLSv1.2 Handshake, length = 185MainGroup/3rdPartySOAPCall0, READ: TLSv1.2 Alert, length = 2MainGroup/3rdPartySOAPCall0, RECV TLSv1.2 ALERT: fatal, handshake_failureMainGroup/3rdPartySOAPCall0, called closeSocket()MainGroup/3rdPartySOAPCall0, handling exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failureMainGroup/3rdPartySOAPCall0, called close()MainGroup/3rdPartySOAPCall0, called closeInternal(true)We have also tried replacing limited strength JCE policy files with JCE Unlimited Strength Jurisdiction policy files and adding the "java.property.https.cipherSuites" property to force TLS handshake via a specific cipher, but it does not seem to work.How can we achieve the above requirement?Note: Apart from java properties at the application TRA level, we have not added any filters/constraints in java.security file or anywhere else from TIBCO's perspective.Thanks in advance. Link to comment Share on other sites More sharing options...
Emmanuel Marchiset 2 Posted October 8, 2022 Share Posted October 8, 2022 Hi,I see you are using an old version of Java 1.8, installing the latest HF for your current TRA version or installing the latest minor release of TRA 5.10 (5.10.2) might be needed.Also the following KB article might help :https://support.tibco.com/s/article/Tibco-KnowledgeArticle-Article-46235You may also check TRA 5.10 HF02 readme file and try the properties below (but before that make sure to have this HF or an higher version installed):TRA-3928TIBCO Runtime Agent now supports additional properties to selectively disableTLS protocols 1.0 through 1.2 which are enabled by default.The list of all the TLS/SSL properties is as follows. Note that there's adistinct property for client-side sockets and another for server-side onesto allow for better flexibility in controlling the changes.To disable TLS v1.0, set com.tibco.security.ssl.client.EnableTLSv1 to falseas well as com.tibco.security.ssl.server.EnableTLSv1 to false.To disable TLS v1.1, set com.tibco.security.ssl.client.EnableTLSv11 to falseas well as com.tibco.security.ssl.server.EnableTLSv11 to false.To disable TLS v1.2, set com.tibco.security.ssl.client.EnableTLSv12 to falseas well as com.tibco.security.ssl.server.EnableTLSv12 to false.To disable SSLv2Hello, set com.tibco.security.ssl.server.EnableSSLv2Hello tofalse. This is only for accepting handshakes from old Java 6 clients.SSLv3 is set to false by default. To enable SSLv3, set one or both of theproperties com.tibco.security.ssl.client.EnableSSLv3 and/orcom.tibco.security.ssl.server.EnableSSLv3 to true. Link to comment Share on other sites More sharing options...
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now