Re: SSL Handshake failure after PTF

If you set the system property

javax.net.debug=all

the output should show exactly what's going on during the handshake. You
can set this by including

-Djavax.net.debug=all

on the command line used to launch your Java application.

HTH,
Gary

-----Original Message-----
From: JAVA400-L [mailto:java400-l-bounces@xxxxxxxxxxxx] On Behalf Of
Charles
Wilt
Sent: Tuesday, May 16, 2017 1:21 PM
To: Java Programming on and around the IBM i <java400-l@xxxxxxxxxxxx>
Subject: Re: SSL Handshake failure after PTF

Thanks Zhang,

Been looking through those IBM docs...along with Oracle ones....

But I've yet to find a reason for the failure...

Relevant code:
TrustManager[] trustAllCerts = new TrustManager[]{
new X509TrustManager()
{

public java.security.cert.X509Certificate[] getAcceptedIssuers()
{
return null;
}

public void checkClientTrusted(java.security.cert.X509Certificate[]
certs, String authType)
{
}
public void checkServerTrusted(java.security.cert.X509Certificate[]
certs, String authType)
{
}

}
}
sc = SSLContext.getInstance("SSL");
sc.init(null, trustAllCerts, new java.security.SecureRandom());

((HttpsURLConnection)c).setDefaultSSLSocketFactory(sc.getSocketFactory());
WriteLog("Trust manager and SSL factory built.");

WriteLog("Establishing data connection to remote server..."); c.connect();


From what I've found, the SSLContext.getInstance("SSL"), would have
defaulted to SSLv3 prior to FP40 and to TLSv1.0 afterward.

According to ssldecoder.com, the server shows:
Protocols

- TLSv1.2 (Not supported)
<http://www.yassl.com/yaSSL/Blog/Entries/2010/10/7_
Differences_between_SSL_a
nd_TLS_Protocol_Versions.html>

- TLSv1.1 (Not supported)

- TLSv1.0 (Supported)

- SSLv3 (Supported)
<https://blog.mozilla.org/security/2014/10/14/the-
poodle-attack-and-the-end-
of-ssl-3-0/>

- SSLv2 (Not supported)


So I'd expect the connection to succeed with TLSv1.0

Server Cert Details

Key Size / Type: 2048 bits rsa

Signature Algorithm: sha256WithRSAEncryption


The one other thing I found was the the CA cert used by the server is an
SHA-1 one...

VeriSign Class 3 Public Primary Certification Authority - G5

Key Size / Type: 2048 bits rsa

Signature Algorithm: sha1WithRSAEncryption


But while I found something about Java 9 intending to disable SHA-1 in the
future, I couldn't find anything about Java 6 doing so today.


What am I missing?

Thanks!

Charles



On Mon, May 15, 2017 at 7:50 PM, Gan Zhang <zhanggan@xxxxxxxxxx> wrote:

Try to find something
from [1]https://www.ibm.com/developerworks/community/
wikis/home?lang=en#!/wiki/IBM%20i%20Technology%20Updates/
page/News%20of%20Java%20on%20IBM%20i.
I would guess the updates on Dec. 2014 and May 2015 could do help
to you.

Best regards.
____________________________________________________________
________________________________
Gavin, Zhang Gan --
[2]https://w3-connections.ibm.com/profiles/html/profileView.
do?key=d77158d7-c5cd-4e6e-a90d-23dddc9cbaba&lang=en
IBM i J9 Team Lead,
Email: zhanggan@xxxxxxxxxx
Phone: +86-10-82452719
Address: 1/F, 28, ZhongGuanCun Software Park, No.8 Dong Bei Wang West
Road, Haidian District, Beijing P.R.China 100193
J9 on i: [3]http://www.ibm.com/developerworks/ibmi/techupdates/java



----- Original message -----
From: Charles Wilt <charles.wilt@xxxxxxxxx>
Sent by: "JAVA400-L" <java400-l-bounces@xxxxxxxxxxxx>
To: "Java Programming on and around the iSeries / AS400"
<java400-l@xxxxxxxxxxxx>
Cc:
Subject: SSL Handshake failure after PTF
Date: Tue, May 16, 2017 6:56 AM

Box running 7.2, originally cume C16127 loaded C17068.

Have a Java app that using SSL failing during the handshake.

I know IBM turned off by default some insecure ciphers in the OS

late

last
year / early this year.

I am assuming Java did the same. But I can't find relevant
documentation.

Java 6 & Java 7 are installed...appears that Java 6 is the system
default.
(& Yes I'm aware that's supposed to go away :) )

Can anybody point me to the right docs regarding Java SSL on the i?

Thanks!
Charles
--
This is the Java Programming on and around the IBM i (JAVA400-L)
mailing
list
To post a message email: JAVA400-L@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: [4]http://lists.midrange.com/mailman/listinfo/java400-l
or email: JAVA400-L-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives
at [5]http://archive.midrange.com/java400-l.




References

Visible links
1. https://www.ibm.com/developerworks/community/
wikis/home?lang=en#!/wiki/IBM%20i%20Technology%20Updates/
page/News%20of%20Java%20on%20IBM%20i
2. https://w3-connections.ibm.com/profiles/html/profileView.
do?key=d77158d7-c5cd-4e6e-a90d-23dddc9cbaba&lang=en
3. http://www.ibm.com/developerworks/ibmi/techupdates/java
4. http://lists.midrange.com/mailman/listinfo/java400-l
5. http://archive.midrange.com/java400-l
--
This is the Java Programming on and around the IBM i (JAVA400-L)
mailing list To post a message email: JAVA400-L@xxxxxxxxxxxx To
subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/java400-l
or email: JAVA400-L-request@xxxxxxxxxxxx Before posting, please take a
moment to review the archives at
http://archive.midrange.com/java400-l.

--
This is the Java Programming on and around the IBM i (JAVA400-L) mailing
list To post a message email: JAVA400-L@xxxxxxxxxxxx To subscribe,
unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/java400-l
or email: JAVA400-L-request@xxxxxxxxxxxx Before posting, please take a
moment to review the archives at http://archive.midrange.com/java400-l.


--
This is the Java Programming on and around the IBM i (JAVA400-L) mailing
list
To post a message email: JAVA400-L@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/java400-l
or email: JAVA400-L-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives
at http://archive.midrange.com/java400-l.