Which component is doing the SSL handshaking? If it's Java, this trace
should show all of the details. If it's RPG, I'm not sure what you would do
to trace it. I believe the output is written to wherever Java writes its
STDOUT. I'm not sure but it might be a separate spool file. You can set
this via the os400.stdout Java system property (e.g.
-Dos400.stdout=file:mystdout.txt). For an RPG program calling a Java
program this is set in the QIBM_RPG_JAVA_PROPERTIES environment variable.
Have a look at the RPG Programmer's Guide in the "RPG and Java" section.

Gary

-----Original Message-----
From: JAVA400-L [mailto:java400-l-bounces@xxxxxxxxxxxx] On Behalf Of Charles
Wilt
Sent: Tuesday, May 16, 2017 3:37 PM
To: Java Programming on and around the IBM i <java400-l@xxxxxxxxxxxx>
Subject: Re: SSL Handshake failure after PTF

Also, this is an RPG program calling Java methods...

Can I still set that property somehow?

Where would I find the resulting log?

Thanks!
Charles

On Tue, May 16, 2017 at 2:28 PM, Gary L Peskin <garyp@xxxxxxxxxxxx> wrote:

If you set the system property

javax.net.debug=all

the output should show exactly what's going on during the handshake.
You can set this by including

-Djavax.net.debug=all

on the command line used to launch your Java application.

HTH,
Gary

-----Original Message-----
From: JAVA400-L [mailto:java400-l-bounces@xxxxxxxxxxxx] On Behalf Of
Charles Wilt
Sent: Tuesday, May 16, 2017 1:21 PM
To: Java Programming on and around the IBM i <java400-l@xxxxxxxxxxxx>
Subject: Re: SSL Handshake failure after PTF

Thanks Zhang,

Been looking through those IBM docs...along with Oracle ones....

But I've yet to find a reason for the failure...

Relevant code:

    // Trust manager that accepts any certificate chain without validation
    TrustManager[] trustAllCerts = new TrustManager[]{
        new X509TrustManager()
        {
            public java.security.cert.X509Certificate[] getAcceptedIssuers()
            {
                return null;
            }

            public void checkClientTrusted(java.security.cert.X509Certificate[] certs, String authType)
            {
            }

            public void checkServerTrusted(java.security.cert.X509Certificate[] certs, String authType)
            {
            }
        }
    };
    sc = SSLContext.getInstance("SSL");
    sc.init(null, trustAllCerts, new java.security.SecureRandom());

    // setDefaultSSLSocketFactory is static: it sets the factory for every HttpsURLConnection
    ((HttpsURLConnection)c).setDefaultSSLSocketFactory(sc.getSocketFactory());
    WriteLog("Trust manager and SSL factory built.");

    WriteLog("Establishing data connection to remote server...");
    c.connect();


From what I've found, the SSLContext.getInstance("SSL"), would have
defaulted to SSLv3 prior to FP40 and to TLSv1.0 afterward.

According to ssldecoder.com, the server shows:
Protocols

- TLSv1.2 (Not supported)
<http://www.yassl.com/yaSSL/Blog/Entries/2010/10/7_Differences_between_SSL_and_TLS_Protocol_Versions.html>

- TLSv1.1 (Not supported)

- TLSv1.0 (Supported)

- SSLv3 (Supported)
<https://blog.mozilla.org/security/2014/10/14/the-poodle-attack-and-the-end-of-ssl-3-0/>

- SSLv2 (Not supported)


So I'd expect the connection to succeed with TLSv1.0

Server Cert Details

Key Size / Type: 2048 bits rsa

Signature Algorithm: sha256WithRSAEncryption


The one other thing I found was that the CA cert used by the server is
an SHA-1 one...

VeriSign Class 3 Public Primary Certification Authority - G5

Key Size / Type: 2048 bits rsa

Signature Algorithm: sha1WithRSAEncryption


But while I found something about Java 9 intending to disable SHA-1 in
the future, I couldn't find anything about Java 6 doing so today.


What am I missing?

Thanks!

Charles



On Mon, May 15, 2017 at 7:50 PM, Gan Zhang <zhanggan@xxxxxxxxxx> wrote:

Try to find something from
[1]https://www.ibm.com/developerworks/community/wikis/home?lang=en#!/wiki/IBM%20i%20Technology%20Updates/page/News%20of%20Java%20on%20IBM%20i.
I would guess the updates on Dec. 2014 and May 2015 could help you.

Best regards.
____________________________________________________________
Gavin, Zhang Gan --
[2]https://w3-connections.ibm.com/profiles/html/profileView.do?key=d77158d7-c5cd-4e6e-a90d-23dddc9cbaba&lang=en
IBM i J9 Team Lead,
Email: zhanggan@xxxxxxxxxx
Phone: +86-10-82452719
Address: 1/F, 28, ZhongGuanCun Software Park, No.8 Dong Bei Wang West
Road, Haidian District, Beijing P.R.China 100193
J9 on i:
[3]http://www.ibm.com/developerworks/ibmi/techupdates/java



----- Original message -----
From: Charles Wilt <charles.wilt@xxxxxxxxx>
Sent by: "JAVA400-L" <java400-l-bounces@xxxxxxxxxxxx>
To: "Java Programming on and around the iSeries / AS400"
<java400-l@xxxxxxxxxxxx>
Cc:
Subject: SSL Handshake failure after PTF
Date: Tue, May 16, 2017 6:56 AM

Box running 7.2, originally cume C16127 loaded C17068.

Have a Java app that uses SSL failing during the handshake.

I know IBM turned off by default some insecure ciphers in the OS late
last year / early this year.

I am assuming Java did the same. But I can't find relevant
documentation.

Java 6 & Java 7 are installed...appears that Java 6 is the system
default.
(& Yes I'm aware that's supposed to go away :) )

Can anybody point me to the right docs regarding Java SSL on the i?

Thanks!
Charles
--
This is the Java Programming on and around the IBM i
(JAVA400-L) mailing
list
To post a message email: JAVA400-L@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: [4]http://lists.midrange.com/mailman/listinfo/java400-l
or email: JAVA400-L-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives
at [5]http://archive.midrange.com/java400-l.




References

Visible links
1. https://www.ibm.com/developerworks/community/wikis/home?lang=en#!/wiki/IBM%20i%20Technology%20Updates/page/News%20of%20Java%20on%20IBM%20i
2. https://w3-connections.ibm.com/profiles/html/profileView.do?key=d77158d7-c5cd-4e6e-a90d-23dddc9cbaba&lang=en
3. http://www.ibm.com/developerworks/ibmi/techupdates/java
4. http://lists.midrange.com/mailman/listinfo/java400-l
5. http://archive.midrange.com/java400-l
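
Added example (not part of the thread and not any poster's code): a Java 6-compatible probe that prints which protocols a context obtained as "SSL" and as "TLS" supports and enables by default on the local JVM, which is the question raised above about SSLContext.getInstance("SSL"), and, if a host is given, reports the protocol and cipher suite actually negotiated. The class name HandshakeProbe and its host/port arguments are assumptions for illustration; it uses the JVM's default trust managers rather than a trust-all manager.

```java
import java.util.Arrays;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSocket;

// Added example: HandshakeProbe is a hypothetical diagnostic class, not code from the thread.
public class HandshakeProbe {
    // Build a context with the JVM's default key and trust managers (certificates are validated).
    static SSLContext context(String name) throws Exception {
        SSLContext sc = SSLContext.getInstance(name);
        sc.init(null, null, null);
        return sc;
    }

    // Print what this JVM offers for the given context name before any network traffic.
    static void describe(String name) throws Exception {
        SSLContext sc = context(name);
        System.out.println("SSLContext \"" + name + "\" from " + sc.getProvider().getName());
        System.out.println("  supported protocols: "
                + Arrays.toString(sc.getSupportedSSLParameters().getProtocols()));
        System.out.println("  enabled by default:  "
                + Arrays.toString(sc.getDefaultSSLParameters().getProtocols()));
        System.out.println("  enabled cipher suites: "
                + sc.getDefaultSSLParameters().getCipherSuites().length);
    }

    // Handshake with the server and report the outcome for this context name.
    static void probe(String name, String host, int port) throws Exception {
        SSLSocket s = (SSLSocket) context(name).getSocketFactory().createSocket(host, port);
        try {
            s.startHandshake();
            SSLSession session = s.getSession();
            System.out.println("  negotiated " + session.getProtocol() + " / " + session.getCipherSuite());
        } catch (SSLException e) {
            System.out.println("  handshake failed: " + e);
        } finally {
            s.close();
        }
    }

    // Usage: java HandshakeProbe [host [port]]; with no arguments only local settings are printed.
    public static void main(String[] args) throws Exception {
        String[] names = {"SSL", "TLS"};
        for (int i = 0; i < names.length; i++) {
            describe(names[i]);
            if (args.length > 0) {
                probe(names[i], args[0], args.length > 1 ? Integer.parseInt(args[1]) : 443);
            }
        }
    }
}
```

Comparing the "enabled by default" list with the protocols the server reports as supported shows whether the two sides still have a protocol version in common after a JVM update.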


