If you set the system property--
javax.net.debug=all
the output should show exactly what's going on during the handshake.
You can set this by including
-Djavax.net.debug=all
on the command line used to launch your Java application.
HTH,
Gary
-----Original Message-----
From: JAVA400-L [mailto:java400-l-bounces@xxxxxxxxxxxx] On Behalf Of
Charles Wilt
Sent: Tuesday, May 16, 2017 1:21 PM
To: Java Programming on and around the IBM i <java400-l@xxxxxxxxxxxx>
Subject: Re: SSL Handshake failure after PTF
Thanks Zhang,
Been looking through those IBM docs...along with Oracle ones....
But I've yet to find a reason for the failure...
Relevant code:
    // Trust manager that accepts every certificate chain (no validation is performed)
    TrustManager[] trustAllCerts = new TrustManager[]{
        new X509TrustManager()
        {
            public java.security.cert.X509Certificate[] getAcceptedIssuers()
            {
                return null;
            }
            public void checkClientTrusted(java.security.cert.X509Certificate[] certs, String authType)
            {
            }
            public void checkServerTrusted(java.security.cert.X509Certificate[] certs, String authType)
            {
            }
        }
    };
    // "SSL" lets the JSSE provider choose the default protocol version
    sc = SSLContext.getInstance("SSL");
    sc.init(null, trustAllCerts, new java.security.SecureRandom());
    // setDefaultSSLSocketFactory is static: it changes the factory for all HttpsURLConnections
    ((HttpsURLConnection)c).setDefaultSSLSocketFactory(sc.getSocketFactory());
    WriteLog("Trust manager and SSL factory built.");
    WriteLog("Establishing data connection to remote server...");
    c.connect();
From what I've found, the SSLContext.getInstance("SSL"), would have
defaulted to SSLv3 prior to FP40 and to TLSv1.0 afterward.
According to ssldecoder.com, the server shows:
Protocols
- TLSv1.2 (Not supported)
  <http://www.yassl.com/yaSSL/Blog/Entries/2010/10/7_Differences_between_SSL_and_TLS_Protocol_Versions.html>
- TLSv1.1 (Not supported)
- TLSv1.0 (Supported)
- SSLv3 (Supported)
  <https://blog.mozilla.org/security/2014/10/14/the-poodle-attack-and-the-end-of-ssl-3-0/>
- SSLv2 (Not supported)
So I'd expect the connection to succeed with TLSv1.0
Server Cert Details
Key Size / Type: 2048 bits rsa
Signature Algorithm: sha256WithRSAEncryption
The one other thing I found was that the CA cert used by the server is
an SHA-1 one...
VeriSign Class 3 Public Primary Certification Authority - G5
Key Size / Type: 2048 bits rsa
Signature Algorithm: sha1WithRSAEncryption
But while I found something about Java 9 intending to disable SHA-1 in
the future, I couldn't find anything about Java 6 doing so today.
What am I missing?
Thanks!
Charles
On Mon, May 15, 2017 at 7:50 PM, Gan Zhang <zhanggan@xxxxxxxxxx> wrote:
Try to find something late from
[1]https://www.ibm.com/developerworks/community/wikis/home?lang=en#!/wiki/IBM%20i%20Technology%20Updates/page/News%20of%20Java%20on%20IBM%20i.
I would guess the updates in Dec. 2014 and May 2015 could be of help
to you.
Best regards.
____________________________________________________________
Gavin, Zhang Gan --
[2]https://w3-connections.ibm.com/profiles/html/profileView.do?key=d77158d7-c5cd-4e6e-a90d-23dddc9cbaba&lang=en
IBM i J9 Team Lead,
Email: zhanggan@xxxxxxxxxx
Phone: +86-10-82452719
Address: 1/F, 28, ZhongGuanCun Software Park, No.8 Dong Bei Wang West
Road, Haidian District, Beijing P.R.China 100193
J9 on i:
[3]http://www.ibm.com/developerworks/ibmi/techupdates/java
----- Original message -----
From: Charles Wilt <charles.wilt@xxxxxxxxx>
Sent by: "JAVA400-L" <java400-l-bounces@xxxxxxxxxxxx>
To: "Java Programming on and around the iSeries / AS400"
<java400-l@xxxxxxxxxxxx>
Cc:
Subject: SSL Handshake failure after PTF
Date: Tue, May 16, 2017 6:56 AM
Box running 7.2, originally cume C16127 loaded C17068.
Have a Java app that's using SSL failing during the handshake.
I know IBM turned off by default some insecure ciphers in the OS last
year / early this year.
I am assuming Java did the same. But I can't find relevant documentation.
Java 6 & Java 7 are installed...appears that Java 6 is the system default.
(& Yes I'm aware that's supposed to go away :) )
Can anybody point me to the right docs regarding Java SSL on the i?
Thanks!
Charles
--
This is the Java Programming on and around the IBM i
(JAVA400-L) mailing
list
To post a message email: JAVA400-L@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: [4]http://lists.midrange.com/mailman/listinfo/java400-l
or email: JAVA400-L-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives
at [5]http://archive.midrange.com/java400-l.
References
Visible links
1. https://www.ibm.com/developerworks/community/wikis/home?lang=en#!/wiki/IBM%20i%20Technology%20Updates/page/News%20of%20Java%20on%20IBM%20i
2. https://w3-connections.ibm.com/profiles/html/profileView.do?key=d77158d7-c5cd-4e6e-a90d-23dddc9cbaba&lang=en
3. http://www.ibm.com/developerworks/ibmi/techupdates/java
4. http://lists.midrange.com/mailman/listinfo/java400-l
5. http://archive.midrange.com/java400-l
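
To check which protocol versions a given JVM actually enables for each SSLContext name, the question the thread turns on, the following added example (not code from any poster) lists the default and supported protocols and, when given a host and port, attempts one handshake per protocol using normal certificate validation. The class name TlsProbe and its command-line arguments are hypothetical.

```java
import java.util.Arrays;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;

// Added diagnostic, not from the thread. Class name and CLI arguments are hypothetical.
public class TlsProbe {

    // Protocols a context enables by default, using the JVM's default key and trust stores.
    static String[] defaultProtocols(String contextName) throws Exception {
        SSLContext ctx = SSLContext.getInstance(contextName);
        ctx.init(null, null, null);   // null trust managers = default validation, not trust-all
        return ctx.getDefaultSSLParameters().getProtocols();
    }

    // Handshake with exactly one protocol enabled; returns the negotiated suite or the failure.
    static String probe(String host, int port, String protocol) {
        SSLSocket s = null;
        try {
            SSLContext ctx = SSLContext.getInstance("TLS");
            ctx.init(null, null, null);
            s = (SSLSocket) ctx.getSocketFactory().createSocket(host, port);
            s.setEnabledProtocols(new String[] { protocol });
            s.startHandshake();
            return s.getSession().getProtocol() + " / " + s.getSession().getCipherSuite();
        } catch (Exception e) {
            // Covers protocols disabled by policy, rejected by the server, or invalid alone
            return "failed: " + e;
        } finally {
            if (s != null) try { s.close(); } catch (Exception ignored) { }
        }
    }

    public static void main(String[] args) throws Exception {
        for (String name : new String[] { "SSL", "TLS" }) {
            System.out.println(name + " default: " + Arrays.toString(defaultProtocols(name)));
        }
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, null, null);
        String[] supported = ctx.getSupportedSSLParameters().getProtocols();
        System.out.println("supported:   " + Arrays.toString(supported));
        if (args.length == 2) {          // optional: java TlsProbe <host> <port>
            for (String p : supported) {
                System.out.println(p + " -> " + probe(args[0], Integer.parseInt(args[1]), p));
            }
        }
    }
}
```

Running it with -Djavax.net.debug=all, as suggested at the top of the thread, shows the ClientHello and any alert for each attempt.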
This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].