on 05-26-2016 4:41 AM
Hello PI experts:
We have a requirement to connect to an external HTTPS URL with a secure protocol, TLS 1.0 or higher. When we try to test SSL connectivity using XPI_Inspector with option 11, which is Authentication, SSL, we were told by the Network/Basis team that by default it is choosing SSL v3 and it is failing because the external URL expects TLS 1.0 or higher. We would like to know whether there is a way to force XPI_Inspector to choose TLS 1.0 or higher instead of SSL v3.
Here is the error that we received in XPI trace:
Begin IAIK Debug:
ssl_debug(9): Starting handshake (iSaSiLk 4.5)...
ssl_debug(9): Sending v3 client_hello message to dev.xxxxxx.local:443, requesting version 3.1...
ssl_debug(9): IOException while handshaking: Connection reset
ssl_debug(9): Sending alert: Alert Fatal: handshake failure
ssl_debug(9): Exception sending message: java.net.SocketException: Broken pipe
ssl_debug(9): Shutting down SSL layer...
ssl_debug(9): Closing transport...
End IAIK Debug.
We were told V3 Client_hello means XPI is initiating the message with SSL v3, but we would like to tell the inspector to initiate with TLS 1.0 or higher.
Any inputs on this will be appreciated.
Thanks,
Ganesh B
Hello Ganesh,
The XPI Inspector can't be forced to use other security levels, such as TLS 1.0, if your system uses SSLv3. The XPI Inspector tool uses the system's default settings, so you can't change that.
The problem in your case is that you still have SSLv3 enabled. SSLv3 has been disabled by default from some SAP JVM levels:
8.1.003
7.1.028
6.1.074
5.1.100
4.1.050
For more information refer to SAP Note 2199062 - SSL protocol and algorithm deprecation in SAP JVM.
The property "jdk.tls.disabledAlgorithms" in file <jdk dir>/jre/lib/security/java.security contains SSLv3 from those SAP JVM levels which disable the SSLv3 protocol for SSL connections initiated over the JDK SSL layer. In your case SSLv3 is still enabled.
You can either edit the mentioned security file to disable SSLv3 or upgrade to at least the mentioned SAP JVM levels, and after that restart your AS Java.
Regards,
Mate
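Added example (not part of the original thread and not SAP code): one way to check whether a given java.security file already lists SSLv3 in "jdk.tls.disabledAlgorithms", as the answer above describes. The sample file contents and the function names are constructed for illustration; the check assumes the plain key=value form and the exact spelling "SSLv3".

```python
import sys

# Constructed samples, not taken from a real system.
PATCHED = """\
# constructed java.security excerpt
jdk.tls.disabledAlgorithms=SSLv3, RC4, \\
    DH keySize < 768
"""
UNPATCHED = """\
#jdk.tls.disabledAlgorithms=SSLv3
jdk.tls.disabledAlgorithms=RC4
"""

def read_property(text, key):
    """Return the last value assigned to key, or None if it is never set.

    Skips '#'/'!' comment lines and joins backslash-continued lines.
    Assumes the 'key=value' form that java.security uses.
    """
    value, logical = None, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not logical and (not line or line[0] in "#!"):
            continue
        if line.endswith("\\"):
            logical += line[:-1]      # continuation: keep collecting
            continue
        name, sep, rest = (logical + line).partition("=")
        logical = ""
        if sep and name.strip() == key:
            value = rest.strip()
    return value

def disabled_tls_entries(text):
    """List the entries of jdk.tls.disabledAlgorithms (None if unset)."""
    value = read_property(text, "jdk.tls.disabledAlgorithms")
    if value is None:
        return None
    return [e.strip() for e in value.split(",") if e.strip()]

def sslv3_disabled(text):
    """True only if 'SSLv3' (spelled as in the answer above) is listed."""
    return "SSLv3" in (disabled_tls_entries(text) or [])

if __name__ == "__main__":
    # Usage: python check_sslv3.py <jdk dir>/jre/lib/security/java.security
    with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
        print("SSLv3 disabled:", sslv3_disabled(fh.read()))
```

A commented-out entry, as in the second sample, does not count: the property has to be active in the file the running JVM actually loads.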