000030301 - Secure sockets protocol_version error

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 2

Article Content

Article Number: 000030301
Applies To: RSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 7.1 SP4 P36 or higher
Issue: The following exception is thrown and appears in the customer's own application log:
javax.net.ssl.SSLException: Received fatal alert: protocol_version
javax.net.ssl.SSLException is thrown by a Java secure sockets package when an SSL/TLS error is detected.

Specifically, an SSL/TLS protocol_version alert is defined as follows:
The protocol version the client has attempted to negotiate is recognized but not supported. (For example, old protocol versions might be avoided for security reasons.) This message is always fatal. (RFC5246, p. 32).

"This message is always fatal" means that the connection will be terminated by the side that raised the alert. The error occurs if the SSL/TLS version chosen by the server is not supported by (or not acceptable to) the client, or if the server supports (or is willing to use) only versions greater than the client version. For example, it occurs if the server supports only TLS 1.0 and above and the client supports only SSL 3.0 and lower.

This situation can occur on any SSL/TLS client-server connection where the supported secure socket protocols are incompatible between client and server.
If the server rejects the client's version and if the client is built with Java and javax.net.ssl, the client application will be notified of the problem via a javax.net.ssl.SSLException thrown with the reason "Received fatal alert: protocol_version", meaning that the server sent a "protocol_version" alert to the client.
If a different Java library or other programming language is in use, the same problem can occur but the event logged or exception thrown will be different.
This problem is known to always occur when the server is RSA Authentication Manager v7.1 SP4 Patch 36 or higher with an RSA Authentication Manager SP4 P10 API (Admin SDK) Java Web Services client that is using the RSA-provided ws-extras.jar file.
This is because the ws-extras.jar library uses only SSLv3 for connections to the server, whilst v7.1 SP4 Patch 36 and higher includes fix AM-28570, which disables SSLv3 and allows only TLSv1 connections (refer to the RSA Authentication Manager README files or the equivalent RSA SecurID Appliance README).
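To confirm this mismatch from a packet capture of the failing connection, the following added example (not RSA code) decodes the protocol version offered in the ClientHello and the alert the server sent back. The function names are hypothetical and the sample bytes are constructed for illustration, not taken from a real capture.

```python
import struct

# Wire values from RFC 5246 and the earlier SSL/TLS specifications.
VERSIONS = {(3, 0): "SSLv3", (3, 1): "TLSv1", (3, 2): "TLSv1.1", (3, 3): "TLSv1.2"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERTS = {40: "handshake_failure", 70: "protocol_version", 71: "insufficient_security"}
HANDSHAKE, ALERT, CLIENT_HELLO = 22, 21, 1


def records(stream):
    """Yield (content_type, record_version, fragment) for each record in a byte stream."""
    pos = 0
    while pos + 5 <= len(stream):
        ctype, major, minor, length = struct.unpack_from("!BBBH", stream, pos)
        fragment = stream[pos + 5:pos + 5 + length]
        if len(fragment) < length:
            raise ValueError("truncated record at offset %d" % pos)
        yield ctype, (major, minor), fragment
        pos += 5 + length


def diagnose(client_bytes, server_bytes):
    """Return (offered_version, alert_level, alert_name) for a failed handshake."""
    offered = None
    for ctype, _, frag in records(client_bytes):
        # ClientHello layout: msg_type(1) + length(3) + client_version(2) + ...
        if ctype == HANDSHAKE and len(frag) >= 6 and frag[0] == CLIENT_HELLO:
            offered = VERSIONS.get((frag[4], frag[5]), "unknown")
            break
    for ctype, _, frag in records(server_bytes):
        if ctype == ALERT and len(frag) == 2:  # unencrypted alert: level + description
            level = ALERT_LEVELS.get(frag[0], "unknown")
            return offered, level, ALERTS.get(frag[1], "alert_%d" % frag[1])
    return offered, None, None


# Constructed sample: a minimal ClientHello offering SSLv3 (zeroed random,
# empty session id, one cipher suite, null compression).
_body = bytes([3, 0]) + bytes(32) + b"\x00" + b"\x00\x02\x00\x0a" + b"\x01\x00"
_hello = b"\x01" + len(_body).to_bytes(3, "big") + _body
SAMPLE_CLIENT = b"\x16\x03\x00" + len(_hello).to_bytes(2, "big") + _hello
# Constructed server reply: alert record carrying fatal(2), protocol_version(70).
SAMPLE_SERVER = b"\x15\x03\x01\x00\x02\x02\x46"

if __name__ == "__main__":
    print(diagnose(SAMPLE_CLIENT, SAMPLE_SERVER))
```

A result of SSLv3 paired with a fatal protocol_version alert matches the condition described in this article; only alerts sent before encryption starts can be decoded this way.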


Contact RSA Support to obtain a modified ws-extras.jar file that uses only TLSv1 connections. You can simply replace the old ws-extras.jar file with the new one in your Admin SDK client application. To facilitate this, the name of the "SSLv3JSSESocketFactory" class has been kept the same in the new ws-extras.jar, so no code changes are required in your Admin SDK client application.

Notes: ws-extras.jar is documented in the RSA Authentication Manager 7.1 Developer's Guide, section Advanced Usage > Generating Web Service Bindings, available from sdk\docs\guide\auth_manager_developer_guide.html of the RSA Authentication Manager 7.1 SP4 10 SDK.