java ssl handshake failure to authentication manager 8.4
Hi,
After the 8.4 upgrade (from 8.3) a Java webapp cannot complete the SSL handshake.
The config should be OK; I guess that the problem is the TLS 1.2 strict mode on the Authentication Manager, which I don't want to disable.
I've already upgraded the Java lib am-client from 8.1 to the latest 8.4, but with the same results.
The JDK is 1.8 and US_export_policy.jar and local_policy.jar are the latest available. The Java client tries to "talk" TLS 1.2:
2020-07-10 10:05:21,260~INFO~[default task-123]~~|~[stdout]~*** ClientHello, TLSv1.2
2020-07-10 10:05:21,262~INFO~[default task-123]~~|~[stdout]~RandomCookie: GMT: 1594368321 bytes = { 114, 29, 160, 141, 74, 68, 175, 84, 223, 104, 243, 188, 253, 107, 191, 222, 96, 224, 242, 170, 74, 148, 44, 22, 46, 43, 62, 20 }
2020-07-10 10:05:21,262~INFO~[default task-123]~~|~[stdout]~Session ID: {}
2020-07-10 10:05:21,263~INFO~[default task-123]~~|~[stdout]~Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
2020-07-10 10:05:21,263~INFO~[default task-123]~~|~[stdout]~Compression Methods: { 0 }
2020-07-10 10:05:21,263~INFO~[default task-123]~~|~[stdout]~Extension elliptic_curves, curve names: {secp256r1, secp384r1, secp521r1}
2020-07-10 10:05:21,263~INFO~[default task-123]~~|~[stdout]~Extension ec_point_formats, formats: [uncompressed]
2020-07-10 10:05:21,263~INFO~[default task-123]~~|~[stdout]~Extension signature_algorithms, signature_algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA, SHA256withDSA, SHA224withECDSA, SHA224withRSA, SHA224withDSA, SHA1withECDSA, SHA1withRSA, SHA1withDSA
2020-07-10 10:05:21,263~INFO~[default task-123]~~|~[stdout]~Extension extended_master_secret
2020-07-10 10:05:21,264~INFO~[default task-123]~~|~[stdout]~***
2020-07-10 10:05:21,264~INFO~[default task-123]~~|~[stdout]~default task-123, WRITE: TLSv1.2 Handshake, length = 185
2020-07-10 10:05:21,264~INFO~[default task-123]~~|~[stdout]~default task-123, WRITE: SSLv2 client hello message, length = 179
2020-07-10 10:05:21,265~INFO~[default task-123]~~|~[stdout]~default task-123, READ: TLSv1.1 Alert, length = 2
2020-07-10 10:05:21,266~INFO~[default task-123]~~|~[stdout]~default task-123, RECV TLSv1.2 ALERT: fatal, handshake_failure
2020-07-10 10:05:21,266~INFO~[default task-123]~~|~[stdout]~default task-123, fatal: engine already closed. Rethrowing javax.net.ssl.SSLException: Received fatal alert: handshake_failure
Any ideas? Might I have to use a specific cipher suite?
Thanks in advance,
Luca
It might be that you need to enable the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy.
8.4 is now strict TLS1.2, no options to go back to lower than TLS1.2 as in 8.3 and earlier.
Hi Edward,
Thank you for the reply.
The JCE was already updated with the same one you linked.
Luca
Hi Luca,
Were you able to resolve this? I have the same issue after updating to RSA 8.4. I also added to the RSA conf (BiztierServerWrapper.conf) a new option, -Dweblogic.security.SSL.minimumProtocolVersion=TLSv1.0, which solved this issue for a client running Java 1.6 but not on this other client.
Luca
Hey Luca, make sure you're using Java 1.8, and that you updated all the AM .jar files that you use in your code to the .jar files found in the extras of AM 8.4. Also, add these lines to your VM arguments:
-Dweblogic.security.SSL.protocolVersion=TLSv1.2
-Dweblogic.security.SSL.minimumProtocolVersion=TLSv1.2
-Djdk.tls.client.protocols=TLSv1.2
-Dhttps.protocols=TLSv1.2
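
Added example, not part of the thread and not RSA's code: a small Java check to run with the same VM arguments as the webapp, showing whether the unlimited JCE policy is active and which protocols the default JSSE client context will offer, including the `SSLv2Hello` format seen in the trace above. It assumes the application uses the JVM's default `SSLContext`; the class name `TlsClientCheck` and helper `belowTls12` are made up for this illustration.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.crypto.Cipher;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;

public class TlsClientCheck {

    /** Returns every enabled entry that a TLS 1.2-only server would not accept. */
    static List<String> belowTls12(String[] enabled) {
        List<String> bad = new ArrayList<>();
        for (String p : enabled) {
            // SSLv2Hello is a hello *format*, not a version; when it is enabled JSSE
            // logs "WRITE: SSLv2 client hello message", as in the trace above.
            if (!p.equals("TLSv1.2") && !p.equals("TLSv1.3")) {
                bad.add(p);
            }
        }
        return bad;
    }

    public static void main(String[] args) throws Exception {
        // 1. JCE policy: Integer.MAX_VALUE means the unlimited-strength policy is
        //    active; 128 means the limited policy is in force (no AES-256 suites).
        int maxAes = Cipher.getMaxAllowedKeyLength("AES");
        System.out.println("java.version       = " + System.getProperty("java.version"));
        System.out.println("max AES key length = " + maxAes);

        // 2. Which of the VM arguments from the thread this JVM actually received.
        for (String key : new String[] {"jdk.tls.client.protocols", "https.protocols",
                "weblogic.security.SSL.protocolVersion",
                "weblogic.security.SSL.minimumProtocolVersion"}) {
            System.out.println(key + " = " + System.getProperty(key));
        }

        // 3. What the default JSSE context offers as a client (no network I/O).
        //    Assumption: the app does not build its own SSLContext.
        SSLEngine engine = SSLContext.getDefault().createSSLEngine();
        engine.setUseClientMode(true);
        String[] enabled = engine.getEnabledProtocols();
        System.out.println("enabled protocols  = " + Arrays.toString(enabled));
        System.out.println("below TLSv1.2      = " + belowTls12(enabled));

        // 4. Restricting one engine to TLSv1.2 in code, for comparison.
        engine.setEnabledProtocols(new String[] {"TLSv1.2"});
        System.out.println("after pinning      = "
                + Arrays.toString(engine.getEnabledProtocols()));
    }
}
```

An empty "below TLSv1.2" list together with a null `jdk.tls.client.protocols` means the JVM defaults already exclude older protocols; a non-empty list means the arguments did not reach this JVM or something else re-enabled them.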
