Unable to establish connection over TLS 1.2 on AIX 7.1/7.2


# 1  

Hello Team,

I would need your help to enable communication over TLS1.2 on AIX 7.1 or 7.2 with IBM JDK 1.8 latest update.

By default, the request is trying to establish a connection over TLSv1 even though TLS 1.2 is explicitly enabled on the server as well as on Java 8. The openssl command throws an SSL handshake error. We tried with 2 versions of OpenSSL, 1.0.1e and 1.0.2k, but saw the same behavior. Please find the logs below:
Code:
[06:24 AM root@s822-aix01p1 /opt]: openssl s_client -tls1_2 -connect 10.225.120.125:8443
CONNECTED(00000003)
804401144:error:14094438:SSL routines:SSL3_READ_BYTES:tlsv1 alert internal error:s3_pkt.c:1259:SSL alert number 80
804401144:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:599:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1550489753
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
---

It seems there are no cipher suites in common which can work for TLS 1.2. Kindly let me know if you need more information to root cause this issue.

Also, is there any way to enable TLS 1.1 & 1.2 in AIX? I have read a few articles and got to know that these are not enabled by default on AIX.

Thanks,
Naina

Moderator's comment: Kindly wrap your sample of input and expected output into CODE TAGS [CODE]your code....[/CODE] as per the forum's rules.

Last edited by RavinderSingh13; 02-19-2019 at 06:52 AM..
# 3  
Thread moved to AIX...
# 4  
Thanks Gull04. I have tried the debug options provided in the link and got to know that there are no ciphers in common to establish a connection.
Also, I could see that only SSL_* ciphers are enabled. Can you please help me to enable TLS_* ciphers in IBM JDK 8, so that it can communicate over TLS 1.2?

Here are the logs :

Code:
Using SSLEngineImpl.
Is initial handshake: true
qtp-1722886128-39, READ: TLSv1 Handshake, length = 182
*** ClientHello, TLSv1.2
RandomCookie:  GMT: -1246685516 bytes = { 14, 70, 82, 17, 142, 160, 104, 40, 220, 61, 116, 139, 67, 63, 91, 48, 1, 149, 197, 162, 246, 61, 155, 115, 103, 215, 79, 30 }
Session ID:  {}
Cipher Suites: [Unknown 0xcc:0xa9, Unknown 0xcc:0xa8, Unknown 0xcc:0x14, Unknown 0xcc:0x13, SSL_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, SSL_ECDHE_RSA_WITH_AES_128_GCM_SHA256, SSL_DHE_RSA_WITH_AES_128_GCM_SHA256, SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, SSL_ECDHE_RSA_WITH_AES_256_CBC_SHA, SSL_DHE_RSA_WITH_AES_256_CBC_SHA, SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA, SSL_DHE_RSA_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_AES_128_GCM_SHA256, SSL_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA]
Compression Methods:  { 0 }
Extension renegotiation_info, ri_length: 0, ri_connection_data: { null }
Extension extended_master_secret
Unsupported extension type_35, data:
Extension signature_algorithms, signature_algorithms: SHA512withRSA, SHA512withECDSA, SHA384withRSA, SHA384withECDSA, SHA256withRSA, SHA256withECDSA, SHA224withRSA, SHA224withECDSA, SHA1withRSA, SHA1withECDSA
Unsupported extension status_request, data: 01:00:00:00:00
Unsupported extension type_13172, data:
Unsupported extension type_18, data:
Extension application_layer_protocol_negotiation, protocol names: [h2][spdy/3.1][http/1.1]
Unsupported extension type_30032, data:
Extension ec_point_formats, formats: [uncompressed]
Extension elliptic_curves, curve names: {secp256r1, secp384r1}
***
ALPNJSSEExt not initialized for Server
ALPN will not be negotiatedc51426f1[SSLEngine[hostname=10.74.7.16 port=57233] SSL_NULL_WITH_NULL_NULL]
%% Initialized:  [Session-3, SSL_NULL_WITH_NULL_NULL]
qtp-1722886128-39, fatal error: 40: no cipher suites in common
javax.net.ssl.SSLHandshakeException: no cipher suites in common
%% Invalidated:  [Session-3, SSL_NULL_WITH_NULL_NULL]
qtp-1722886128-39, SEND TLSv1.2 ALERT:  fatal, description = handshake_failure
qtp-1722886128-39, WRITE: TLSv1.2 Alert, length = 2
qtp-1722886128-39, fatal: engine already closed.  Rethrowing javax.net.ssl.SSLHandshakeException: no cipher suites in common
qtp-1722886128-39, called closeOutbound()
qtp-1722886128-39, closeOutboundInternal()

Regards,
Naina
# 5  
I did more R&D and found that it is IBM Java which is not allowing communication over TLS 1.2. The same handshake failure was observed on Linux with IBM Java, though it was successful with Oracle Java.

Does anybody have any idea how to enable TLS 1.2 on IBM Java 8?

Regards!
Naina
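The debug log in post #4 shows the client offering suites that the IBM provider prints with an SSL_ prefix, while server configurations written for Oracle Java usually list the same suites with a TLS_ prefix; a mismatch in naming is one way to end up with "no cipher suites in common". The following diagnostic is an added example, not code from this thread or from IBM: it prints which protocols each SSLContext enables by default on the running JDK and checks a configured cipher list (a constructed sample, replace it with your own) against the names the installed provider actually reports. Class and method names (TlsDiag, stem, providerSuites, serverEngine) are my own.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import java.util.Arrays;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

public class TlsDiag {
    // Strip the vendor prefix so "SSL_..." (IBM naming) and "TLS_..." (Oracle naming)
    // spellings of the same suite compare equal.
    static String stem(String suite) {
        return suite.replaceFirst("^(SSL|TLS)_", "");
    }

    // Map each prefix-free stem back to the name the installed provider uses.
    static Map<String, String> providerSuites(SSLEngine engine) {
        Map<String, String> byStem = new HashMap<>();
        for (String s : engine.getSupportedCipherSuites()) {
            byStem.put(stem(s), s);
        }
        return byStem;
    }

    // Server-side engine with default key/trust managers; no handshake is started,
    // so no key material is needed just to inspect protocols and suites.
    static SSLEngine serverEngine(String proto) throws Exception {
        SSLContext ctx = SSLContext.getInstance(proto);
        ctx.init(null, null, null);
        SSLEngine engine = ctx.createSSLEngine();
        engine.setUseClientMode(false);
        return engine;
    }

    public static void main(String[] args) throws Exception {
        // Show what the generic "TLS" context enables versus an explicit TLSv1.2 context.
        for (String proto : new String[] {"TLS", "TLSv1.2"}) {
            System.out.println(proto + " context, enabled protocols: "
                    + Arrays.toString(serverEngine(proto).getEnabledProtocols()));
        }
        // Constructed sample of a server cipher list written with Oracle-style names.
        List<String> configured = Arrays.asList(
                "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
                "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
                "TLS_RSA_WITH_AES_128_GCM_SHA256");
        Map<String, String> available = providerSuites(serverEngine("TLSv1.2"));
        for (String want : configured) {
            String have = available.get(stem(want));
            if (have == null) System.out.println("NOT SUPPORTED by this provider: " + want);
            else if (!have.equals(want)) System.out.println("name differs: " + want + " -> " + have);
            else System.out.println("ok: " + want);
        }
    }
}
```

Run it with the same JDK that runs the server (java TlsDiag); a "name differs" line means the suite exists but the server configuration must use the provider's spelling for it to be enabled.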