Unable to establish connection over TLS 1.2 on AIX 7.1/7.2

Naina2019 · February 18, 2019, 9:05am

Hello Team,

I would need your help to enable communication over TLS1.2 on AIX 7.1 or 7.2 with IBM JDK 1.8 latest update.

By default, the request is trying to establish a connection over TLSv1 even though TLS 1.2 is explicitly enabled on server as well as on Java 8. The openssl command throws SSL handshake error. We tried with 2 versions of OpenSSL, 1.0.1e and 1.0.2k, but same behavior. Please find the logs below:

[06:24 AM root@s822-aix01p1 /opt]: openssl s_client -tls1_2 -connect 10.225.120.125:8443
CONNECTED(00000003)
804401144:error:14094438:SSL routines:SSL3_READ_BYTES:tlsv1 alert internal error:s3_pkt.c:1259:SSL alert number 80
804401144:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:599:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1550489753
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
---

It seems there is no cipher suites on common which can work for TLS 1.2. Kindly let me know if you need more information to root cause this issue.

Also, is there any way to enable TLS 1.1 & 1.2 in AIX as I have read few articles and got to know that these are not enabled by default on AIX.

Thanks,
Naina

gull04 · February 18, 2019, 9:26am

Hi,

I'm going to suggest this is the issue that you have, there is an IBM thread here which may be worth having a look at.

Regards

Gull04

vbe · February 18, 2019, 10:30am

Thread moved to AIX...

Naina2019 · February 19, 2019, 3:10am

Thanks Gull04. I have tried the debug options provided in the link and got to know that there are no ciphers in common to establish a connection.
Also I could see only SSL_* ciphers are enabled. Can you please help me to enable TLS_* ciphers in IBM JDK8, so that it can communicate over TLS 1.2.

Here are the logs :

Using SSLEngineImpl.
Is initial handshake: true
qtp-1722886128-39, READ: TLSv1 Handshake, length = 182
*** ClientHello, TLSv1.2
RandomCookie:  GMT: -1246685516 bytes = { 14, 70, 82, 17, 142, 160, 104, 40, 220, 61, 116, 139, 67, 63, 91, 48, 1, 149, 197, 162, 246, 61, 155, 115, 103, 215, 79, 30 }
Session ID:  {}
Cipher Suites: [Unknown 0xcc:0xa9, Unknown 0xcc:0xa8, Unknown 0xcc:0x14, Unknown 0xcc:0x13, SSL_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, SSL_ECDHE_RSA_WITH_AES_128_GCM_SHA256, SSL_DHE_RSA_WITH_AES_128_GCM_SHA256, SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, SSL_ECDHE_RSA_WITH_AES_256_CBC_SHA, SSL_DHE_RSA_WITH_AES_256_CBC_SHA, SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA, SSL_DHE_RSA_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_AES_128_GCM_SHA256, SSL_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA]
Compression Methods:  { 0 }
Extension renegotiation_info, ri_length: 0, ri_connection_data: { null }
Extension extended_master_secret
Unsupported extension type_35, data:
Extension signature_algorithms, signature_algorithms: SHA512withRSA, SHA512withECDSA, SHA384withRSA, SHA384withECDSA, SHA256withRSA, SHA256withECDSA, SHA224withRSA, SHA224withECDSA, SHA1withRSA, SHA1withECDSA
Unsupported extension status_request, data: 01:00:00:00:00
Unsupported extension type_13172, data:
Unsupported extension type_18, data:
Extension application_layer_protocol_negotiation, protocol names: [h2][spdy/3.1][http/1.1]
Unsupported extension type_30032, data:
Extension ec_point_formats, formats: [uncompressed]
Extension elliptic_curves, curve names: {secp256r1, secp384r1}
***
ALPNJSSEExt not initialized for Server
ALPN will not be negotiatedc51426f1[SSLEngine[hostname=10.74.7.16 port=57233] SSL_NULL_WITH_NULL_NULL]
%% Initialized:  [Session-3, SSL_NULL_WITH_NULL_NULL]
qtp-1722886128-39, fatal error: 40: no cipher suites in common
javax.net.ssl.SSLHandshakeException: no cipher suites in common
%% Invalidated:  [Session-3, SSL_NULL_WITH_NULL_NULL]
qtp-1722886128-39, SEND TLSv1.2 ALERT:  fatal, description = handshake_failure
qtp-1722886128-39, WRITE: TLSv1.2 Alert, length = 2
qtp-1722886128-39, fatal: engine already closed.  Rethrowing javax.net.ssl.SSLHandshakeException: no cipher suites in common
qtp-1722886128-39, called closeOutbound()
qtp-1722886128-39, closeOutboundInternal()

Regards,
Naina

Naina2019 · February 22, 2019, 9:06am

I did more R&D and found that it is IBM Java which is not allowing communication over TLS 1.2. The same handshake failure was observed on Linux with IBM Java, though it was successful with Oracle Java.

Does anybody has any idea how to enable TLS 1.2 on IBM Java 8?

Regards!
Naina