SSL TLS1.2 cipher support

0
We are trying to set up mutual SSL for a Mendix web service, but we run into a handshake error. The other side supports the ciphers below. But where can I find which ciphers Mendix supports?

Regards, Ronald

    <sec:cipherSuitesFilter>
        <sec:include>TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384</sec:include>
        <sec:include>TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384</sec:include>
        <sec:include>TLS_RSA_WITH_AES_256_CBC_SHA256</sec:include>
        <sec:include>TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384</sec:include>
        <sec:include>TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384</sec:include>
        <sec:include>TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256</sec:include>
        <sec:include>TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256</sec:include>
        <sec:include>TLS_RSA_WITH_AES_128_CBC_SHA256</sec:include>
        <sec:include>TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256</sec:include>
        <sec:include>TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256</sec:include>
        <sec:include>TLS_EMPTY_RENEGOTIATION_INFO_SCSV</sec:include>
    </sec:cipherSuitesFilter>

[EDIT] Setting the model to Java 7 did not resolve it. I keep getting the error below. I assume the error is on the server side. Google or Stack Overflow point to a proxy or PKCS12 problem. Now to find a way to debug this......
    HTTP transport error: javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
        at com.sun.xml.ws.transport.http.client.HttpClientTransport.getOutput(HttpClientTransport.java:132)
        at com.sun.xml.ws.transport.http.client.HttpTransportPipe.process(HttpTransportPipe.java:256)
        at com.sun.xml.ws.transport.http.client.HttpTransportPipe.processRequest(HttpTransportPipe.java:184)
        at com.sun.xml.ws.transport.DeferredTransportPipe.processRequest(DeferredTransportPipe.java:137)
        at com.sun.xml.ws.api.pipe.Fiber.__doRun(Fiber.java:641)
        at com.sun.xml.ws.api.pipe.Fiber._doRun(Fiber.java:600)
        at com.sun.xml.ws.api.pipe.Fiber.doRun(Fiber.java:585)
        at com.sun.xml.ws.api.pipe.Fiber.runSync(Fiber.java:482)
        at com.sun.xml.ws.client.Stub.process(Stub.java:323)
        at com.sun.xml.ws.client.dispatch.DispatchImpl.doInvoke(DispatchImpl.java:192)
        at com.sun.xml.ws.client.dispatch.DispatchImpl.invoke(DispatchImpl.java:218)
        at com.mendix.modules.webservices.call.WebserviceCaller$2.run(WebserviceCaller.java:322)
        at com.mendix.modules.webservices.call.WebserviceCaller$2.run(WebserviceCaller.java:300)
        at java.security.AccessController.doPrivileged(Native Method)
        at com.mendix.modules.webservices.call.WebserviceCaller.call(WebserviceCaller.java:289)
        at com.mendix.modules.webservices.call.WebserviceCaller.call(WebserviceCaller.java:140)
        at com.mendix.modules.webservices.WebserviceModule.callWebservice(WebserviceModule.java:231)
        at com.mendix.modules.microflowengine.actions.integration.CallWebServiceAction.execute(CallWebServiceAction.scala:70)
        at com.mendix.modules.microflowengine.microflow.MicroflowObject.execute(MicroflowObject.java:77)
        at com.mendix.modules.microflowengine.microflow.Microflow.executeAfterBreakingIfNecessary(Microflow.java:163)
        at com.mendix.modules.microflowengine.microflow.Microflow.executeAction(Microflow.java:100)
        at com.mendix.systemwideinterfaces.core.UserAction.execute(UserAction.java:57)
        at com.mendix.core.actionmanagement.CoreAction.doCall(CoreAction.java:478)
        at com.mendix.core.actionmanagement.CoreAction.call(CoreAction.java:463)
        at com.mendix.core.actionmanagement.CustomActionMonitorImpl$$anonfun$run$1.apply(CustomMonitoredAction.scala:22)
        at com.mendix.externalinterface.connector.RequestDispatching$Worker$$anonfun$receive$2.apply(RequestDispatching.scala:185)
        at com.mendix.externalinterface.connector.RequestDispatching$Worker$$anonfun$receive$2.apply(RequestDispatching.scala:179)
        at akka.actor.Actor$class.apply(Actor.scala:545)
        at com.mendix.externalinterface.connector.RequestDispatching$Worker.apply(RequestDispatching.scala:175)
        at akka.actor.LocalActorRef.invoke(ActorRef.scala:910)
        at akka.dispatch.MessageInvocation.invoke(MessageHandling.scala:25)
        at akka.dispatch.ExecutableMailbox$class.processMailbox(ExecutorBasedEventDrivenDispatcher.scala:223)
        at akka.dispatch.ExecutorBasedEventDrivenDispatcher$$anon$4.processMailbox(ExecutorBasedEventDrivenDispatcher.scala:123)
        at akka.dispatch.ExecutableMailbox$class.run(ExecutorBasedEventDrivenDispatcher.scala:195)
        at akka.dispatch.ExecutorBasedEventDrivenDispatcher$$anon$4.run(ExecutorBasedEventDrivenDispatcher.scala:123)
        at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(Unknown Source)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
        at java.lang.Thread.run(Unknown Source)
        at akka.dispatch.MonitorableThread.run(ThreadPoolBuilder.scala:192)
    Caused by: Remote host closed connection during handshake
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(Unknown Source)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(Unknown Source)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(Unknown Source)
        at sun.net.www.protocol.https.HttpsClient.afterConnect(Unknown Source)
        at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(Unknown Source)
        at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(Unknown Source)
        at sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(Unknown Source)
        at com.sun.xml.ws.transport.http.client.HttpClientTransport.getOutput(HttpClientTransport.java:120)
        at com.sun.xml.ws.transport.http.client.HttpTransportPipe.process(HttpTransportPipe.java:256)
        at com.sun.xml.ws.transport.http.client.HttpTransportPipe.processRequest(HttpTransportPipe.java:184)
        at com.sun.xml.ws.transport.DeferredTransportPipe.processRequest(DeferredTransportPipe.java:137)
        at com.sun.xml.ws.api.pipe.Fiber.__doRun(Fiber.java:641)
        at com.sun.xml.ws.api.pipe.Fiber._doRun(Fiber.java:600)
        at com.sun.xml.ws.api.pipe.Fiber.doRun(Fiber.java:585)
        at com.sun.xml.ws.api.pipe.Fiber.runSync(Fiber.java:482)
        at com.sun.xml.ws.client.Stub.process(Stub.java:323)
        at com.sun.xml.ws.client.dispatch.DispatchImpl.doInvoke(DispatchImpl.java:192)
        at com.sun.xml.ws.client.dispatch.DispatchImpl.invoke(DispatchImpl.java:218)
        at com.mendix.modules.webservices.call.WebserviceCaller$2.run(WebserviceCaller.java:322)
        at com.mendix.modules.webservices.call.WebserviceCaller$2.run(WebserviceCaller.java:300)
        at java.security.AccessController.doPrivileged(Native Method)
        at com.mendix.modules.webservices.call.WebserviceCaller.call(WebserviceCaller.java:289)
        at com.mendix.modules.webservices.call.WebserviceCaller.call(WebserviceCaller.java:140)
        at com.mendix.modules.webservices.WebserviceModule.callWebservice(WebserviceModule.java:231)
        at com.mendix.modules.microflowengine.actions.integration.CallWebServiceAction.execute(CallWebServiceAction.scala:70)
        at com.mendix.modules.microflowengine.microflow.MicroflowObject.execute(MicroflowObject.java:77)
        at com.mendix.modules.microflowengine.microflow.Microflow.executeAfterBreakingIfNecessary(Microflow.java:163)
        at com.mendix.modules.microflowengine.microflow.Microflow.executeAction(Microflow.java:100)
        at com.mendix.systemwideinterfaces.core.UserAction.execute(UserAction.java:57)
        at com.mendix.core.actionmanagement.CoreAction.doCall(CoreAction.java:478)
        at com.mendix.core.actionmanagement.CoreAction.call(CoreAction.java:463)
        at com.mendix.core.actionmanagement.CustomActionMonitorImpl$$anonfun$run$1.apply(CustomMonitoredAction.scala:22)
        at com.mendix.externalinterface.connector.RequestDispatching$Worker$$anonfun$receive$2.apply(RequestDispatching.scala:185)
        at com.mendix.externalinterface.connector.RequestDispatching$Worker$$anonfun$receive$2.apply(RequestDispatching.scala:179)
        at akka.actor.Actor$class.apply(Actor.scala:545)
        at com.mendix.externalinterface.connector.RequestDispatching$Worker.apply(RequestDispatching.scala:175)
        at akka.actor.LocalActorRef.invoke(ActorRef.scala:910)
        at akka.dispatch.MessageInvocation.invoke(MessageHandling.scala:25)
        at akka.dispatch.ExecutableMailbox$class.processMailbox(ExecutorBasedEventDrivenDispatcher.scala:223)
        at akka.dispatch.ExecutorBasedEventDrivenDispatcher$$anon$4.processMailbox(ExecutorBasedEventDrivenDispatcher.scala:123)
        at akka.dispatch.ExecutableMailbox$class.run(ExecutorBasedEventDrivenDispatcher.scala:195)
        at akka.dispatch.ExecutorBasedEventDrivenDispatcher$$anon$4.run(ExecutorBasedEventDrivenDispatcher.scala:123)
        at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(Unknown Source)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
        at java.lang.Thread.run(Unknown Source)
        at akka.dispatch.MonitorableThread.run(ThreadPoolBuilder.scala:192)
    Caused by: SSL peer shut down incorrectly
        at com.sun.net.ssl.internal.ssl.InputRecord.read(Unknown Source)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(Unknown Source)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(Unknown Source)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(Unknown Source)
        at sun.net.www.protocol.https.HttpsClient.afterConnect(Unknown Source)
        at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(Unknown Source)
        at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(Unknown Source)
        at sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(Unknown Source)
        at com.sun.xml.ws.transport.http.client.HttpClientTransport.getOutput(HttpClientTransport.java:120)
        at com.sun.xml.ws.transport.http.client.HttpTransportPipe.process(HttpTransportPipe.java:256)
        at com.sun.xml.ws.transport.http.client.HttpTransportPipe.processRequest(HttpTransportPipe.java:184)
        at com.sun.xml.ws.transport.DeferredTransportPipe.processRequest(DeferredTransportPipe.java:137)
        at com.sun.xml.ws.api.pipe.Fiber.__doRun(Fiber.java:641)
        at com.sun.xml.ws.api.pipe.Fiber._doRun(Fiber.java:600)
        at com.sun.xml.ws.api.pipe.Fiber.doRun(Fiber.java:585)
        at com.sun.xml.ws.api.pipe.Fiber.runSync(Fiber.java:482)
        at com.sun.xml.ws.client.Stub.process(Stub.java:323)
        at com.sun.xml.ws.client.dispatch.DispatchImpl.doInvoke(DispatchImpl.java:192)
        at com.sun.xml.ws.client.dispatch.DispatchImpl.invoke(DispatchImpl.java:218)
        at com.mendix.modules.webservices.call.WebserviceCaller$2.run(WebserviceCaller.java:322)
        at com.mendix.modules.webservices.call.WebserviceCaller$2.run(WebserviceCaller.java:300)
        at java.security.AccessController.doPrivileged(Native Method)
        at com.mendix.modules.webservices.call.WebserviceCaller.call(WebserviceCaller.java:289)
        at com.mendix.modules.webservices.call.WebserviceCaller.call(WebserviceCaller.java:140)
        at com.mendix.modules.webservices.WebserviceModule.callWebservice(WebserviceModule.java:231)
        at com.mendix.modules.microflowengine.actions.integration.CallWebServiceAction.execute(CallWebServiceAction.scala:70)
        at com.mendix.modules.microflowengine.microflow.MicroflowObject.execute(MicroflowObject.java:77)
        at com.mendix.modules.microflowengine.microflow.Microflow.executeAfterBreakingIfNecessary(Microflow.java:163)
        at com.mendix.modules.microflowengine.microflow.Microflow.executeAction(Microflow.java:100)
        at com.mendix.systemwideinterfaces.core.UserAction.execute(UserAction.java:57)
        at com.mendix.core.actionmanagement.CoreAction.doCall(CoreAction.java:478)
        at com.mendix.core.actionmanagement.CoreAction.call(CoreAction.java:463)

[EDIT 2] It seems the Mendix server wants to set up a TLS1 instead of TLS1.2:

    INFO | jvm 1 | 2015/03/06 16:49:41 | qtp530732685-1383, READ: TLSv1 Handshake, length = 163
    INFO | jvm 1 | 2015/03/06 16:49:41 | *** ClientHello, TLSv1
    INFO | jvm 1 | 2015/03/06 16:49:41 | RandomCookie: GMT: 1408813973 bytes = { 255, 93, 215, 200, 53, 239, 11, 33, 179, 155, 216, 225, 162, 2, 23, 85, 90, 159, 225, 52, 67, 118, 87, 145, 188, 203, 18, 58 }
    INFO | jvm 1 | 2015/03/06 16:49:41 | Session ID: {}
    INFO | jvm 1 | 2015/03/06 16:49:41 | Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_SHA, TLS_ECDH_ECDSA_WITH_RC4_128_SHA, TLS_ECDH_RSA_WITH_RC4_128_SHA, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_RC4_128_MD5, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
    INFO | jvm 1 | 2015/03/06 16:49:41 | Compression Methods: { 0 }
    INFO | jvm 1 | 2015/03/06 16:49:41 | Extension elliptic_curves, curve names: {secp256r1, sect163k1, sect163r2, secp192r1, secp224r1, sect233k1, sect233r1, sect283k1, sect283r1, secp384r1, sect409k1, sect409r1, secp521r1, sect571k1, sect571r1, secp160k1, secp160r1, secp160r2, sect163r1, secp192k1, sect193r1, sect193r2, secp224k1, sect239k1, secp256k1}
    INFO | jvm 1 | 2015/03/06 16:49:41 | Extension ec_point_formats, formats: [uncompressed]
    INFO | jvm 1 | 2015/03/06 16:49:41 | ***
    INFO | jvm 1 | 2015/03/06 16:49:41 | %% Initialized: [Session-10, SSL_NULL_WITH_NULL_NULL]
    INFO | jvm 1 | 2015/03/06 16:49:41 | qtp530732685-1383, fatal error: 40: no cipher suites in common
    INFO | jvm 1 | 2015/03/06 16:49:41 | javax.net.ssl.SSLHandshakeException: no cipher suites in common
    INFO | jvm 1 | 2015/03/06 16:49:41 | %% Invalidated: [Session-10, SSL_NULL_WITH_NULL_NULL]
    INFO | jvm 1 | 2015/03/06 16:49:41 | qtp530732685-1383, SEND TLSv1 ALERT: fatal, description = handshake_failure
    INFO | jvm 1 | 2015/03/06 16:49:41 | qtp530732685-1383, WRITE: TLSv1 Alert, length = 2
    INFO | jvm 1 | 2015/03/06 16:49:41 | qtp530732685-1383, fatal: engine already closed. Rethrowing javax.net.ssl.SSLHandshakeException: no cipher suites in common
asked
2 answers
0

As far as I'm aware, Mendix doesn't enforce any specific ciphers for SSL connections.

I presume this is about calling a web service from Mendix; this should be as easy as just loading your private key into the Mendix keystore (with its password). When Mendix/Java sets up the SSL connection it should automatically grab the correct certificate from the keystore for authentication.

This should allow for the same certificate types and ciphers as are supported by Java, so that should be the list from this page: http://docs.oracle.com/javase/7/docs/technotes/guides/security/SunProviders.html#SupportedCipherSuites

When looking at that overview and comparing it with your list, I can tell that all methods are supported in Java 7. However, as you can see in the table, Java 6 supports none of those methods. Mx4 runs by default on Java 6, so if you are using Java 6 that would be your issue.
I haven't run Mx4 on Java 7 myself, but the option is available in the cloud portal to choose Java 7 for a Mendix 4 app. So that does mean that this should work with the technology.

answered
0

While Java 7 (as Jasper mentions) does support TLS 1.2, for compatibility reasons it is disabled by default for client sockets, which are used to call web services. See this Oracle blog for more information.

Can you try the command-line option "-Ddeployment.security.TLSv1.2=true"? That should enable TLS 1.2 support for Java 7 client sockets.

answered
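Both answers reduce to one practical check: the cipher suites a Mendix web service call can use are whatever the JVM's JSSE provider supports, and what a client socket actually puts in its ClientHello depends on which protocols are enabled by default. The program below is an added example, not Mendix or Oracle code. It reads both lists from the running JVM, intersects them with the peer's `<sec:include>` list from the question, and can optionally force a TLS 1.2 handshake against a host and port passed on the command line (hypothetical arguments; nothing is contacted unless you supply them). Worth noticing about the question's data: every suite in the peer's list except the renegotiation SCSV marker is a `*_SHA256` or `*_SHA384` suite, and those exist only in TLS 1.2, so a TLSv1 ClientHello like the one in the debug log cannot carry any of them, which is exactly what the "no cipher suites in common" alert says.

```java
import java.util.Arrays;
import java.util.LinkedHashSet;
import java.util.Set;
import java.util.TreeSet;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

/**
 * Added example (not Mendix or Oracle code). Run it with the same JRE the
 * Mendix runtime uses: it reports which protocols and cipher suites JSSE
 * supports, which ones a client socket enables by default, and how many of
 * the peer's required suites fall into each set.
 */
public class CipherSuiteCheck {

    // The suites the remote side accepts, copied from the question's
    // <sec:cipherSuitesFilter>. All *_SHA256 / *_SHA384 suites are TLS 1.2-only.
    static final String[] PEER_SUITES = {
        "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
        "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
        "TLS_RSA_WITH_AES_256_CBC_SHA256",
        "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384",
        "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384",
        "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
        "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
        "TLS_RSA_WITH_AES_128_CBC_SHA256",
        "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256",
        "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256",
        "TLS_EMPTY_RENEGOTIATION_INFO_SCSV"
    };

    /** Every suite this JVM's JSSE provider can negotiate, whether enabled by default or not. */
    static Set<String> supportedSuites(SSLContext ctx) {
        return new TreeSet<String>(Arrays.asList(ctx.getSupportedSSLParameters().getCipherSuites()));
    }

    /** The suites a client socket created from this context enables unless told otherwise. */
    static Set<String> defaultSuites(SSLContext ctx) {
        return new TreeSet<String>(Arrays.asList(ctx.getDefaultSSLParameters().getCipherSuites()));
    }

    /** Peer suites, in the peer's preference order, that also appear in the given JVM set. */
    static Set<String> commonSuites(Set<String> jvmSuites, String[] peerSuites) {
        Set<String> common = new LinkedHashSet<String>();
        for (String suite : peerSuites) {
            if (jvmSuites.contains(suite)) {
                common.add(suite);
            }
        }
        return common;
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getDefault();
        System.out.println("Supported protocols:      "
                + Arrays.toString(ctx.getSupportedSSLParameters().getProtocols()));
        System.out.println("Default client protocols: "
                + Arrays.toString(ctx.getDefaultSSLParameters().getProtocols()));
        System.out.println("Peer suites this JVM could offer:  "
                + commonSuites(supportedSuites(ctx), PEER_SUITES));
        System.out.println("Peer suites enabled by default:    "
                + commonSuites(defaultSuites(ctx), PEER_SUITES));

        // Optional live probe: java CipherSuiteCheck <host> <port> (hypothetical arguments).
        // The context is initialised with the default key and trust managers, so for
        // mutual TLS point javax.net.ssl.keyStore / javax.net.ssl.keyStorePassword at
        // the client PKCS12 before running this.
        if (args.length == 2) {
            SSLContext tls12 = SSLContext.getInstance("TLSv1.2");
            tls12.init(null, null, null);
            SSLSocketFactory factory = tls12.getSocketFactory();
            SSLSocket socket = (SSLSocket) factory.createSocket(args[0], Integer.parseInt(args[1]));
            try {
                // Force TLS 1.2 on this socket regardless of the JVM's default protocol list.
                socket.setEnabledProtocols(new String[] {"TLSv1.2"});
                socket.startHandshake();
                System.out.println("Negotiated " + socket.getSession().getProtocol()
                        + " with " + socket.getSession().getCipherSuite());
            } finally {
                socket.close();
            }
        }
    }
}
```

The "Default client protocols" line is the one to read first: on a Java 7 runtime it typically stops at TLSv1, which matches the TLSv1 ClientHello in the debug log, while "Supported protocols" still lists TLSv1.2. The probe forces TLS 1.2 with `setEnabledProtocols`; the web service call in the stack trace goes through `HttpsURLConnection` (`sun.net.www.protocol.https.HttpsClient`), and for that code path the JSSE system property `https.protocols` (for example `-Dhttps.protocols=TLSv1.2`) is the switch that selects the enabled protocols. If the probe negotiates TLSv1.2 with one of the peer's suites but the Mendix call still fails, the problem is somewhere other than cipher support, such as the client certificate or keystore.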