as2 file send works with partners that can do tls, but fails for those still using sslv3

DavidSharman

Hello,

We're having an odd problem where we have a dozen or so partners configured. Some of them can respond to our initiating an AS2 transfer when we start by using TLS. But, instead, when we try to send to a partner that still uses older software that only knows SSLv3, we get an SSL handshake error. We are still using the mendelson AS2 1.1 software that appears to have Jetty v6 embedded.

I was under the impression that the software would fall back to SSLv3 if the other end couldn't deal with TLS, but this doesn't appear to happen. The configuration as we have it used to work with the SSLv3 clients.

Any thoughts?

Dave.

DavidSharman

Ok... this now works...

It turns out that our handy dandy unix group did a bunch of patches, including... Java 1.7_u75, which among other things, disables SSLv3...

thus causing the problems with our SSLv3 customers.

And naturally, they didn't tell us about the patches they were doing.

service

DavidSharman,

thank you very much for this information! I think that that will affect many customers in the near future because many AS2 systems still do not support TLS.

The settings in the jetty.xml to disable SSLv3 as described in http://community.mendelson-e-c.com/node/2905 will permit SSLv3 only for inbound connections - it is currently required to support SSLv3 for outbound connections because of compatibility issues.

In the release notes of the Java version you refer to (http://www.oracle.com/technetwork/java/javase/7u75-relnotes-2389086.html...) there is a hint to manually enable SSLv3, as it is disabled by default:

7u75 Update Release Notes wrote:

New Features and Changes

SSLv3 is disabled by default

Starting with JDK 7u75 release, the SSLv3 protocol (Secure Socket Layer) has been deactivated and is not available by default. See the java.security.Security property jdk.tls.disabledAlgorithms in /lib/security/java.security file.

If SSLv3 is absolutely required, the protocol can be reactivated by removing "SSLv3" from the jdk.tls.disabledAlgorithms property in the java.security file or by dynamically setting this Security property to "true" before JSSE is initialized.

It should be noted that SSLv3 is obsolete and should no longer be used.

Changes to Java Control Panel

Starting with 7u75 release, SSLv3 protocol is removed from Java Control Panel Advanced options.

If the user needs to use SSLv3 for applications, re-enable it manually as follows:

Enable SSLv3 protocol on JRE level: as described in the previous section.
Enable SSLv3 protocol on deploy level: edit the deployment.properties file and add the following:

deployment.security.SSLv3=true

Thanks again, useful hint!
Regards
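To check which state a JVM's java.security file is actually in after an update like 7u75 (before blaming a partner's AS2 endpoint), here is an added example, not code from this thread or from the mendelson project, that parses the jdk.tls.disabledAlgorithms entry in the Java Properties format java.security uses (comments and backslash line continuations). The sample file contents are constructed for illustration.

```python
"""Audit a JDK java.security file for the jdk.tls.disabledAlgorithms setting.

7u75 added "SSLv3" to this property; removing it re-enables the protocol for
all JSSE connections made by that JVM, so an audit should read the real file
rather than assume the JDK default.
"""
import re


def parse_java_security(text):
    """Return key -> value for a java.security file (Java Properties syntax).

    Handles '#' / '!' comment lines and '\\' line continuations, which later
    JDKs use to spread jdk.tls.disabledAlgorithms over several lines.
    """
    props, pending = {}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not pending and (not line or line[0] in "#!"):
            continue  # blank or comment line outside a continuation
        pending += line
        if pending.endswith("\\"):
            pending = pending[:-1]  # continuation: glue the next line on
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]\s*(.*)$", pending)
        if m:
            props[m.group(1)] = m.group(2).strip()
        pending = ""
    return props


def disabled_tls_algorithms(text):
    """Entries of jdk.tls.disabledAlgorithms as a set (empty if unset)."""
    value = parse_java_security(text).get("jdk.tls.disabledAlgorithms", "")
    return {item.strip() for item in value.split(",") if item.strip()}


def sslv3_disabled(text):
    """True when the JVM described by this file refuses SSLv3 (7u75+ default)."""
    return "SSLv3" in disabled_tls_algorithms(text)


# Constructed samples, not copied from any real installation.
SAMPLE_7U75_DEFAULT = "# constructed: 7u75-style default\njdk.tls.disabledAlgorithms=SSLv3\n"
SAMPLE_REENABLED = "# constructed: SSLv3 removed for legacy partners\njdk.tls.disabledAlgorithms=\n"
SAMPLE_MULTILINE = (
    "# constructed: later-style value using line continuations\n"
    "jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, \\\n"
    "    DH keySize < 1024, EC keySize < 224\n"
)

if __name__ == "__main__":
    for name, sample in [("7u75 default", SAMPLE_7U75_DEFAULT), ("re-enabled", SAMPLE_REENABLED)]:
        print(f"{name}: SSLv3 disabled = {sslv3_disabled(sample)}")
```

Point the parser at the real `<JRE>/lib/security/java.security` of the JVM that runs mendelson to see whether the update or a later manual edit is in effect.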