OpenAM - OPENAM-15550

Limiting OpenAM to TLSv1.2 with java.security causes SSL handshake errors

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Duplicate
    • Affects Version/s: 13.5.2
    • Fix Version/s: None
    • Component/s: None

      Description

      Bug description

      Limiting the JVM to TLSv1.2 through the use of the java.security file creates SSL handshake errors in OpenAM 13.5.2 when using Java version 1.8.0_192 and above.

      This seems to be related to https://bugster.forgerock.org/jira/browse/OPENAM-14986 but is slightly different and may be seen as a regression, as it works in 13.5.0.

      How to reproduce the issue

      Install Java version 1.8.0_192 or above

      Set java.security settings with the following line to restrict the JVM to TLSv1.2:

      jdk.tls.disabledAlgorithms=SSLv2Hello, SSLv3, RC4, DES, MD5withRSA, DH keySize < 1024, \
         EC keySize < 224, TLSv1, TLSv1.1, DESede, 3DES_EDE_CBC, anon, NULL

      Install OpenAM 13.5.2 with default setup

      Enable JVM debugging (-Djavax.net.debug=all)

      Restart AM and observe errors in the catalina.out log:

      javax.net.ssl.SSLHandshakeException: No appropriate protocol (protocol is disabled or cipher suites are inappropriate)

      This worked in AM 13.5.0, where a connection is made with the cipher suite:

      TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

      Expected behaviour

      Able to connect with TLSv1.2

      Current behaviour

      Unable to connect over TLSv1.2 to any LDAP target

      Workaround

      Downgrade Java or use AM13.5.0/13.5.1

      Code analysis

      Appears to work if the line sb.setProtocol("TLS") is used in the client code.
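      To see how the java.security restriction above interacts with the protocol name handed to SSLContext, the following diagnostic is added here (it is not OpenAM code). The ticket only records that "TLS" works, so the version-specific names "TLSv1" and "TLSv1.2" are assumptions about what client code might request; the restriction is applied at runtime only to keep the program self-contained.

```java
import java.security.Security;
import java.util.Arrays;
import javax.net.ssl.SSLContext;

public class TlsProtocolCheck {
    // Same restriction as the ticket's java.security line. In a real
    // deployment it lives in java.security; it is set here at runtime so the
    // program runs stand-alone. It must be set before any JSSE class is used,
    // because SunJSSE reads jdk.tls.disabledAlgorithms once, on first load.
    static final String DISABLED =
        "SSLv2Hello, SSLv3, RC4, DES, MD5withRSA, DH keySize < 1024, "
        + "EC keySize < 224, TLSv1, TLSv1.1, DESede, 3DES_EDE_CBC, anon, NULL";

    // Returns the protocols a socket from this context would enable by
    // default, after the disabled-algorithm filter has been applied.
    static String[] defaultProtocols(String contextName) throws Exception {
        SSLContext ctx = SSLContext.getInstance(contextName);
        ctx.init(null, null, null); // default key/trust managers are enough here
        return ctx.getDefaultSSLParameters().getProtocols();
    }

    public static void main(String[] args) throws Exception {
        Security.setProperty("jdk.tls.disabledAlgorithms", DISABLED);
        // "TLS" is what the ticket reports as working; the other two names
        // are assumed candidates a client might pass to setProtocol().
        for (String name : new String[] {"TLS", "TLSv1", "TLSv1.2"}) {
            String[] enabled = defaultProtocols(name);
            System.out.printf("SSLContext \"%s\" -> %s%s%n", name,
                Arrays.toString(enabled),
                enabled.length == 0
                    ? "   (no protocol left: handshake fails with 'No appropriate protocol')"
                    : "");
        }
    }
}
```

      A context whose default protocol list is emptied by the filter can only fail the handshake, so checking this list on the JVM and java.security actually in use is a quick way to confirm whether the client's protocol name, rather than the LDAP server, is the reason for the error.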

        People

        • Reporter: Robert Matthews (robert.matthews)