Sending to an AS2 server is failing because of the SSL Cipher being used

Document created by RaphaelRivero (Employee) on Feb 2, 2016. Last modified by ruchika_yadav on Mar 1, 2016.
Sending a document via AS2 is failing with the following stack trace.
com.boomi.connector.ConnectorException: Error sending message to AS2 Server
at com.boomi.connector.as2.AS2Send.handle(AS2Send.java:502)
at com.boomi.connector.as2.AS2Send.send(AS2Send.java:166)
at com.boomi.connector.custom.CustomSendConnectorAction.invoke(CustomSendConnectorAction.java:60)
at com.boomi.connector.base.BaseConnectorAction.invokeBase(BaseConnectorAction.java:275)
at com.boomi.connector.base.BaseConnectorAction.invoke(BaseConnectorAction.java:214)
.
[removed lines]
.
at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)
Caused by: javax.net.ssl.SSLException: Received fatal alert: internal_error
at sun.security.ssl.Alerts.getSSLException(Unknown Source)
at sun.security.ssl.Alerts.getSSLException(Unknown Source)
at sun.security.ssl.SSLSocketImpl.recvAlert(Unknown Source)
at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
at sun.net.www.protocol.https.HttpsClient.afterConnect(Unknown Source)
at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(Unknown Source)
at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(Unknown Source)
at sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(Unknown Source)
at com.boomi.connector.as2.AS2Send.handle(AS2Send.java:463)
... 58 more
SSL debug was enabled on the atom to gather more information:

1. Stop the atom.
2. Edit the atom/bin/atom.vmoptions file and add the following line at the end of the file:
-Djavax.net.debug=ssl
3. Save the file.
4. Restart the atom.

With debug enabled, the following line appears in the container logs; it lists the cipher suites the atom offers in the SSL handshake (the ClientHello):

Feb 2, 2016 1:27:19 PM CST STDOUT  [sun.security.ssl.HandshakeMessage$ClientHello print] Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_SHA, TLS_ECDH_ECDSA_WITH_RC4_128_SHA, TLS_ECDH_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_MD5, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
We know the server's preferred cipher is TLS_DHE_RSA_WITH_AES_128_CBC_SHA, and it is included in the list of cipher suites offered in the SSL handshake. What is happening is that during negotiation TLS_DHE_RSA_WITH_AES_256_CBC_SHA is used instead, because it is a more secure cipher and is listed ahead of the AES_128 suite. To have TLS_DHE_RSA_WITH_AES_128_CBC_SHA used, place it before TLS_DHE_RSA_WITH_AES_256_CBC_SHA in the list. This is done in the atom.vmoptions file with the following procedure.

1. Open the <installation_directory>/bin/atom.vmoptions file.
2. Add the following line listing the supported cipher suites you want to use, in priority order. The list below keeps the same cipher suites and only moves TLS_DHE_RSA_WITH_AES_128_CBC_SHA to the front.

-Dhttps.cipherSuites=TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, ...
NOTE: "..." stands for the remainder of the cipher suites listed in the logs.

3. Save the atom.vmoptions file and restart the atom.

Run your process again; the atom will now use the cipher suite prioritization set in the atom.vmoptions file.
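As an added example (not from the original article and not Boomi's own code), the following Python parses a javax.net.debug ClientHello line of the kind shown above, moves the wanted suite to the front while keeping the rest in the logged order, and renders the -Dhttps.cipherSuites line. It goes slightly beyond the procedure above by also reporting any RC4, 3DES or MD5 suites carried over into the list, so they can be reviewed rather than copied blindly; the log line is a constructed, shortened sample.

```python
import re

# Constructed sample, modelled on the javax.net.debug=ssl ClientHello line above
# but shortened to five entries so the reordering is easy to follow.
SAMPLE_LOG_LINE = (
    "Feb 2, 2016 1:27:19 PM CST STDOUT  [sun.security.ssl.HandshakeMessage$ClientHello print] "
    "Cipher Suites: [TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, "
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_RC4_128_MD5, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]"
)

CIPHER_SUITES_RE = re.compile(r"Cipher Suites: \[([^\]]*)\]")
# Substrings that mark legacy suites a reviewer would want to notice before
# carrying the whole offered list into atom.vmoptions unchanged.
LEGACY_MARKERS = ("RC4", "3DES", "_MD5")


def parse_client_hello_suites(line):
    """Return the cipher suites offered in a ClientHello debug line, in offered order."""
    match = CIPHER_SUITES_RE.search(line)
    if not match:
        raise ValueError("no 'Cipher Suites: [...]' list found in the log line")
    return [suite.strip() for suite in match.group(1).split(",") if suite.strip()]


def prioritize(suites, preferred):
    """Move `preferred` to the front; every other suite keeps its original relative order."""
    if preferred not in suites:
        # A suite the JVM does not offer cannot be enabled by listing it here.
        raise ValueError(f"{preferred} is not in the offered list")
    return [preferred] + [suite for suite in suites if suite != preferred]


def legacy_suites(suites):
    """Suites in the list that use RC4, 3DES or MD5; reported for review, not removed."""
    return [s for s in suites if any(marker in s for marker in LEGACY_MARKERS)]


def vmoptions_line(suites):
    """Render the list as the -Dhttps.cipherSuites line (comma-separated, no spaces)."""
    return "-Dhttps.cipherSuites=" + ",".join(suites)


if __name__ == "__main__":
    offered = parse_client_hello_suites(SAMPLE_LOG_LINE)
    reordered = prioritize(offered, "TLS_DHE_RSA_WITH_AES_128_CBC_SHA")
    print(vmoptions_line(reordered))
    for suite in legacy_suites(reordered):
        print("review:", suite)
```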
