Server's secure-socket-protocol property value of TLS causes SSL connection failure starting in JBoss ON 3.3 Update-04
Environment
- Red Hat JBoss Operations Network (ON) 3.3.4
- Attempt to access the JBoss ON user interface (UI) over the https protocol, for example: https://jbosson.example.com:7443
Issue
- After the update to 3.3 Update-04 (3.3.4), the server does not answer over SSL even though the https interface is initialized.
- SSL_ERROR_NO_CYPHER_OVERLAP or ERR_SSL_VERSION_OR_CIPHER_MISMATCH error shown in the browser when attempting an https connection.
- server.log shows:
  WARN [org.apache.tomcat.util] (MSC service thread 1-4) JBWEB003106: Unsupported protocol TLS
Resolution
Beginning in JBoss ON 3.3 Update-05, the default value has been updated to resolve this issue.
If you are using a user-defined socket protocol value or are unable to upgrade, you will need to change the rhq.server.tomcat.security.secure-socket-protocol property value from TLS to TLSv1,TLSv1.1,TLSv1.2.
For example, in rhq-server.properties:
| Invalid Setting | Valid Setting |
|---|---|
| rhq.server.tomcat.security.secure-socket-protocol=TLS | rhq.server.tomcat.security.secure-socket-protocol=TLSv1,TLSv1.1,TLSv1.2 |
Once the change has been made, save the rhq-server.properties file and restart the JBoss ON server. You will need to repeat this for all JBoss ON servers.
Note that the value TLS is valid for the rhq properties rhq.communications.connector.security.secure-socket-protocol and rhq.server.client.security.secure-socket-protocol, so no modification is required there. However, if desired, the value can be changed to a single value such as TLSv1.2. List values are not valid for these two properties.
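As an added example (not part of the Red Hat solution), the following POSIX shell script checks an rhq-server.properties file for the invalid bare TLS value on the Tomcat property and rewrites it to the valid list, leaving the communications and client properties, for which TLS is valid, untouched. The file path is an assumption supplied by the caller.

```shell
#!/bin/sh
# Added example, not part of the Red Hat solution. Checks and fixes the
# Tomcat secure-socket-protocol setting in an rhq-server.properties file.
# Assumes the key names quoted in the solution; the file path is passed in
# by the caller (assumption: typically <server-dir>/bin/rhq-server.properties).

TOMCAT_KEY='rhq.server.tomcat.security.secure-socket-protocol'
VALID_LIST='TLSv1,TLSv1.1,TLSv1.2'

# Print the current value of the Tomcat key (empty if the key is absent).
# The last occurrence wins, matching Java Properties semantics.
tomcat_protocol() {
  sed -n "s/^${TOMCAT_KEY}=[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*$/\1/p" "$1" | tail -n 1
}

# Exit 0 when the file carries the invalid bare value 'TLS', 1 otherwise.
has_invalid_tomcat_protocol() {
  [ "$(tomcat_protocol "$1")" = "TLS" ]
}

# Rewrite only the Tomcat key. TLS is valid for the communications and
# client keys, so they are deliberately left alone. Keeps a .bak copy.
fix_tomcat_protocol() {
  if has_invalid_tomcat_protocol "$1"; then
    sed -i.bak "s/^\(${TOMCAT_KEY}\)=[[:space:]]*TLS[[:space:]]*$/\1=${VALID_LIST}/" "$1"
    echo "$1: ${TOMCAT_KEY} set to ${VALID_LIST}; restart the JBoss ON server"
  else
    echo "$1: no change needed (value: '$(tomcat_protocol "$1")')"
  fi
}

# Constructed sample file mirroring the invalid setting from the solution.
if [ "${1:-}" = "--demo" ]; then
  demo=$(mktemp)
  printf '%s=TLS\n' "$TOMCAT_KEY" \
    'rhq.communications.connector.security.secure-socket-protocol' \
    'rhq.server.client.security.secure-socket-protocol' > "$demo"
  fix_tomcat_protocol "$demo"
  cat "$demo"
  rm -f "$demo" "$demo.bak"
fi
```

Run it with `--demo` to see the rewrite on a constructed file, or call `fix_tomcat_protocol` on each server's rhq-server.properties.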
Root Cause
The protocol setting of TLS is, and always has been, invalid. Prior to JBoss ON 3.3 Update-04 (3.3.4) an invalid value would result in the JVM's default protocols being used.
JBoss ON 3.3 Update-04 (3.3.4) was re-based on JBoss Enterprise Application Platform (EAP) 6.4. As of EAP 6.4, protocol parsing was made to be more strict resulting in invalid protocols being rejected and no default being used.
For more details see Red Hat Knowledge Solution "JBWEB003106: Unsupported protocol TLS" on EAP 6.4.
This issue has been reported in Red Hat Bugzilla 1277389.
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.