TSL error when calling a WebService over ssl/https

In one of my projects recently, even after importing the correct ssl certificates in the keystore (cacerts and DemoTrust.jks) on the weblogic server, when accessing the webservice over https gave an error.

javax.xml.ws.WebServiceException: javax.net.ssl.SSLHandshakeException: [Security:090497]HANDSHAKE_FAILURE alert received from example.com - 172.16.250.58. Check both sides of the SSL configuration for mismatches in supported ciphers, supported protocol versions, trusted CAs, and hostname verification settings.

After doing some research i found that the error was related to the protocol mismatch. i.e. the webservice did not support sslv3 it only supported TLS.

To solve the problem, i put the following in the server start tab of the WebLogic Managed Server from where my application was calling the web service.

-Dweblogic.security.SSL.protocolVersion=TLS1

This property value enables any protocol starting with “TLS” for messages that are sent and accepted; for example, TLS V1.0, TLS V1.1, and TLS V1.2
Other accepted values are SSLv3, TLSv1, TLSvx.y.

Reference: https://docs.oracle.com/middleware/1213/wls/SECMG/ssl_version.htm#SECMG635

Above is the final thing that worked. We also faced the issue in JDeveloper when consuming the web service. The equivalent of the above in JDeveloper is

-Dhttps.protocols=TLSv1

For Debugging SSL in JDeveloper, use the below

-Djavax.net.debug=ssl

To solve this issue, there are few more things that i figured out and wanted to put out so that it is helpful to me and other in future.

Since the error also pointed something related to hostname verification, i have also tried putting the following parameter to disable hostname verification:

-Dweblogic.security.SSL.ignoreHostnameVerification=true

Use the following command-line properties to enable SSL debugging:

-Dssl.debug=true -Dweblogic.StdoutDebugEnabled=true

———————————————————————-

Other options:

Use this option to turn off checking for the Basic Constraints extension. The rest of the certificate is still validated.
-Dweblogic.security.SSL.enforceConstraints=off

Leave a Reply

Your email address will not be published. Required fields are marked *