I am trying to update TLS to 1.2 on a GlassFish v3.1.2.2 server. I have tried for days and had no luck.
When I add either of the configurations below to GlassFish

-Djdk.tls.client.protocols=TLSv1.2
or
 -Dhttps.protocols=TLSv1.2

I got the following error:

Severe: PWC3989: An exception or error occurred in the container during the request processing
com.sun.jersey.api.client.ClientHandlerException: javax.net.ssl.SSLHandshakeException: Server chose TLSv1, but that protocol version is not enabled or not supported by the client.
    at com.sun.jersey.client.urlconnection.URLConnectionClientHandler.handle(URLConnectionClientHandler.java:149)
    at com.sun.jersey.api.client.filter.CsrfProtectionFilter.handle(CsrfProtectionFilter.java:97)
    at com.sun.jersey.api.client.Client.handle(Client.java:648)
    at com.sun.jersey.api.client.filter.HTTPBasicAuthFilter.handle(HTTPBasicAuthFilter.java:81)
    at com.sun.jersey.api.client.WebResource.handle(WebResource.java:670)
    at com.sun.jersey.api.client.WebResource.access$200(WebResource.java:74)
    at com.sun.jersey.api.client.WebResource$Builder.post(WebResource.java:563)
    at org.glassfish.admingui.common.security.AdminConsoleAuthModule.validateRequest(AdminConsoleAuthModule.java:256)
    at com.sun.enterprise.security.jmac.config.GFServerConfigProvider$GFServerAuthContext.validateRequest(GFServerConfigProvider.java:1171)
    at com.sun.web.security.RealmAdapter.validate(RealmAdapter.java:1452)
    at com.sun.web.security.RealmAdapter.invokeAuthenticateDelegate(RealmAdapter.java:1330)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:551)
    at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:623)
    at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:595)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:161)
    at org.apache.catalina.connector.CoyoteAdapter.doService(CoyoteAdapter.java:331)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:231)
    at com.sun.enterprise.v3.services.impl.ContainerMapper$AdapterCallable.call(ContainerMapper.java:317)
    at com.sun.enterprise.v3.services.impl.ContainerMapper.service(ContainerMapper.java:195)
    at com.sun.grizzly.http.ProcessorTask.invokeAdapter(ProcessorTask.java:860)
    at com.sun.grizzly.http.ProcessorTask.doProcess(ProcessorTask.java:757)
    at com.sun.grizzly.http.ProcessorTask.process(ProcessorTask.java:1056)
    at com.sun.grizzly.http.DefaultProtocolFilter.execute(DefaultProtocolFilter.java:229)
    at com.sun.grizzly.DefaultProtocolChain.executeProtocolFilter(DefaultProtocolChain.java:137)
    at com.sun.grizzly.DefaultProtocolChain.execute(DefaultProtocolChain.java:104)
    at com.sun.grizzly.DefaultProtocolChain.execute(DefaultProtocolChain.java:90)
    at com.sun.grizzly.http.HttpProtocolChain.execute(HttpProtocolChain.java:79)
    at com.sun.grizzly.ProtocolChainContextTask.doCall(ProtocolChainContextTask.java:54)
    at com.sun.grizzly.SelectionKeyContextTask.call(SelectionKeyContextTask.java:59)
    at com.sun.grizzly.ContextTask.run(ContextTask.java:71)
    at com.sun.grizzly.util.AbstractThreadPool$Worker.doWork(AbstractThreadPool.java:532)
    at com.sun.grizzly.util.AbstractThreadPool$Worker.run(AbstractThreadPool.java:513)
    at java.lang.Thread.run(Thread.java:745)
Caused by: javax.net.ssl.SSLHandshakeException: Server chose TLSv1, but that protocol version is not enabled or not supported by the client.
    at sun.security.ssl.ClientHandshaker.serverHello(ClientHandshaker.java:449)
    at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:203)
    at sun.security.ssl.Handshaker.processLoop(Handshaker.java:961)
    at sun.security.ssl.Handshaker.process_record(Handshaker.java:897)
    at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1033)
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1342)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1369)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1353)
    at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:559)
    at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
    at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:1139)
    at sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(HttpsURLConnectionImpl.java:250)
    at com.sun.jersey.client.urlconnection.URLConnectionClientHandler$1$1.getOutputStream(URLConnectionClientHandler.java:225)
    at com.sun.jersey.api.client.CommittingOutputStream.commitWrite(CommittingOutputStream.java:117)
    at com.sun.jersey.api.client.CommittingOutputStream.write(CommittingOutputStream.java:89)
    at sun.nio.cs.StreamEncoder.writeBytes(StreamEncoder.java:221)
    at sun.nio.cs.StreamEncoder.implFlushBuffer(StreamEncoder.java:291)
    at sun.nio.cs.StreamEncoder.implFlush(StreamEncoder.java:295)
    at sun.nio.cs.StreamEncoder.flush(StreamEncoder.java:141)
    at java.io.OutputStreamWriter.flush(OutputStreamWriter.java:229)
    at java.io.BufferedWriter.flush(BufferedWriter.java:254)
    at com.sun.jersey.core.util.ReaderWriter.writeToAsString(ReaderWriter.java:191)
    at com.sun.jersey.core.provider.AbstractMessageReaderWriterProvider.writeToAsString(AbstractMessageReaderWriterProvider.java:128)
    at com.sun.jersey.core.impl.provider.entity.BaseFormProvider.writeTo(BaseFormProvider.java:109)
    at com.sun.jersey.core.impl.provider.entity.FormMultivaluedMapProvider.writeTo(FormMultivaluedMapProvider.java:99)
    at com.sun.jersey.core.impl.provider.entity.FormMultivaluedMapProvider.writeTo(FormMultivaluedMapProvider.java:59)
    at com.sun.jersey.api.client.RequestWriter.writeRequestEntity(RequestWriter.java:300)
    at com.sun.jersey.client.urlconnection.URLConnectionClientHandler._invoke(URLConnectionClientHandler.java:204)
    at com.sun.jersey.client.urlconnection.URLConnectionClientHandler.handle(URLConnectionClientHandler.java:147)
    ... 32 more

I have to get the update done because of an update from the payment gateway company. If this does not work, none of the transactions will go through. Please help, thank you.

Xi Ye
  • This problem is tricky. We have 2 versions of GlassFish v3 deployed in test and prod. Depending on what version you have, the solution is different. Yes, I have resolved this problem. – Xi Ye Oct 20 '17 at 16:31
  • I am using GlassFish version 3.1.2.2. It would be great if you can share the solution. – PratapSingh Oct 20 '17 at 18:55
  • I wish I could, but my solution is at my previous job. Now I have no access, so I cannot give it to you. Sorry. I could not remember it since it was a long time ago and it was tricky. :( – Xi Ye Oct 23 '17 at 16:07

4 Answers

In short:

  • This needs Java 8 or Java 7 v1.7.0_131-b31 (which enables TLS v1.2 by default on client sockets)
    OR at least Java 7u95 (on which TLS v1.2 should be enabled on client sockets)
  • Then set up GlassFish to use TLS v1.2

See details at https://stackoverflow.com/a/49523279

DrissK

I had a similar issue even while using Java 8. After a bit of debugging, I found that there were some security enhancements made in Java 8 after build 65, which were causing the issue. The server was using TLS v1 while it was disabled on the client side. So, I overrode the property:

  Security.setProperty("jdk.tls.disabledAlgorithms","");
enkor
Subodh Karwa

I am using Java 8. For this you need to write jre-1.8=${jre-1.7} at the bottom of the osgi.properties file in .\glassfish3\glassfish\config.

Then you need to edit domain.xml in \glassfish3\glassfish\domains\DOMAIN_NAME\config: add tls-enabled="false" tls11-enabled="false" tls12-enabled="true" to the ssl tag in your http-listener.

Details about edit domain.xml

Mudrik

The following worked for me:

  • upgraded to Java 8u341
  • applied the patch mentioned here by copying the patched grizzly-config.jar (from here) into <GF3_INSTALL>/glassfish/modules/
  • added -Dhttps.protocols=TLSv1.2 to the server JVM Options
  • restarted the server
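
To check what the JVM behind GlassFish actually offers as a TLS client once the flags discussed in this thread are set, a small local audit helps; it reads jdk.tls.disabledAlgorithms rather than changing it. This is an added example, not code from the question or any of the answers; the class name `TlsClientAudit` and its helper methods are hypothetical, and it inspects the local JVM only.

```java
import java.security.Security;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;

/** Added example (hypothetical class name): reports the TLS versions this JVM offers as a client. */
public class TlsClientAudit {
    // JSSE protocol names older than TLSv1.2.
    static final List<String> LEGACY = Arrays.asList("SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1");

    /** Legacy protocols present in a list of enabled protocol names. */
    static List<String> legacyEnabled(String[] enabled) {
        List<String> hits = new ArrayList<String>();
        for (String p : enabled) {
            if (LEGACY.contains(p)) hits.add(p);
        }
        return hits;
    }

    /** Protocol names found in a comma-separated jdk.tls.disabledAlgorithms value. */
    static List<String> disabledProtocols(String property) {
        List<String> hits = new ArrayList<String>();
        if (property == null) return hits;
        for (String token : property.split(",")) {
            String t = token.trim();
            if (t.startsWith("SSLv") || t.startsWith("TLSv")) hits.add(t);
        }
        return hits;
    }

    public static void main(String[] args) throws Exception {
        // The two flags from the question; null means the JVM default applies.
        // https.protocols is read by HttpsURLConnection only, so it does not
        // change the context defaults printed further down.
        System.out.println("https.protocols          = " + System.getProperty("https.protocols"));
        System.out.println("jdk.tls.client.protocols = " + System.getProperty("jdk.tls.client.protocols"));
        SSLContext ctx = SSLContext.getDefault();
        String[] enabled = ctx.getDefaultSSLParameters().getProtocols();
        System.out.println("enabled by default       = " + Arrays.toString(enabled));
        System.out.println("supported by this JVM    = "
                + Arrays.toString(ctx.getSupportedSSLParameters().getProtocols()));
        // Read-only look at the security property; nothing is modified.
        String disabled = Security.getProperty("jdk.tls.disabledAlgorithms");
        System.out.println("disabled protocols       = " + disabledProtocols(disabled));
        System.out.println("TLSv1.2 offered          = " + Arrays.asList(enabled).contains("TLSv1.2"));
        System.out.println("legacy still offered     = " + legacyEnabled(enabled));
    }
}
```

Run it with the same java binary and the same -D options as the GlassFish domain so the output reflects the settings the server's outbound connections use.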