
A client installed on jBOSS is trying to access a secured website configured on a DataPower xi50v6.0.0.2 appliance. The connection is failing at the SSL handshake.

I have taken a packet capture at DataPower and observed that the SSL handshake is failing with the description: Handshake failure (40).

However, at the Client Hello step, I have observed that only one Cipher Suite is specified, which is: TLS_EMPTY_RENEGOTIATION_INFO_SCSV. The TLS protocol used (as per the packet capture) is TLS 1.1. Can this Cipher Suite be a problem? In the DataPower system logs I can see the error below: Request processing failed: Connection terminated before request headers read because of the connection error occurs

Update: The client application is running on jBOSS 7. I have asked our jBOSS administrator to check the configuration at the jBOSS end. I somehow got access to the server where the jBOSS instance is installed and checked domain.xml, where the SSL is configured. Where exactly in domain.xml can the configuration related to cipher suites be found?

user2607367

1 Answer


I have observed that, only one Cipher Suite is specified which is : TLS_EMPTY_RENEGOTIATION_INFO_SCSV

This is no real cipher. If no other ciphers are specified then the client does not offer any ciphers at all, which means that no shared ciphers can be found and thus the handshake will fail. It looks like the client is buggy. The reason might be a failed attempt to fight the POODLE attack by disabling all SSL 3.0 ciphers, which in effect disables all ciphers for TLS 1.0 and TLS 1.1.

Steffen Ullrich
  • Thanks Stephen! If it is not a real cipher, then what exactly is it? – user2607367 Nov 11 '14 at 14:44
  • SCSV are pseudo ciphers. In this case it is used to announce the support for secure renegotiation, see https://www.digicert.com/news/2011-06-03-ssl-renego.htm for a more detailed description. – Steffen Ullrich Nov 11 '14 at 15:06
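The diagnosis in the answer can be checked directly from a packet capture: parse the ClientHello, strip out the signalling suites (SCSVs), and see whether anything negotiable is left. The following is an added example, not code from the question or the answer. It builds a constructed ClientHello in the same shape as the one described in the question (TLS 1.1, cipher suite list containing only TLS_EMPTY_RENEGOTIATION_INFO_SCSV, value 0x00FF from RFC 5746) and goes slightly beyond the thread by also treating TLS_FALLBACK_SCSV (0x5600, RFC 7507) as a non-negotiable pseudo cipher. The `build_client_hello`, `parse_client_hello`, `real_cipher_suites` and `diagnose` function names are this example's own.

```python
import struct

# Signalling cipher suite values (SCSVs). They carry no key exchange, cipher or
# MAC and can never be selected by a server; they only announce client behaviour.
SCSV_SUITES = {
    0x00FF: "TLS_EMPTY_RENEGOTIATION_INFO_SCSV",  # RFC 5746, secure renegotiation
    0x5600: "TLS_FALLBACK_SCSV",                  # RFC 7507, downgrade protection
}


def build_client_hello(version, cipher_suites):
    """Construct a minimal TLS ClientHello record (constructed test input, not a capture).

    version is the 16-bit protocol version (0x0302 = TLS 1.1).
    """
    body = struct.pack("!H", version) + bytes(32)   # client_version + zeroed random
    body += b"\x00"                                  # empty session_id
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body += struct.pack("!H", len(suites)) + suites  # cipher_suites vector
    body += b"\x01\x00"                              # compression_methods: null only
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # HandshakeType client_hello
    record = b"\x16" + struct.pack("!H", version) + struct.pack("!H", len(handshake))
    return record + handshake


def parse_client_hello(record):
    """Return (client_version, [cipher suite ids]) from a TLS record holding a ClientHello."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if hs[0] != 0x01:
        raise ValueError("handshake message is not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    version = struct.unpack("!H", body[0:2])[0]
    pos = 2 + 32                        # skip client_version and random
    sid_len = body[pos]
    pos += 1 + sid_len                  # skip session_id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", body[pos + i:pos + i + 2])[0] for i in range(0, cs_len, 2)]
    return version, suites


def real_cipher_suites(suites):
    """Drop SCSV pseudo ciphers, leaving only suites a server could actually pick."""
    return [s for s in suites if s not in SCSV_SUITES]


def diagnose(record):
    """Explain why a given ClientHello would (or would not) get past suite negotiation."""
    version, suites = parse_client_hello(record)
    real = real_cipher_suites(suites)
    names = [SCSV_SUITES.get(s, "0x%04X" % s) for s in suites]
    if not real:
        return ("version 0x%04X offered only %s: no negotiable cipher suite, "
                "server will answer with handshake_failure (40)" % (version, ", ".join(names)))
    return "version 0x%04X offered %d negotiable cipher suite(s)" % (version, len(real))


if __name__ == "__main__":
    # Constructed input matching the question: TLS 1.1, only the renegotiation SCSV.
    broken = build_client_hello(0x0302, [0x00FF])
    print(diagnose(broken))
    # A healthy client also lists real suites (0x002F and 0x0035 are the AES-CBC RSA suites).
    healthy = build_client_hello(0x0302, [0x002F, 0x0035, 0x00FF])
    print(diagnose(healthy))
```

Run against the bytes of the ClientHello from the capture instead of the constructed record and the `diagnose` output tells you whether the failure is this empty-suite-list bug or something else (certificate, protocol version) that needs a different fix on the jBOSS side.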