1

I'm trying to make a third-party SOAP service call that uses HTTPS from a local (development environment) AEM 5.6.1. The SOAP service accepts requests with a minimum TLS protocol of TLSv1.1. I have AEM 5.6.1, which uses JDK7, and for JDK7 the default is TLSv1. To achieve the minimum acceptable TLS, I tried the two approaches below:

Approach 1: Made AEM start with -Dhttps.protocols=TLSv1.2

Approach 2: Updated the SSLContext to update TLS.

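import javax.net.ssl.SSLContext;

// Replace the JVM-wide default SSLContext with a TLSv1.2 one.
SSLContext context = null;
try {
    context = SSLContext.getInstance("TLSv1.2");
    // null key managers and trust managers: fall back to the JVM defaults
    context.init(null, null, new java.security.SecureRandom());
    SSLContext.setDefault(context);
    LOGGER.info("Current TLS:" + SSLContext.getDefault().getProtocol());
} catch (Exception e) {
    LOGGER.error("Error while updating TLS:", e);
}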

The first one doesn't work well, but the other one does update the TLS protocol for AEM to TLSv1.2.

But I'm still unable to access the service. The error remains the same.

Error:

The required TLS connection level has not been met.  SSL Protocol level: TLSv1

Reference:

I would like to know 2 things here,

  • Am I missing anything that is stopping the proper TLS update?
  • Is there any way to update the TLS only for this particular service, instead of changing it globally?

Thanks

phemanthkumar28
  • Please post the error message and the code used to connect to the remote party – Raffaele Mar 23 '17 at 22:35
  • @Raffaele I have updated the description with the error. But this is the customized error from the third-party service. – phemanthkumar28 Mar 24 '17 at 00:30
  • It's not enough. We need to see how the HTTP library is called. The full stack trace would help to understand how to configure your stack – Raffaele Mar 24 '17 at 07:38

1 Answer

1

This is a bug in CQ 5.5/5.6. The core issue boils down to the fact that in older CQ versions SSLv3 was not allowed to be disabled by config, and therefore TLS parameters never took effect.

You need to contact Daycare support and ask for a hotfix for your version.

Alternatively, check out this HF from your package share account: HOTFIX-5220 as this may have the fix for your TLS issue.

AEM 6.0 released a hotfix for this issue available via package share. Use your login and search for HOTFIX-5238 under 6.0 and ask Daycare for a back port or a compatible package for your version of AEM if the above mentioned hot fix does not work for you.

Imran Saeed