
I'm having issues connecting to a Sybase DB using TLSv1.2. It throws the error: javax.net.ssl.SSLHandshakeException: No appropriate protocol (protocol is disabled or cipher suites are inappropriate)

If I remove "TLSv1, TLSv1.1" from the param "jdk.tls.disabledAlgorithms" in the java.security file, I get no errors; my Java testing class works fine and retrieves some data from the DB (the handshake message shows client version TLSv1).

But if I disable TLSv1 and TLSv1.1 again and run SSLPoke, everything works fine: I can see a ClientHello / ServerHello with value "TLSv1.2" in "client version".

I also tried to use a different driver, jTDS (tried 3 different versions: the original jtds-1.3.1.jar and also 2 others I found in the jTDS discussion forum: jtds-1.3.1-patched.jar and jtds-1.3.1-v20140512.jar), but it didn't work at all (got the following error: java.sql.SQLException: I/O Error: DB server closed connection.). This driver only works if I completely disable SSL.

I did a lot of research, but so far I couldn't find a solution for this.

I will try to be as detailed as possible, and I would appreciate it if someone could point out what the issue could be.

Java version (tried with a couple of different versions, both 1.8.X):

openjdk version "1.8.0_292"
OpenJDK Runtime Environment (build 1.8.0_292-b10)

jconn4.jar version:

jConnect (TM) for JDBC(TM)/16.0 SP02 PL02 (Build 27276)/P/EBF25374/JDK 1.6.0/jdbcmain/OPT/Fri Oct  9 05:31:52 PDT 2015

JDBCConnect.java (same code for both drivers: jConnect "jconn4.jar" and jTDS "jtds-1.3.1.jar")

import java.io.*;
import java.sql.*;

public class JDBCConnect
{
    public static void main( String args[] )
    {
        try
        {
            Class.forName("com.sybase.jdbc4.jdbc.SybDriver");
            Connection con = DriverManager.getConnection("jdbc:sybase:Tds:mysybasehost:9876/mydatabase?ENABLE_SSL=true&SSL_TRUST_ALL_CERTS=true&ssl=require", "sybaseuser","sybasepwd");
            //Class.forName("net.sourceforge.jtds.jdbc.Driver");
            //Connection con = DriverManager.getConnection("jdbc:jtds:sybase://mysybasehost:9876/mydatabase;user=sybaseuser;password=sybasepwd;trustServerCertificate=true;ssl=require","sybaseuser","sybasepwd");
            System.out.println("connected");
            Statement stmt = con.createStatement();
            ResultSet rs = stmt.executeQuery("select top 1 * from my.table");
            while( rs != null )
            {
                while (rs.next())
                {
                    for( int i = 1;
                         i <= rs.getMetaData().getColumnCount();
                         i++ )
                    {
                        if( i > 1 ) System.out.print(", ");
                        System.out.print(rs.getString(i));
                    }
                    System.out.println();
                }
                if( stmt.getMoreResults() )
                {
                    System.out.println("Hi");
                    rs = stmt.getResultSet();
                }
                else
                {
                    rs.close();
                    rs = null;
                }
            }
            stmt.close();
            con.close();
        }
        catch (Exception e)
        {
            e.printStackTrace();
            System.exit(1);
        }
        System.exit(0);
    }
}

Command line (note: tried with and without "-Djsse.enableCBCProtection=false"):

java -cp .\jconn4.jar;. -Djavax.net.ssl.trustStore=".\cacerts" -Djavax.net.ssl.trustStorePassword=tspwd -Djavax.net.debug=ssl:handshake -Djdk.tls.client.protocols=TLSv1.2 -Dhttps.protocols=TLSv1.2 -Djsse.enableCBCProtection=false JDBCConnect
javax.net.ssl|FINE|01|main|2022-09-12 10:10:23.085 CDT|SSLCipher.java:438|jdk.tls.keyLimits:  entry = AES/GCM/NoPadding KeyUpdate 2^37. AES/GCM/NOPADDING:KEYUPDATE = 137438953472
javax.net.ssl|SEVERE|01|main|2022-09-12 10:10:23.301 CDT|TransportContext.java:316|Fatal (HANDSHAKE_FAILURE): Couldn't kickstart handshaking (
"throwable" : {
  javax.net.ssl.SSLHandshakeException: No appropriate protocol (protocol is disabled or cipher suites are inappropriate)
        at sun.security.ssl.HandshakeContext.<init>(HandshakeContext.java:171)
        at sun.security.ssl.ClientHandshakeContext.<init>(ClientHandshakeContext.java:98)
        at sun.security.ssl.TransportContext.kickstart(TransportContext.java:220)
        at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:428)
        at com.sybase.jdbc4.jdbc.SybSSLSocketFactory.createSocket(SybSSLSocketFactory.java:392)
        at com.sybase.jdbc4.timedio.SocketDbio.doConnect(SocketDbio.java:98)
        at com.sybase.jdbc4.timedio.InStreamMgr.<init>(InStreamMgr.java:109)
        at com.sybase.jdbc4.tds.Tds.login(Tds.java:530)
        at com.sybase.jdbc4.jdbc.SybConnection.tryLogin(SybConnection.java:459)
        at com.sybase.jdbc4.jdbc.SybConnection.handleHAFailover(SybConnection.java:3604)
        at com.sybase.jdbc4.jdbc.SybConnection.<init>(SybConnection.java:372)
        at com.sybase.jdbc4.jdbc.SybConnection.<init>(SybConnection.java:268)
        at com.sybase.jdbc4.jdbc.SybDriver.connect(SybDriver.java:224)
        at java.sql.DriverManager.getConnection(DriverManager.java:664)
        at java.sql.DriverManager.getConnection(DriverManager.java:247)
        at JDBCConnect.main(JDBCConnect.java:11)}

)
javax.net.ssl|FINE|01|main|2022-09-12 10:10:23.304 CDT|SSLSocketImpl.java:1601|close the underlying socket
javax.net.ssl|FINE|01|main|2022-09-12 10:10:23.304 CDT|SSLSocketImpl.java:1620|close the SSL connection (initiative)
java.sql.SQLException: JZ006: Caught IOException: java.io.IOException: JZ0T3 use getCause() to see the error chain
        at com.sybase.jdbc4.jdbc.ErrorMessage.raiseError(ErrorMessage.java:841)
        at com.sybase.jdbc4.jdbc.ErrorMessage.raiseErrorCheckDead(ErrorMessage.java:1174)
        at com.sybase.jdbc4.tds.Tds.handleIOE(Tds.java:5247)
        at com.sybase.jdbc4.tds.Tds.handleIOE(Tds.java:5192)
        at com.sybase.jdbc4.tds.Tds.login(Tds.java:564)
        at com.sybase.jdbc4.jdbc.SybConnection.tryLogin(SybConnection.java:459)
        at com.sybase.jdbc4.jdbc.SybConnection.handleHAFailover(SybConnection.java:3604)
        at com.sybase.jdbc4.jdbc.SybConnection.<init>(SybConnection.java:372)
        at com.sybase.jdbc4.jdbc.SybConnection.<init>(SybConnection.java:268)
        at com.sybase.jdbc4.jdbc.SybDriver.connect(SybDriver.java:224)
        at java.sql.DriverManager.getConnection(DriverManager.java:664)
        at java.sql.DriverManager.getConnection(DriverManager.java:247)
        at JDBCConnect.main(JDBCConnect.java:11)
Caused by: java.io.IOException: JZ0T3
        at com.sybase.jdbc4.jdbc.SybSSLSocketFactory.createSocket(SybSSLSocketFactory.java:397)
        at com.sybase.jdbc4.timedio.SocketDbio.doConnect(SocketDbio.java:98)
        at com.sybase.jdbc4.timedio.InStreamMgr.<init>(InStreamMgr.java:109)
        at com.sybase.jdbc4.tds.Tds.login(Tds.java:530)
        ... 8 more
Caused by: javax.net.ssl.SSLHandshakeException: No appropriate protocol (protocol is disabled or cipher suites are inappropriate)
        at sun.security.ssl.HandshakeContext.<init>(HandshakeContext.java:171)
        at sun.security.ssl.ClientHandshakeContext.<init>(ClientHandshakeContext.java:98)
        at sun.security.ssl.TransportContext.kickstart(TransportContext.java:220)
        at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:428)
        at com.sybase.jdbc4.jdbc.SybSSLSocketFactory.createSocket(SybSSLSocketFactory.java:392)
        ... 11 more

As suggested on another page, I also tried to use some unlimited policy, jce_policy-8, with no luck.

Does anyone know what I'm missing here?

Thank you all in advance.

Ga-M
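Added diagnostic, not part of the original post: in the trace above the exception is raised in HandshakeContext.<init> under TransportContext.kickstart, that is, while the client is still building its own handshake state. The Java sketch below uses an SSLEngine (no network traffic) to show, for each protocol the JVM supports, whether a caller that pins only that protocol with setEnabledProtocols() can start a handshake under the current jdk.tls.disabledAlgorithms setting. The class name TlsProtocolProbe is hypothetical.

```java
import java.security.Security;
import java.util.Arrays;
import java.util.LinkedHashMap;
import java.util.Map;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLException;

// Added example (hypothetical class name): probes which single pinned TLS
// version this JVM will still begin a client handshake with.
public class TlsProtocolProbe
{
    // Returns protocol name -> "OK" or the exception message from beginHandshake().
    static Map<String, String> probe(SSLContext ctx)
    {
        Map<String, String> result = new LinkedHashMap<>();
        for (String proto : ctx.getSupportedSSLParameters().getProtocols())
        {
            SSLEngine engine = ctx.createSSLEngine();
            engine.setUseClientMode(true);
            // Pin exactly one protocol, as a socket factory might do.
            engine.setEnabledProtocols(new String[] { proto });
            try
            {
                // Handshake state is built locally; nothing is sent anywhere.
                engine.beginHandshake();
                result.put(proto, "OK");
            }
            catch (SSLException e)
            {
                result.put(proto, e.getMessage());
            }
        }
        return result;
    }

    public static void main(String[] args) throws Exception
    {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, null, null); // JVM default key and trust managers
        System.out.println("jdk.tls.disabledAlgorithms = "
            + Security.getProperty("jdk.tls.disabledAlgorithms"));
        System.out.println("enabled by default = "
            + Arrays.toString(ctx.getDefaultSSLParameters().getProtocols()));
        for (Map.Entry<String, String> e : probe(ctx).entrySet())
            System.out.println(e.getKey() + " -> " + e.getValue());
    }
}
```

A protocol listed in jdk.tls.disabledAlgorithms reports the same "No appropriate protocol" message seen in the trace, while one that is still permitted reports OK.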