Overview
Details

Problem Scenario


When a client application uses SSLv3 to communicate with a server application using IBM Java 7.0, 7.1, or Java 8.0,
the client application may generated errors similar to:

2016-10-18 13:25:56,040 WARN - 100: Failed to establish connection to the URL
[https://xxxxxxxxxxxxxxxx.com/xxxxxxxx/xxxxxxx] using protocol [TLSv1]
javax.net.ssl.SSLException: Received fatal alert: unexpected_message
at com.ibm.jsse2.j.a(j.java:42)
at com.ibm.jsse2.j.a(j.java:21)
at com.ibm.jsse2.qc.b(qc.java:659)
at com.ibm.jsse2.qc.a(qc.java:396)
at com.ibm.jsse2.qc.h(qc.java:275)
at com.ibm.jsse2.qc.a(qc.java:541)
at com.ibm.jsse2.qc.startHandshake(qc.java:89)
at com.ibm.net.ssl.www2.protocol.https.c.afterConnect(c.java:173)
at com.ibm.net.ssl.www2.protocol.https.d.connect(d.java:63)
at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:1105)
at com.ibm.net.ssl.www2.protocol.https.b.getOutputStream(b.java:47)
at com.mdi.core.https.service.HttpsMessage.Send(HttpsMessage.java:236)
at com.mdi.core.https.service.HttpsMessage.Send(HttpsMessage.java:147)
at com.mdi.core.https.service.HttpsConsumer.processWork(HttpsConsumer.java:24)
at com.mdi.core.workmgmt.Consumer.run(Consumer.java:136)
at java.lang.Thread.run(Thread.java:798)

Solution

SSLv3 is considered insecure and the general trend is to move away from SSLv3 towards TLS 1.0 or higher.
Here is the link to IBM Java protocols and cipher suites on the Knowledge Center website:

https://www.ibm.com/support/knowledgecenter/SSYKE2_7.0.0/com.ibm.java.security.component.70.doc/security-component/jsse2Docs/protocols.html

*If you desire to use an SSLv3 hello to send to a server using IBM Java7, IBM Java7.1, or IBM Java 8, one can use an SSLv3 hello encapsulated in a SSLv2 format hello (see table 1 on the webpage at the link above).


Newer releases of IBM Java 7.0, 7.1, and 8.0 have SSLv3 and weak ciphers disabled by default.

In older releases, these options were enabled by default build were disabled as a result of several
security vulnerabilities such as the Poodle Vulnerability (click here for details associated with the
Poodle CVE, as well as the protocols enabled in the different versions of Java:

https://www-01.ibm.com/support/docview.wss?uid=swg21688165

References

Additional Java Security Documentation:

Here is a link to the Java7 security guide:
http://www.ibm.com/support/knowledgecenter/en/SSYKE2_7.0.0/com.ibm.java.security.component.70.doc/security-component/security-overview.html

Information about IBM SDK policy files:
http://www.ibm.com/support/knowledgecenter/SSYKE2_7.0.0/com.ibm.java.security.component.70.doc/security-component/sdkpolicyfiles.html

Download Unrestricted JCE Policy files:
https://www-01.ibm.com/marketing/iwm/iwm/web/reg/pick.do?source=jcesdk&lang=en_US

Section 5

Section 6

Section 7

Section 8

Section 9

Section 10

Section 11

Section 12

Section 13

Section 14

Section 15

Section 16

Section 17

Section 18

Section 19

Section 20

Section 21

Document Type: Technical Document
Content Type: General
Hardware: all Power
Operating System: all AIX Versions
IBM Java: all Java Versions
Author(s): Christopher C. D. Peters
Reviewer(s): Roger Leuckie
Click here to submit feedback for this document.