I am in the middle of a project to update my application's code base from Java 1.6 to Java 1.8, and something I did is causing the following error when I try to connect to the database:
DataSource Configuration: DSRA8040I: Failed to connect to the DataSource jdbc/TIRDB. Encountered java.sql.SQLException: The driver could not establish a secure connection to SQL Server by using Secure Sockets Layer (SSL) encryption. Error: "SQL Server did not return a response. The connection has been closed. ". DSRA0010E: SQL State = 08S01, Error Code = 0.
I am using Websphere 8.5.5.9 and sqljdbc4, and the database was recently updated to SQL server 2017.
Solutions I have already tried:
- adding "-Dcom.ibm.jsse2.overrideDefaultTLS=true" to the JVM arguments
- updating the sqljdbc driver to 8.4
- Modifying the java.security file to remove 3DES_EDE_CBC
If I've left out any important information please let me know, I can edit the post.
EDIT:
I added the following JVM command to gain more information: -Djavax.net.debug=ssl:handshake:verbose
In the logs I see the following information:
[1/19/21 12:20:43:698 CST] 0000004a SystemOut O *** ClientHello, TLSv1 [1/19/21 12:20:43:698 CST] 0000004a SystemOut O RandomCookie: GMT: 1611080187 bytes = { 202, 165, 173, 127, 167, 84, 140, 203, 125, 176, 234, 88, 28, 249, 55, 235, 125, 139, 218, 189, 60, 181, 119, 214, 251, 102, 209, 42 } [1/19/21 12:20:43:700 CST] 0000004a SystemOut O Session ID: {} [1/19/21 12:20:43:700 CST] 0000004a SystemOut O Cipher Suites: [TLS_EMPTY_RENEGOTIATION_INFO_SCSV, SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_AES_128_CBC_SHA, SSL_ECDH_ECDSA_WITH_AES_128_CBC_SHA, SSL_ECDH_RSA_WITH_AES_128_CBC_SHA, SSL_DHE_RSA_WITH_AES_128_CBC_SHA, SSL_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA] [1/19/21 12:20:43:700 CST] 0000004a SystemOut O Compression Methods: { 0 } [1/19/21 12:20:43:700 CST] 0000004a SystemOut O Extension elliptic_curves, curve names: {secp256r1, secp192r1, secp224r1, secp384r1, secp521r1, secp160k1, secp160r1, secp160r2, secp192k1, secp224k1, secp256k1} [1/19/21 12:20:43:700 CST] 0000004a SystemOut O Extension ec_point_formats, formats: [uncompressed] [1/19/21 12:20:43:700 CST] 0000004a SystemOut O *** [1/19/21 12:20:43:701 CST] 0000004a SystemOut O server.startup : 2, WRITE: TLSv1 Handshake, length = 109 [1/19/21 12:20:43:730 CST] 0000004a SystemOut O server.startup : 2, called close() [1/19/21 12:20:43:730 CST] 0000004a SystemOut O server.startup : 2, called closeInternal(true) [1/19/21 12:20:43:730 CST] 0000004a SystemOut O server.startup : 2, SEND TLSv1.2 ALERT: warning, description = close_notify [1/19/21 12:20:43:730 CST] 0000004a SystemOut O server.startup : 2, WRITE: TLSv1.2 Alert, length = 2 [1/19/21 12:20:43:730 CST] 0000004a SystemOut O server.startup : 2, called closeSocket(true) [1/19/21 12:20:43:730 CST] 0000004a SystemOut O server.startup : 2, waiting for close_notify or alert: state 5 [1/19/21 12:20:43:731 CST] 0000004a SystemOut O server.startup : 2, received EOFException: ignored [1/19/21 12:20:43:731 CST] 0000004a SystemOut O server.startup : 2, called closeInternal(false) [1/19/21 12:20:43:731 CST] 0000004a SystemOut O server.startup : 2, close invoked again; state = 5 [1/19/21 12:20:43:731 CST] 0000004a SystemOut O server.startup : 2, handling exception: java.io.IOException: SQL Server did not return a response. The connection has been closed. ClientConnectionId:e3180c28-baa6-4741-8359-008575b697b3 [1/19/21 12:20:43:731 CST] 0000004a SystemOut O server.startup : 2, called closeSocket() Blockquote
I think this indicates my server is still using TLSv1, even though the database is set up to only accept TSL1.2. I have tried adding JVM commands -Djdk.tls.client.protocols=TLSv1.2 and -Dhttps.protocols=TLSv1.2 to force it to use TLSv1.2 but it did not change.