{"id":432,"date":"2014-05-05T19:33:26","date_gmt":"2014-05-05T18:33:26","guid":{"rendered":"http:\/\/www.simweb.ch\/blog\/?p=432"},"modified":"2014-05-05T19:33:26","modified_gmt":"2014-05-05T18:33:26","slug":"java-webstart-and-tls-1-0-oh-why","status":"publish","type":"post","link":"https:\/\/www.simweb.ch\/blog\/2014\/05\/java-webstart-and-tls-1-0-oh-why\/","title":{"rendered":"Java WebStart and >= TLS 1.0 &#8211; oh why&#8230;"},"content":{"rendered":"<p>An awful lot of security issues have led Oracle to tighten things when it comes to Java WebStart as it is used in an awful lot of KVM over IP solutions. Some of those systems are even very picky on the Java version used. *blimey*<\/p>\n<p>Now I had those shiny new IBM SystemX x3650 m4 and a x3550 m4 that I was exploring when I was documenting settings for their remote service processor. In IBM (soon Lenovo?) SystemX M4 series this thing is called IMM2 (Integrated Management Module 2) and once you have installed it with a (not so cheap) license key you get a shiny remote KVM ability.<\/p>\n<p>I was unfortunate to look at the documentation and to discover the CLI parameter 'tls':<\/p>\n<pre class=\"brush: bash; gutter: true; first-line: 1\">system&gt; help tls\r\n\r\n  usage:\r\n   tls [-options] - configures the minimum TLS level\r\n   -min &lt;1.0 | 1.1 | 1.2&gt; - Selects the minimum TLS level\r\n   -h - Lists usage and options\r\n\r\nsystem&gt; tls\r\n-min 1.0<\/pre>\n<p>So I thought: \"TLS 1.0 is aging, let's at least bump it to 1.1\". - Until that moment the remote management capability worked pretty well beyond some random Java quirks. 
But unfortunately I tried out a couple of settings so at first it wasn't obvious that it was due to this that Java stopped loading the Avocent KVM over IP applets and I instead got greeted by this:<\/p>\n<pre class=\"brush: bash; gutter: true; first-line: 1\">javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake\r\n\tat sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source)\r\n\tat sun.security.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)\r\n\tat sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)\r\n\tat sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)\r\n\tat sun.net.www.protocol.https.HttpsClient.afterConnect(Unknown Source)\r\n\tat sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(Unknown Source)\r\n\tat sun.net.www.protocol.http.HttpURLConnection.getInputStream(Unknown Source)\r\n\tat sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(Unknown Source)\r\n\tat com.sun.deploy.net.HttpUtils.followRedirects(Unknown Source)\r\n\tat com.sun.deploy.net.BasicHttpRequest.doRequest(Unknown Source)\r\n\tat com.sun.deploy.net.BasicHttpRequest.doGetRequestEX(Unknown Source)\r\n\tat com.sun.deploy.cache.ResourceProviderImpl.checkUpdateAvailable(Unknown Source)\r\n\tat com.sun.deploy.cache.ResourceProviderImpl.isUpdateAvailable(Unknown Source)\r\n\tat com.sun.deploy.cache.ResourceProviderImpl.getResource(Unknown Source)\r\n\tat com.sun.deploy.cache.ResourceProviderImpl.getResource(Unknown Source)\r\n\tat com.sun.javaws.LaunchDownload$DownloadTask.call(Unknown Source)\r\n\tat java.util.concurrent.FutureTask.run(Unknown Source)\r\n\tat java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)\r\n\tat java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)\r\n\tat java.lang.Thread.run(Unknown Source)\r\nCaused by: java.io.EOFException: SSL peer shut down incorrectly\r\n\tat sun.security.ssl.InputRecord.read(Unknown Source)\r\n\t... 
20 more<\/pre>\n<p>OK, why did that happen - I thought TLS 1.1 was supported by Java 7 for some time now - right?<\/p>\n<ul>\n<li>Java 6 did only support up to TLS 1.0<\/li>\n<li>Java 7 (at least up to Update 55) did add support for TLS 1.1 and TLS 1.2 but actually never enabled them by default<br \/>\nIf you want to enable them, open the Java Control Panel (javacpl) and enable the newer TLS versions<\/li>\n<li>Java 8 seemingly <a href=\"https:\/\/bugs.openjdk.java.net\/browse\/JDK-7093640\">comes with TLS 1.1\/1.2 enabled by default<\/a><\/li>\n<\/ul>\n<p>If I had properly read the error message (*dou*) I would have far more quickly realized where to look.<\/p>\n<p>Currently you have to either set IMM2's TLS version minimum to 1.0 (default) or fix your Java to allow newer TLS versions.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>An awful lot of security issues have led Oracle to tighten things when it comes to Java WebStart as it is used in an awful lot of KVM over IP solutions. Some of those systems are even very picky on the Java version used. 
*blimey* Now I had those shiny new IBM SystemX x3650 m4 &#8230; <a class=\"moretag\" href=\"https:\/\/www.simweb.ch\/blog\/2014\/05\/java-webstart-and-tls-1-0-oh-why\/\">more<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_crdt_document":"","footnotes":""},"categories":[1],"tags":[],"class_list":["post-432","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"_links":{"self":[{"href":"https:\/\/www.simweb.ch\/blog\/wp-json\/wp\/v2\/posts\/432","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.simweb.ch\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.simweb.ch\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.simweb.ch\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.simweb.ch\/blog\/wp-json\/wp\/v2\/comments?post=432"}],"version-history":[{"count":0,"href":"https:\/\/www.simweb.ch\/blog\/wp-json\/wp\/v2\/posts\/432\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.simweb.ch\/blog\/wp-json\/wp\/v2\/media?parent=432"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.simweb.ch\/blog\/wp-json\/wp\/v2\/categories?post=432"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.simweb.ch\/blog\/wp-json\/wp\/v2\/tags?post=432"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}