IBM Java and TLS

0 votes
Our Java application runs on WebSphere 8.5.5 and IBM Java 1.8. When attempting to connect to OneSpan, the TLS cipher negotiation is resulting in dropping down to TLS 1, which OneSpan then rejects. So in the Java SDK, com.silanis.esl.sdk.internal.Client.java

    protected SSLConnectionSocketFactory buildSSLSocketFactory() throws HttpException {

        try {

            SSLContext sslContext = SSLContext.getInstance("SSL");

is causing TLS negotiation to fail on the IBM Java runtime. There is a workaround here; however, this affects ALL apps running on the appserver. It seems the behaviour is the same for "SSL" and "TLS". Ideally the protocol enabled would be configurable in some manner, as the JDK won't work on the IBM JDK with default settings. This doesn't appear to be the case, but I could be missing something. Hard to imagine there aren't folks calling OneSpan from WebSphere on the IBM Java runtime... Might there be an alternative to the above flag, or rebuilding the library ourselves specifying

    SSLContext sslContext = SSLContext.getInstance("TLSv1.2");

?

Thanks, Rob

Reply to: IBM Java and TLS

0 votes
Hi Rob,

I need some time to reproduce the same environment as you have, but if you want to change the SDK source code and have a quick try at potential fixes (although it's not really suggested), you don't actually need to rebuild the SDK jar. You can create the same package with the same class name, copy and paste all the code from the original class, and then make the modification. Your local customized class will have a higher priority for the JVM. See the screenshot below:

In the buildSSLSocketFactory() function, you can also give the code below a try:

//  SSLContext sslContext = SSLContexts.createDefault();
//  SSLConnectionSocketFactory sslsf = new SSLConnectionSocketFactory(sslContext,
//          new String[]{"TLSv1.2"},
//          null,
//          SSLConnectionSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER);

Tell me whether this works for you! I will also have a try on my side.

Duo

Duo Liang OneSpan Evangelism and Partner Integrations Developer
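
An added example, not part of the thread and not OneSpan SDK code: a JDK-only check that prints which protocols each SSLContext name from the posts above enables by default on the running JVM, then builds per-connection parameters pinned to TLS 1.2. Unlike ALLOW_ALL_HOSTNAME_VERIFIER in the snippet above, which turns off hostname checking, the pinned parameters keep it on. The class and method names (TlsDefaultsCheck, defaultProtocols, tls12Only) are hypothetical.

```java
import java.security.GeneralSecurityException;
import java.util.Arrays;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;

public class TlsDefaultsCheck {

    // Protocols a client socket from this context offers when the caller sets nothing.
    static String[] defaultProtocols(String contextName) throws GeneralSecurityException {
        SSLContext ctx = SSLContext.getInstance(contextName);
        ctx.init(null, null, null); // default key managers, trust managers and RNG
        return ctx.getDefaultSSLParameters().getProtocols();
    }

    // Per-connection parameters pinned to TLS 1.2, with hostname checking left on.
    // Apply to a socket with SSLSocket.setSSLParameters(...) before the handshake.
    static SSLParameters tls12Only(SSLContext ctx) {
        SSLParameters params = ctx.getDefaultSSLParameters();
        params.setProtocols(new String[] {"TLSv1.2"});
        params.setEndpointIdentificationAlgorithm("HTTPS"); // verify the server name
        return params;
    }

    public static void main(String[] args) throws GeneralSecurityException {
        System.out.println(System.getProperty("java.vendor") + " "
                + System.getProperty("java.version"));

        // The three context names that appear in the thread.
        for (String name : new String[] {"SSL", "TLS", "TLSv1.2"}) {
            try {
                System.out.println(name + " -> " + Arrays.toString(defaultProtocols(name)));
            } catch (GeneralSecurityException e) {
                System.out.println(name + " -> unavailable: " + e.getMessage());
            }
        }

        SSLContext ctx = SSLContext.getInstance("TLSv1.2");
        ctx.init(null, null, null);
        SSLParameters pinned = tls12Only(ctx);
        System.out.println("pinned -> " + Arrays.toString(pinned.getProtocols())
                + ", endpoint identification: "
                + pinned.getEndpointIdentificationAlgorithm());
    }
}
```

Running it with the same JVM and options as the application server shows whether a given context name offers TLSv1.2 before any SDK class is changed.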

Reply to: IBM Java and TLS

0 votes
Thanks, definitely something to try.
