0 Replies Latest reply on Nov 4, 2014 5:11 PM by Dimitri Sudjin

    BSA 8.5.01 Patch 2 web services fail from Windows Server

    Dimitri Sudjin

      The BSA environment is on 8.5.01 Patch 2. This is not an issue on 8.3.03, because TLS v1.2 is not used.


      All attempts to establish a TLS v1.2 connection from a Microsoft .NET development or runtime environment on Windows 2012 R2 Server Standard Edition to BBSA web services on port 9843 result in a handshake failure. For example, as a simple test, if Internet Explorer with TLS 1.2 enabled is used to retrieve WSDL via a call to https://xxx.xxx.xxx.xxx:9843/services/CLITunnelService?wsdl, a Wireshark trace reveals that a handshake failure has occurred. If a Firefox browser is used to access the same URL from the same client, the connection is successfully established using TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039) cipher suite. This suite is not supported by Windows when TLS v1.2 is used.


      Because of well-known security vulnerabilities of TLS v1.0, we would like to retain TLS v1.2 on BBSA.

      Could anyone share information on the Tomcat configuration in this release and which ciphers are enabled? Are any of these supported by Windows SCHANNEL on Windows 2012 R2? If not, Microsoft development is disabled by this issue.
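As an added illustration (not part of the original post or of BSA/Tomcat), the following Python code decodes the first TLS record a server returns after the ClientHello, which is what the Wireshark trace above shows: either a ServerHello naming the negotiated suite (0x0039 in the Firefox case) or a fatal handshake_failure alert (the Internet Explorer / .NET case). The suite-name table and the sample records are constructed here for the demonstration; only 0x0039 comes from the post.

```python
import struct

# Cipher suite codes -> IANA names. 0x0039 is the suite named in the post;
# the others are common TLS 1.2 suites added for illustration.
SUITE_NAMES = {
    0x0039: "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0xC014: "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
}
VERSION_NAMES = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}
HANDSHAKE_FAILURE = 40  # AlertDescription value for handshake_failure

def parse_server_record(record: bytes) -> dict:
    """Decode one TLS record (type, version, length, payload) from the server."""
    if len(record) < 5:
        raise ValueError("truncated record header")
    ctype, _rec_ver, length = struct.unpack("!BHH", record[:5])
    body = record[5:5 + length]
    if len(body) != length:
        raise ValueError("truncated record body")
    if ctype == 21:  # Alert protocol: level(1) description(1)
        level, desc = body[0], body[1]
        return {"kind": "alert",
                "level": "fatal" if level == 2 else "warning",
                "description": "handshake_failure" if desc == HANDSHAKE_FAILURE
                else "alert(%d)" % desc}
    if ctype == 22 and body[0] == 2:  # Handshake protocol, msg_type 2 = ServerHello
        hs_len = int.from_bytes(body[1:4], "big")
        hello = body[4:4 + hs_len]
        version = struct.unpack("!H", hello[:2])[0]  # then 32 bytes of random
        sid_len = hello[34]                            # session_id length
        suite = struct.unpack("!H", hello[35 + sid_len:37 + sid_len])[0]
        return {"kind": "server_hello",
                "version": VERSION_NAMES.get(version, hex(version)),
                "suite": suite,
                "name": SUITE_NAMES.get(suite, "unknown suite")}
    raise ValueError("unexpected record type %d" % ctype)

def make_server_hello(suite: int, version: int = 0x0303) -> bytes:
    """Constructed sample: minimal ServerHello record with an empty session id."""
    hello = struct.pack("!H", version) + b"\x00" * 32 + b"\x00" + struct.pack("!H", suite) + b"\x00"
    handshake = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x03" + struct.pack("!H", len(handshake)) + handshake

# Constructed sample: fatal (2) handshake_failure (40) alert, as seen from the Windows client.
ALERT_HANDSHAKE_FAILURE = b"\x15\x03\x03\x00\x02\x02\x28"

if __name__ == "__main__":
    print(parse_server_record(make_server_hello(0x0039)))
    print(parse_server_record(ALERT_HANDSHAKE_FAILURE))
```

Feed it the raw bytes of the server's first record exported from Wireshark to confirm which of the two outcomes a given client hits.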