Cisco IPS Event Collector fails to collect events and logs an SSLHandshakeException on SSIM 4.8


Article ID: 157881



Security Information Manager


When trying to pull logs over port 443, the Cisco IPS Event Collector terminates the connection with an SSLHandshakeException.


This issue occurs in SSIM 4.8, where Java was upgraded from 1.6.0.x to 1.7.0.x.

  • The Sun/Oracle JRE and OpenJDK do not support SSLv2.
  • However, some SSL/HTTPS servers (in particular the Cisco IPS endpoint that the collector pulls logs from) require the SSL Client Hello message of an SSL handshake to be compatible with SSLv2.
  • Java 6 wraps an SSLv3+ Client Hello into an SSLv2-format message, so the SSLv2Hello client handshake succeeded.
  • In Java 7, the ability to wrap an SSLv3+ Client Hello into an SSLv2-format message is disabled by default. The handshake therefore fails with an SSLHandshakeException, which causes the collector to stop.



  1. Add the below properties to the Agent params in the file:

     -Djsse.enabledSNIExtension\=false -Dhttps.protocols\=SSLv2Hello,TLSv1

  2. Add the property -Djsse.enabledSNIExtension\=false to the end of the System.AgentParams line.

     It would look something like the statement below:
     System.AgentParams=-XX\:NewRatio\=3 -Xmx512m -Dnetworkaddress.cache.ttl\=300 -Djsse.enabledSNIExtension\=false -Dhttps.protocols\=SSLv2Hello,TLSv1

  3. Save the file.
  4. Restart the Event Agent.

The property -Djsse.enabledSNIExtension\=false disables the SNI extension, and -Dhttps.protocols\=SSLv2Hello,TLSv1 re-enables the SSLv2-compatible Client Hello that Java 7 no longer sends by default.
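As an added example (not part of the article), the POSIX shell script below makes the edit from steps 1 to 4 repeatably: it appends the two properties to the System.AgentParams line only when they are not already there. The article does not name the agent parameters file, so the path is passed as an argument, and the sample file content is constructed to mirror the line shown above.

```shell
#!/bin/sh
# Added example: append the two JVM properties to the System.AgentParams line
# of the agent parameters file (path supplied by the caller; the article does
# not name the file). Idempotent: a property already on the line is not added
# a second time. Values keep the backslash-escaped '=' used in .properties files.
SNI_PROP='-Djsse.enabledSNIExtension\=false'
PROTO_PROP='-Dhttps.protocols\=SSLv2Hello,TLSv1'
export SNI_PROP PROTO_PROP

add_agent_params() {
    file="$1"
    # Refuse to touch a file that has no System.AgentParams line at all.
    grep -q '^System\.AgentParams=' "$file" || return 1
    # ENVIRON is used instead of awk -v so the backslashes survive unchanged.
    awk '
        /^System\.AgentParams=/ {
            if (index($0, ENVIRON["SNI_PROP"]) == 0)   $0 = $0 " " ENVIRON["SNI_PROP"]
            if (index($0, ENVIRON["PROTO_PROP"]) == 0) $0 = $0 " " ENVIRON["PROTO_PROP"]
        }
        { print }
    ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# Return the resulting System.AgentParams line so the change can be reviewed.
agent_params_line() {
    grep '^System\.AgentParams=' "$1"
}

# Constructed sample file (not from the article) with the pre-change line.
SAMPLE_FILE="${TMPDIR:-/tmp}/agent_params_example.$$"
cat > "$SAMPLE_FILE" <<'EOF'
System.AgentName=example-agent
System.AgentParams=-XX\:NewRatio\=3 -Xmx512m -Dnetworkaddress.cache.ttl\=300
EOF

add_agent_params "$SAMPLE_FILE"
add_agent_params "$SAMPLE_FILE"   # a second run must not duplicate anything
agent_params_line "$SAMPLE_FILE"
```

After the script runs, restart the Event Agent as in step 4; the file edit alone does not change the running JVM.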