Cisco IPS Event Collector fails to collect events and logs an SSLHandshakeException on SSIM 4.8

Article ID: 157881

Products

Security Information Manager

Issue/Introduction

When the Cisco IPS Event Collector tries to pull logs over port 443, the connection is terminated with an SSLHandshakeException.

Cause

This issue occurs in SSIM 4.8, where Java is upgraded from 1.6.0.x to 1.7.0.x.

  • The Sun/Oracle JRE and OpenJDK do not support SSLv2.
  • However, some SSL/HTTPS servers (in particular the Cisco IPS endpoint that we collect logs from) require the SSL Client Hello message of an SSL handshake to be compatible with SSLv2.
  • Java 6 wraps an SSLv3+ message into an SSLv2 message, so the SSLv2Hello client handshake succeeded.
  • In Java 7, the ability to wrap an SSLv3+ message into an SSLv2 message is disabled by default. This results in an SSLHandshake failure, which causes the collector to stop.

Resolution

  1. Add the properties below to the Agent params in the ses_work.properties file:

     -Djsse.enabledSNIExtension\=false -Dhttps.protocols\=SSLv2Hello,TLSv1

  2. Add them to the end of the System.AgentParams line. The line would then look something like the following:

     System.AgentParams=-XX\:NewRatio\=3 -Xmx512m -Dnetworkaddress.cache.ttl\=300 -Djsse.enabledSNIExtension\=false -Dhttps.protocols\=SSLv2Hello,TLSv1

  3. Save the ses_work.properties file.
  4. Restart the Event Agent.

The property -Djsse.enabledSNIExtension\=false will disable the SNI extension.
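As an added example (not part of this article or of the SSIM product), a small Python helper that applies the two properties above to the System.AgentParams line of ses_work.properties without duplicating them, and a check that confirms they are present afterwards; the sample line is the pre-fix line quoted in this article, and the file name and layout are assumed from it.

```python
# Applies the two Java properties from this article to the System.AgentParams
# line of ses_work.properties, idempotently. Java .properties files escape the
# '=' inside a value as '\=', so the tokens below keep that escaping.
REQUIRED_PROPERTIES = (
    "-Djsse.enabledSNIExtension\\=false",
    "-Dhttps.protocols\\=SSLv2Hello,TLSv1",
)


def _property_key(param):
    # "-Dhttps.protocols\=SSLv2Hello,TLSv1" -> "-Dhttps.protocols"
    return param.split("\\=", 1)[0]


def merge_agent_params(line):
    """Return the System.AgentParams line with the required properties present.

    Existing parameters are kept. A parameter with the same key but a different
    value (for example an older -Dhttps.protocols setting) is replaced rather
    than appended, so the JVM never sees two -D flags for one key.
    """
    key, sep, value = line.partition("=")  # first '=' ends the property name
    params = value.split()
    for required in REQUIRED_PROPERTIES:
        want_key = _property_key(required)
        for i, param in enumerate(params):
            if _property_key(param) == want_key:
                params[i] = required
                break
        else:
            params.append(required)
    return f"{key}{sep}{' '.join(params)}"


def apply_fix(properties_text):
    """Apply merge_agent_params to the System.AgentParams line of a whole file."""
    out, found = [], False
    for line in properties_text.splitlines():
        if line.startswith("System.AgentParams="):
            line, found = merge_agent_params(line), True
        out.append(line)
    if not found:
        raise ValueError("System.AgentParams line not found in ses_work.properties")
    return "\n".join(out) + "\n"


def missing_properties(properties_text):
    """Post-change check: list the required properties still absent."""
    for line in properties_text.splitlines():
        if line.startswith("System.AgentParams="):
            present = set(line.partition("=")[2].split())
            return [p for p in REQUIRED_PROPERTIES if p not in present]
    return list(REQUIRED_PROPERTIES)
```

Run missing_properties on the saved file after step 3 to confirm both tokens are present before restarting the Event Agent.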