SSL exception Handshake failure for OAuth

Article ID: 196305

Products

CA Single Sign On Secure Proxy Server (SiteMinder)
CA Single Sign On Agents (SiteMinder)
CA Single Sign On Federation (SiteMinder)
SITEMINDER

Issue/Introduction

Dear Support Team,

We have an application which uses OIDC/OAuth with Siteminder. Upon accessing the application it gives a "500 - Internal Error occurred while trying to process the request" error. When we search the logs, we see the handshake failure SSL exception below. There is another environment for the same application integrated with Siteminder, but it's working fine. It uses the same SSL certificate and both these environments are integrated with the same Siteminder environment. We don't have a clue why this is happening. Need your help in understanding and resolving this issue.

[06/23/2020][09:46:00][1520][7064][15fe9356-88a04148-4b6b6db4-c5414440-f7c87c9e-60ad][MessageDispatcher.java][dispatchMessage][Exception: javax.net.ssl.SSLException: Fatal Alert received: Handshake Failure. at com.rsa.sslj.x.aG.a(Unknown Source) at com.rsa.sslj.x.aG.a(Unknown Source) at com.rsa.sslj.x.aG.a(Unknown Source) at com.rsa.sslj.x.ap.c(Unknown Source) at com.rsa.sslj.x.ap.a(Unknown Source) at com.rsa.sslj.x.ap.i(Unknown Source) at com.rsa.sslj.x.ap.h(Unknown Source) at com.rsa.sslj.x.aR.startHandshake(Unknown Source) at com.rsa.ssl.SSLSocket.getOutputStream(Unknown Source) at com.netegrity.srca.connection.SSLHandler.startSession(SSLHandler.java:339) at com.netegrity.srca.Srca.invoke(Srca.java:336) at com.netegrity.srca.Srca.invoke(Srca.java:269) at com.netegrity.srca.Srca.invoke(Srca.java:362) at com.netegrity.srca.Srca.invoke(Srca.java:269) at com.netegrity.srca.Srca.invoke(Srca.java:362) at com.netegrity.srca.Srca.invoke(Srca.java:269) at com.netegrity.srca.Srca.invoke(Srca.java:362) at com.netegrity.srca.Srca.invoke(Srca.java:269) at com.netegrity.srca.Srca.invoke(Srca.java:362) at com.netegrity.srca.Srca.invoke(Srca.java:269) at com.netegrity.srca.Srca.invoke(Srca.java:362) at com.netegrity.affiliateminder.webservices.MessageDispatcher.a(DashoA10*..:423)

Thanks
Madan

Cause

The following WEAK ciphers had been removed from the environment:

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA(0xc014)
TLS_DHE_RSA_WITH_AES_256_CBC_SHA(0x39)
TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA
TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_AES_256_CCM_8
TLS_RSA_WITH_AES_256_CCM
TLS_RSA_WITH_ARIA_256_GCM_SHA384
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_128_CCM_8
TLS_RSA_WITH_AES_128_CCM
TLS_RSA_WITH_ARIA_128_GCM_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_CAMELLIA_128_CBC_SHA
TLS_DHE_RSA_WITH_SEED_CBC_SHA
TLS_RSA_WITH_SEED_CBC_SHA


Environment

Release : 12.8.03

Component : SITEMINDER - WEB AGENT FOR APACHE

Resolution

The following weak cipher needed to be added back to get Siteminder with OAuth to work again:

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA

###### SUMMARY ######

Removing 'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA' is not supported. This cipher suite is used in the core layer through which all OAuth back-channel communication takes place.

Disabling it will cause that functionality to fail.
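The failure above is easy to spot in hindsight but hard to pin down when a cipher hardening change was made weeks earlier. The following script is an added example, not code from CA/Broadcom or from this article: it parses log lines in the bracketed format shown in the Issue section, flags SSLException handshake failures together with their transaction ID and the first SiteMinder-side stack frame, and then compares a configured cipher-suite list against the suites the article says the OAuth back-channel requires. The cipher names are normalised first (case-insensitive, trailing hex IDs such as `(0xc014)` stripped) so that the inconsistently written names seen in hardening change lists still match. The `CONFIGURED_AFTER_HARDENING` list, the first log line and the function names are constructed for the example; the second log line is abridged from the article.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Bracketed SiteMinder federation/OAuth log layout (as seen in the article):
# [date][time][pid][tid][txid][source file][method][message]
# The message field may or may not carry a closing "]" at end of line.
_PREFIX = re.compile(r"^" + r"\[([^\]]*)\]" * 7 + r"\[(.*?)\]?$")
_ALERT = re.compile(r"javax\.net\.ssl\.SSLException: Fatal Alert received: ([A-Za-z ]+?)\.")
_SM_FRAME = re.compile(r"\bat (com\.netegrity\.\S+)\(")
_CIPHER_HEX_ID = re.compile(r"\(0x[0-9a-fA-F]+\)$")


@dataclass
class LogRecord:
    date: str
    time: str
    pid: str
    tid: str
    txid: str
    source: str
    method: str
    message: str


def parse_line(line: str) -> Optional[LogRecord]:
    """Split one bracketed log line into its fields; None if it does not match."""
    m = _PREFIX.match(line.rstrip("\n"))
    return LogRecord(*m.groups()) if m else None


def find_handshake_failures(log_text: str) -> List[Dict[str, str]]:
    """Return one record per SSL 'Fatal Alert received' handshake failure.

    Each record keeps the transaction ID (to correlate with the 500 seen by
    the user), the alert text and the first SiteMinder-side frame so the
    reviewer can tell which component opened the failing TLS session.
    """
    failures = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        alert = _ALERT.search(rec.message)
        if not alert:
            continue
        frame = _SM_FRAME.search(rec.message)
        failures.append({
            "date": rec.date,
            "time": rec.time,
            "txid": rec.txid,
            "alert": alert.group(1),
            "siteminder_frame": frame.group(1) if frame else "",
        })
    return failures


def normalize_cipher(name: str) -> str:
    """Canonical IANA-style spelling: upper case, no trailing '(0x..)' id."""
    return _CIPHER_HEX_ID.sub("", name.strip()).upper()


def missing_required(configured: List[str], required: List[str]) -> List[str]:
    """Required suites (normalised) that are absent from the configured list."""
    have = {normalize_cipher(c) for c in configured}
    return [normalize_cipher(r) for r in required if normalize_cipher(r) not in have]


# Suite the article identifies as mandatory for the OAuth back-channel.
REQUIRED_FOR_OAUTH = ["TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA"]

# Constructed example of what a hardened cipher list might look like after
# the CBC suites were removed (not taken from the article).
CONFIGURED_AFTER_HARDENING = [
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
]

# Line 1 is constructed; line 2 is abridged from the article's stack trace.
SAMPLE_LOG = """\
[06/23/2020][09:45:58][1520][7064][15fe9356-88a04148-4b6b6db4-c5414440-f7c87c9e-60ad][MessageDispatcher.java][dispatchMessage][Dispatching message to backchannel endpoint]
[06/23/2020][09:46:00][1520][7064][15fe9356-88a04148-4b6b6db4-c5414440-f7c87c9e-60ad][MessageDispatcher.java][dispatchMessage][Exception: javax.net.ssl.SSLException: Fatal Alert received: Handshake Failure. at com.rsa.sslj.x.aG.a(Unknown Source) at com.netegrity.srca.connection.SSLHandler.startSession(SSLHandler.java:339)
"""


def diagnose(log_text: str, configured: List[str], required: List[str]) -> Dict[str, object]:
    """Combine both checks: failures seen in the log plus suites that explain them."""
    return {
        "handshake_failures": find_handshake_failures(log_text),
        "missing_required_ciphers": missing_required(configured, required),
    }


if __name__ == "__main__":
    report = diagnose(SAMPLE_LOG, CONFIGURED_AFTER_HARDENING, REQUIRED_FOR_OAUTH)
    for f in report["handshake_failures"]:
        print(f"{f['date']} {f['time']} txid={f['txid']} alert={f['alert']} via {f['siteminder_frame']}")
    print("missing required suites:", report["missing_required_ciphers"])
```

Run against a real log, the first check tells you how many transactions failed and when the failures started; the second, run against the cipher list exported from the hardened configuration, tells you whether the required suite was one of the ones removed. Re-running `missing_required` after the suite is added back should return an empty list.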