SSL handshake failure during reverse replication in VCDA 4.6 due to TLS version incompatibility
Article ID: 389027

Products

VMware Cloud Director

Issue/Introduction

  • This issue, commonly seen in VCDA 4.6, involves a failed reverse replication for a failed-over VM, accompanied by the error message "generic error during SSL handshake."
  • It is typically caused by a TLS version incompatibility, which disrupts the secure SSL communication between the appliances involved in the replication.
  • You may see a similar error in the cloud log, as shown below:

2025-01-29 11:34:17.840 WARN - org.apache.tomcat.util.net.SSLUtilBase:
"The JSSE TLS 1.3 implementation does not support post-handshake authentication (PHA) and is incompatible with optional certificate authentication"

Note: The preceding log excerpts are only examples. Date, time, and environmental variables may vary depending on your environment.

Environment

VMware Cloud Director Availability 4.6.x

Cause

The root cause is a TLS version incompatibility between the appliances involved in replication. The incompatibility occurs when post-handshake authentication is not supported, or when a TLS version mismatch prevents a secure SSL connection from being established. VCDA 4.6 users may experience this issue when newer TLS versions (such as TLS 1.3) are used, since they may not be fully supported across all appliances.

Resolution

To resolve the SSL handshake error:

Check SSL/TLS Configuration:

  • Modify the SSL/TLS settings to either disable post-handshake authentication or switch to a compatible authentication method.
  • Alternatively, downgrade to TLS 1.2, which supports post-handshake authentication and is widely compatible.

To downgrade the SSL/TLS version, follow these steps:

For the Manager Appliance:

  • SSH into the manager appliance.
  • Stop the cloud and manager services:

      systemctl stop cloud.service manager.service

  • Edit the application.properties files located at /opt/vmware/h4/cloud/config/application.properties and /opt/vmware/h4/manager/config/application.properties.
  • Add the following line below the existing commented-out line:

      https.endpoint.protocols=TLSv1.2

  • Reload the systemd daemon and restart the services:

      systemctl daemon-reload
      systemctl restart cloud.service manager.service

For Replicator & Tunnel Appliances:

  • SSH into the respective appliance.
  • Edit the corresponding configuration file:
      For the Tunnel Appliance: /opt/vmware/h4/tunnel/config/application.properties
      For the Replicator Appliance: /opt/vmware/h4/replicator/config/application.properties
  • Add the following line below the existing commented-out line:

      https.endpoint.protocols=TLSv1.2

  • Reload the systemd daemon and restart the service:

      systemctl daemon-reload
      systemctl restart tunnel.service (or replicator.service)

Log into the Provider Portal and verify that no SSL handshake errors persist.
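As an added example (not VMware's code), a small POSIX shell helper that applies the property change from the steps above idempotently and, once the service has been restarted, confirms with openssl s_client that the listener refuses TLS 1.3 and completes TLS 1.2. The property name comes from this article; the shape of the commented-out template line and the host:port argument are assumptions.

```shell
#!/bin/sh
# Added example, not part of the VCDA appliance tooling.
# Usage: sh pin_tls12.sh /opt/vmware/h4/manager/config/application.properties [host:port]
# Assumption: the commented-out template line looks like "#https.endpoint.protocols=...".
set -eu

# Ensure exactly one active "https.endpoint.protocols=TLSv1.2" line in the file $1.
# An existing uncommented line is rewritten in place; otherwise the line is inserted
# directly below the commented-out template, or appended at EOF if no template exists.
pin_tls12() {
    f="$1"
    if grep -q '^https\.endpoint\.protocols=' "$f"; then
        sed -i 's/^https\.endpoint\.protocols=.*/https.endpoint.protocols=TLSv1.2/' "$f"
    elif grep -q '^#[[:space:]]*https\.endpoint\.protocols' "$f"; then
        sed -i '/^#[[:space:]]*https\.endpoint\.protocols/a https.endpoint.protocols=TLSv1.2' "$f"
    else
        printf '\nhttps.endpoint.protocols=TLSv1.2\n' >> "$f"
    fi
}

# Return 0 only when the file has exactly one active line pinning TLSv1.2.
tls12_pinned() {
    [ "$(grep -c '^https\.endpoint\.protocols=TLSv1\.2$' "$1")" -eq 1 ]
}

# Post-restart check against the appliance listener ($1 = host:port).
# TLS 1.3 must now be refused and a TLS 1.2 handshake must complete.
verify_listener() {
    if openssl s_client -connect "$1" -tls1_3 </dev/null >/dev/null 2>&1; then
        echo "FAIL: $1 still negotiates TLS 1.3"
        return 1
    fi
    openssl s_client -connect "$1" -tls1_2 </dev/null 2>/dev/null \
        | grep -q 'Protocol *: TLSv1.2' && echo "OK: $1 negotiates TLS 1.2 only"
}

if [ "$#" -ge 1 ]; then
    pin_tls12 "$1"
    tls12_pinned "$1" && echo "pinned TLSv1.2 in $1"
    if [ "$#" -ge 2 ]; then
        verify_listener "$2"
    fi
fi
```

Run the verification only after `systemctl daemon-reload` and the service restart, otherwise the listener still reflects the old settings.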
