Domino on Linux/Unix, Troubleshooting, Best Practices, Tips and more ...

 
Daniel Nashed

 

Traveler server not connecting to Microsoft SQL Server using only TLS 1.2

Daniel Nashed  9 April 2019 07:32:46


There is a new issue that Detlev Pöttgen has already reported on in detail on his blog, including the work-around:
--> https://www.netzgoetter.net/internet/blogs/netzgoetter.nsf/dx/traveler-ha-running-on-ms-sql-server-issue-with-tls-1.2.htm

Current MS SQL Server versions only support TLS 1.2, and the JDBC driver used on the Traveler server does not open a TLS 1.2 session by default.

This affects both Traveler configuration with travelerutil and the operation of your server -- as soon as the SQL Server is updated to a version that supports TLS 1.2 only!

(Original IBM technote for reference --> https://www.ibm.com/support/docview.wss?uid=ibm10871764 ).

Detlev's post contains the details of the work-around, which changes the default to allow TLS 1.2.

The error message shown is:


com.microsoft.sqlserver.jdbc.SQLServerException: The driver could not establish a secure connection to SQL Server by using Secure Sockets Layer (SSL) encryption


-- Some more technical details --

I was very surprised when looking into it. The underlying issue is an IBM JVM issue in combination with the way the application uses the TLS connection.
I recall from previous tests (when we got TLS 1.0 and 1.2 for Domino 9.0.1 Fixpacks) that the IBM JVM was already using TLS 1.2.
So it isn't a general issue, but an issue with the wrong default settings in combination with the way the application is written.

In this case what is probably happening is that the current Microsoft SQL JDBC driver is using the "TLS" constant, which by default only enables TLS 1.0 on the IBM JVM!!

The Oracle JVM enables TLS 1.0/1.1/1.2 by default when "TLS" is specified, but the IBM JVM in contrast enables only TLS 1.0.

https://www.ibm.com/support/knowledgecenter/en/SSYKE2_8.0.0/com.ibm.java.security.component.80.doc/security-component/jsse2Docs/matchsslcontext_tls.html

So this isn't directly a Traveler issue, nor can it be fixed by Traveler (unless there is a way to tell the JDBC driver explicitly to use TLS 1.2 -- I did not find any such setting yet).
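To see this behaviour on your own server rather than take it on trust, here is a small diagnostic I am adding to this post (it is not code from Traveler, from the JDBC driver or from IBM). It builds a client-side engine from each SSLContext label listed in the IBM table below, exactly the way a generic driver would (context from the label, default key and trust managers), and reports which protocol versions that engine enables; a row without TLSv1.2 is one that cannot complete a handshake against a TLS-1.2-only SQL Server. It also shows what an application can do regardless of the JVM default: call setEnabledProtocols() itself. The system property com.ibm.jsse2.overrideDefaultTLS that the program prints is taken from my reading of the IBM documentation linked above, not from anything in this post, so treat its name as an assumption to verify against that page.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import java.security.KeyManagementException;
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;

/**
 * Diagnostic for the issue described above: which protocol versions a
 * client-side TLS engine actually enables for a given SSLContext label on the
 * JVM this program runs on. Run it with the same JVM that Traveler uses.
 */
public class TlsLabelCheck {

    // Labels from the IBM table; "TLS" is the one the JDBC driver is believed to use.
    static final String[] LABELS = {"SSL", "TLS", "TLSv1", "TLSv1.1", "TLSv1.2", "SSL_TLS", "SSL_TLSv2"};

    /** Builds a client-mode engine the way a generic driver would: context from the label, default managers. */
    static SSLEngine clientEngine(String label) throws NoSuchAlgorithmException, KeyManagementException {
        SSLContext ctx = SSLContext.getInstance(label);
        ctx.init(null, null, null);      // default key managers and default trust store
        SSLEngine engine = ctx.createSSLEngine();
        engine.setUseClientMode(true);   // the JDBC driver is the TLS client
        return engine;
    }

    /** Protocol versions the JVM enables by default for this label. */
    static String[] defaultProtocols(String label) throws NoSuchAlgorithmException, KeyManagementException {
        return clientEngine(label).getEnabledProtocols();
    }

    /** True if a server that accepts only TLS 1.2 could complete a handshake with this list. */
    static boolean offersTls12(String[] protocols) {
        return Arrays.asList(protocols).contains("TLSv1.2");
    }

    /**
     * What an application can do independently of the JVM default: restrict the
     * engine to TLS 1.2 explicitly. This only helps if the application (here: the
     * driver) actually exposes such a setting to its caller.
     */
    static SSLEngine tls12OnlyEngine(String label) throws NoSuchAlgorithmException, KeyManagementException {
        SSLEngine engine = clientEngine(label);
        engine.setEnabledProtocols(new String[] {"TLSv1.2"});
        return engine;
    }

    public static void main(String[] args) {
        System.out.println("java.vendor  = " + System.getProperty("java.vendor"));
        System.out.println("java.version = " + System.getProperty("java.version"));
        // IBM JSSE2 property name taken from the IBM documentation linked in the post (assumption, not from the post text)
        System.out.println("com.ibm.jsse2.overrideDefaultTLS = "
                + System.getProperty("com.ibm.jsse2.overrideDefaultTLS"));
        System.out.println();

        for (String label : LABELS) {
            try {
                String[] protocols = defaultProtocols(label);
                System.out.printf("%-10s enables %s%s%n", label, Arrays.toString(protocols),
                        offersTls12(protocols) ? "" : "   <-- would fail against a TLS-1.2-only SQL Server");
            } catch (NoSuchAlgorithmException e) {
                // Oracle/OpenJDK do not know the IBM-specific labels such as SSL_TLSv2
                System.out.printf("%-10s is not a known label on this JVM%n", label);
            } catch (KeyManagementException e) {
                System.out.printf("%-10s could not be initialised: %s%n", label, e.getMessage());
            }
        }

        try {
            System.out.println();
            System.out.println("\"TLS\" context explicitly restricted by the application: "
                    + Arrays.toString(tls12OnlyEngine("TLS").getEnabledProtocols()));
        } catch (Exception e) {
            // setEnabledProtocols throws IllegalArgumentException if TLSv1.2 is not even supported
            System.out.println("Could not build a TLS 1.2-only engine: " + e.getMessage());
        }
    }
}
```

Compile with javac and run it once with the Traveler server's java binary as-is; on the IBM JVM the "TLS" row is expected to show only TLSv1 (plus the "SSL" row showing SSLv3 or nothing). If the override property from the IBM documentation is correct, running the same class a second time with -Dcom.ibm.jsse2.overrideDefaultTLS=true should make the "TLS" row include TLSv1.1 and TLSv1.2, which is the quickest way to confirm on your own system that the driver's connection failure is the JVM default and not a certificate or network problem.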

The following table still seems to apply; I haven't tested it in detail.
But it's not clear how they will address this issue, because it's more a JDBC driver / IBM JDK issue.

IMHO the IBM JVM should be fixed to use TLS 1.2 by default, because this might also cause issues in other applications implemented in the same way.

-- Daniel



Source: https://www.ibm.com/support/knowledgecenter/en/SSYKE2_7.1.0/com.ibm.java.security.component.71.doc/security-component/jsse2Docs/disablesslv3.html

| Protocol label | Protocol enabled before the fix                              | Protocol enabled after the fix                                            |
|----------------|--------------------------------------------------------------|---------------------------------------------------------------------------|
| SSL            | SSL V3.0                                                     | Server: TLS V1.0, TLS V1.1 and TLS V1.2 protocols. Client: TLS V1.0 protocol |
| SSLv3          | SSL V3.0                                                     | None, the connection fails.                                               |
| TLS            | TLS V1.0 (defined in RFC2246)                                | TLS V1.0 (defined in RFC2246)                                             |
| TLSv1          | TLS V1.0 (defined in RFC2246)                                | TLS V1.0 (defined in RFC2246)                                             |
| TLSv1.1        | TLS V1.1 (defined in RFC4346)                                | TLS V1.1 (defined in RFC4346)                                             |
| TLSv1.2        | TLS V1.2 (defined in RFC5246)                                | TLS V1.2 (defined in RFC5246)                                             |
| SSL_TLS        | Enables all SSL V3.0 and TLS V1.0 protocols                  | TLS V1.0                                                                  |
| SSL_TLSv2      | Enables all SSL V3.0 and TLS V1.0, V1.1, and V1.2 protocols  | Enables all TLS V1.0, V1.1, and V1.2 protocols                            |


