Domino on Linux/Unix, Troubleshooting, Best Practices, Tips and more ...

Traveler server not connecting to Microsoft SQL Server using only TLS 1.2

Daniel Nashed  9 April 2019 09:32:46


There is a new issue that Detlev Pöttgen has already reported in detail about on his blog including the work-around
--> https://www.netzgoetter.net/internet/blogs/netzgoetter.nsf/dx/traveler-ha-running-on-ms-sql-server-issue-with-tls-1.2.htm

Current MS SQL Servers do only support TLS 1.2 and the JDBC Driver used on the Traveler Server does not open a TLS 1.2 session by default.

This impacts Traveler configuration with the travelerutil and also operating your server -- if the SQL server is updated to a version that supports TLS 1.2 only!

(Original IBM technote for reference --> https://www.ibm.com/support/docview.wss?uid=ibm10871764 ).

Detlev's post contains the details for the work-around and change the default to allow TLS 1.2.

The error message shown is:


com.microsoft.sqlserver.jdbc.SQLServerException: The driver could not establish a secure connection to SQL Server by using Secure Sockets Layer (SSL) encryption


-- Some more technical details --

I was very surprised when looking into it. The underlying issue is a IBM JVM issue in combination with the way the application uses the TLS connection.
I recall from previous tests (when we got TLS 1.0 and 1.2 for Domino 9.0.1 Fixpacks) that the IBM JVM was using TLS 1.2 already.
So it isn't a general issue but an issue with the wrong default settings in combination with the way the application is written.

In this case what is probably happening is that the current Microsoft SQL JDBC driver is using the "TLS" constant which by default only uses TLS 1.0 on the IBM JVM!!

The Oracle JVM by default uses TLS 1.0/1.1/1.2 when specifying "TLS" but the IBM JVM just uses TLS 1.0 in contrast.

https://www.ibm.com/support/knowledgecenter/en/SSYKE2_8.0.0/com.ibm.java.security.component.80.doc/security-component/jsse2Docs/matchsslcontext_tls.html

So this isn't directly a Traveler issue nor can be fixed by Traveler (unless there is a way to tell the JDBC driver explicitly to use TLS 1.2 -- I did not find any setting yet).

The following table still seems to apply. I haven't tested in detail.
But it's not clear how they will address this issue, because it's more a JDBC driver IBM JDK issue.

IMHO the IBM JVM should be fixed to use TLS 1.2 per default because this might cause also issues in other applications implemented in the same way.

-- Daniel



https://www.ibm.com/support/knowledgecenter/en/SSYKE2_7.1.0/com.ibm.java.security.component.71.doc/security-component/jsse2Docs/disablesslv3.html
Protocol label
Protocol enabled before the fix
Protocol enabled after the fix
SSL SSL V3.0
  • Server: TLS V1.0, TLS V1.1 and TLS V1.2 protocols.
  • Client: TLS V1.0 protocol
SSLv3 SSL V3.0 None, the connection fails.
TLS TLS V1.0 (defined in RFC2246) TLS V1.0 (defined in RFC2246)
TLSv1 TLS V1.0 (defined in RFC2246) TLS V1.0 (defined in RFC2246)
TLSv1.1 TLS V1.1 (defined in RFC4346) TLS V1.1 (defined in RFC4346)
TLSv1.2 TLS V1.2 (defined in RFC5246) TLS V1.2 (defined in RFC5246)
SSL_TLS Enables all SSL V3.0 and TLS V1.0 protocols TLS V1.0
SSL_TLSv2 Enables all SSL V3.0 and TLS V1.0, V1.1, and V1.2 protocols Enables all TLS V1.0, V1.1, and V1.2 protocols



Comments

1Geir Lund Engenes  09.04.2019 10:18:26  Traveler server not connecting to Microsoft SQL Server using only TLS 1.2

Could it be you need a jvmoptions file with https.protocols=TLSv1.2 ?

2Daniel Nashed  09.04.2019 12:58:46  Traveler server not connecting to Microsoft SQL Server using only TLS 1.2

The workaround is in Detlev's post with all the details including the change you need for the travelerutil ..

-- Daniel

Archives


  • [IBM Lotus Domino]
  • [Domino on Linux]
  • [Nash!Com]
  • [Daniel Nashed]