IBM Support

PM68915: SSL connection failure after upgrading to 7.0.0.23, 8.0.0.3 and 8.5.0.0 due to Elliptical Curve Cryptography (ECC) suites.

Fixes are available

7.0.0.25: WebSphere Application Server V7.0 Fix Pack 25
8.5.0.1: WebSphere Application Server V8.5 Fix Pack 1
8.0.0.5: WebSphere Application Server V8.0 Fix Pack 5
7.0.0.27: WebSphere Application Server V7.0 Fix Pack 27
8.5.0.2: WebSphere Application Server V8.5 Fix Pack 2
8.0.0.6: WebSphere Application Server V8.0 Fix Pack 6
7.0.0.29: WebSphere Application Server V7.0 Fix Pack 29
8.0.0.7: WebSphere Application Server V8.0 Fix Pack 7
8.0.0.8: WebSphere Application Server V8.0 Fix Pack 8
7.0.0.31: WebSphere Application Server V7.0 Fix Pack 31
7.0.0.27: Java SDK 1.6 SR13 FP2 Cumulative Fix for WebSphere Application Server
7.0.0.33: WebSphere Application Server V7.0 Fix Pack 33
8.0.0.9: WebSphere Application Server V8.0 Fix Pack 9
7.0.0.35: WebSphere Application Server V7.0 Fix Pack 35
8.0.0.10: WebSphere Application Server V8.0 Fix Pack 10
7.0.0.37: WebSphere Application Server V7.0 Fix Pack 37
8.0.0.11: WebSphere Application Server V8.0 Fix Pack 11
7.0.0.39: WebSphere Application Server V7.0 Fix Pack 39
8.0.0.12: WebSphere Application Server V8.0 Fix Pack 12
7.0.0.41: WebSphere Application Server V7.0 Fix Pack 41
8.0.0.13: WebSphere Application Server V8.0 Fix Pack 13
7.0.0.43: WebSphere Application Server V7.0 Fix Pack 43
8.0.0.14: WebSphere Application Server V8.0 Fix Pack 14
7.0.0.45: WebSphere Application Server V7.0 Fix Pack 45
8.0.0.15: WebSphere Application Server V8.0 Fix Pack 15
7.0.0.25: Java SDK 1.6 SR11 Cumulative Fix for WebSphere Application Server
7.0.0.27: Java SDK 1.6 SR12 Cumulative Fix for WebSphere Application Server
7.0.0.29: Java SDK 1.6 SR13 FP2 Cumulative Fix for WebSphere Application Server
7.0.0.45: Java SDK 1.6 SR16 FP60 Cumulative Fix for WebSphere Application Server
7.0.0.31: Java SDK 1.6 SR15 Cumulative Fix for WebSphere Application Server
7.0.0.35: Java SDK 1.6 SR16 FP1 Cumulative Fix for WebSphere Application Server
7.0.0.37: Java SDK 1.6 SR16 FP3 Cumulative Fix for WebSphere Application Server
7.0.0.39: Java SDK 1.6 SR16 FP7 Cumulative Fix for WebSphere Application Server
7.0.0.41: Java SDK 1.6 SR16 FP20 Cumulative Fix for WebSphere Application Server
7.0.0.43: Java SDK 1.6 SR16 FP41 Cumulative Fix for WebSphere Application Server

Subscribe

You can track all active APARs for this component.

APAR status

  • Closed as program error.

Error description

  • SSL connection failure may happen after upgrading to 7.0.0.23,
    8.0.0.3 and 8.5.0.0 between WebSphere and any peer program.
    This is caused by WebSphere including ECC ciphers in default
    cipher suites and using it for SSL handshake. This APAR
    removes the ECC ciphers from WebSphere's default ciphers.
    
    For example, if WebSphere Application Server is configured to
    use LDAP via SSL and the LDAP does not support ECC
    certificates, dmgr and  appserver would fail to start with the
    following error. LDAP authentication error :
    [21/06/12 17:19:32:197 BST] 00000014 exception     E
    com.ibm.ws.wim.adapter.ldap.LdapConnection getDirContext
    
    com.ibm.websphere.wim.exception.
    WIMSystemException: CWWIM4520E  The 'javax.naming.
    CommunicationException: simple bind failed:
    oiduat.company.com:4030
    [Root exception is javax.net.ssl.SSLException: Received fatal
    alert: illegal_parameter]' naming exception occurred during
    processing.
    
    Other errors related to this APAR include:
    [8/21/12 12:41:15:979 EDT] 00000022 SystemOut     O
    WebContainer : 1,  fatal error: 80: problem unwrapping net
    record javax.net.ssl.SSLHandshakeException: No supported
    signature algorithms in common
    
    [8/21/12 12:40:17:308 EDT] 00000021 SystemOut     O Extension
    elliptic_curves, curve names: {secp256r1, secp384r1, secp521r1}
    
    Also in JSSE or WebSphere trace, ECC ciphers (ciphers starting
    "SSL_ECDH" or "TLS_ECDH") are printed.
    

Local fix

  • n/a
    

Problem summary

  • ****************************************************************
    * USERS AFFECTED:  All users of IBM WebSphere Application      *
    *                  Server                                      *
    ****************************************************************
    * PROBLEM DESCRIPTION: SSL connection fails due to             *
    *                      Elliptical Curve Cryptography           *
    *                      (ECC) ciphers are set on socket.        *
    ****************************************************************
    * RECOMMENDATION:                                              *
    ****************************************************************
    If WebSphere Application Server runs on one of following IBM
    SDK 6.0 SR10, 6.26 SR1 or 7.0 SR1, which is available with
    WebSphere 7.0.0.23, 8.0.0.3 and 8.5.0.0 as SDK update,
    the Application Server includes ECC ciphers in its cipher
    suites and sets on its sockets. If peer programs that
    communicate with WebSphere do not support ECC ciphers,  this
    causes SSL connection failure.
    

Problem conclusion

  • Code has been updated to remove the ECC ciphers from default
    cipher suite.  ECC ciphers are available and still set on
    socket if
    - New FIPS standards (SP800-131a strict or Suite B) is enabled
    or
    - the following custom property is set at security top level
    com.ibm.websphere.ssl.include.ECCiphers to true
    
    The fix for this APAR is currently targeted for inclusion in
    fix pack 7.0.0.25, 8.0.0.5 and 8.5.0.1.  Please refer to the
    Recommended Updates
    page for delivery information:
    http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
    

Temporary fix

Comments

APAR Information

  • APAR number

    PM68915

  • Reported component name

    WEBSPHERE APP S

  • Reported component ID

    5724J0800

  • Reported release

    700

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2012-07-16

  • Closed date

    2012-08-14

  • Last modified date

    2013-03-20

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

    PM70522

Fix information

  • Fixed component name

    WEBSPHERE APP S

  • Fixed component ID

    5724J0800

Applicable component levels

  • R700 PSY

       UP

  • R800 PSY

       UP

  • R850 PSY

       UP



Document information

More support for: WebSphere Application Server
General

Software version: 7.0

Reference #: PM68915

Modified date: 20 March 2013