Troubleshooting
Problem
Connection works with this level of JDK:
java version "1.6.0_25"
Java(TM) SE Runtime Environment (build 1.6.0_25-b06)
Java HotSpot(TM) Client VM (build 20.0-b11, mixed mode, sharing)

Connect fails with this level of JDK:
java version "1.6.0_29"
Java(TM) SE Runtime Environment (build 1.6.0_29-b11)
Java HotSpot(TM) Client VM (build 20.4-b02, mixed mode, sharing)

The CDJAI code is the same and attaches to the same Connect:Direct server.
Symptom
Can no longer submit processes to the Connect:Direct node with the CDJAI client after upgrading the client JDK.
Cause
From Oracle JDK support:
countermeasure to an SSL/TLS vulnerability (known as the BEAST attack, see http://www.kb.cert.org/vuls/id/864643 and http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3389), which was included in the JVM 6u29 or newer. The countermeasure splits packets and is consistent with the behavior you are seeing.
For testing purposes you can disable this countermeasure by setting the java.lang.System property jsse.enableCBCProtection to false. You can use the command line java -Djsse.enableCBCProtection=false ...., or set it from the application with java.lang.System.setProperty("jsse.enableCBCProtection", "false");
If your application works with this property disabled, you have a few options for a permanent solution:
- Upgrade both sides to TLS 1.1/1.2
- Make the application tolerant to packet splitting
- Switch to a stream-based cipher, such as RC4
Environment
Windows
Diagnosing The Problem
Java trace on the client shows the buffer having additional information inserted in it.
Resolving The Problem
In the JDK application for CDJAI, disable this countermeasure by setting the java.lang.System property jsse.enableCBCProtection to false. You can use the command line java -Djsse.enableCBCProtection=false ...., or set it from the application with java.lang.System.setProperty("jsse.enableCBCProtection", "false");
Or use an RC4 cipher and not an AES cipher.
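The Cause section lists making the application tolerant to packet splitting as a permanent option. The following added example (not IBM, Oracle or CDJAI code) shows what that means for a Java reader: SplitStream is a constructed stand-in for a TLS socket stream whose first read returns one byte, and the class and method names are hypothetical. It assumes the failing code expected one read() call to return a whole message.

```java
import java.io.ByteArrayInputStream;
import java.io.EOFException;
import java.io.IOException;
import java.io.InputStream;

public class SplitTolerantRead {
    // Constructed stand-in for an SSLSocket input stream once the CBC
    // countermeasure is active: the first read returns 1 byte, later reads the rest.
    static class SplitStream extends InputStream {
        private final InputStream in;
        private boolean first = true;
        SplitStream(byte[] data) { in = new ByteArrayInputStream(data); }
        @Override public int read() throws IOException { first = false; return in.read(); }
        @Override public int read(byte[] b, int off, int len) throws IOException {
            int n = first ? Math.min(1, len) : len;
            first = false;
            return in.read(b, off, n);
        }
    }

    // Fragile: assumes a single read() delivers the complete message.
    static int fragileRead(InputStream in, byte[] buf) throws IOException {
        return in.read(buf, 0, buf.length);
    }

    // Tolerant: keeps reading until exactly len bytes have arrived, however the
    // peer's TLS layer split them into records. java.io.DataInputStream.readFully
    // provides the same loop.
    static void readFully(InputStream in, byte[] buf, int len) throws IOException {
        int off = 0;
        while (off < len) {
            int n = in.read(buf, off, len - off);
            if (n < 0) throw new EOFException("stream closed after " + off + " of " + len + " bytes");
            off += n;
        }
    }

    public static void main(String[] args) throws IOException {
        byte[] msg = "SUBMIT PROCESS".getBytes("US-ASCII"); // constructed sample payload
        byte[] buf = new byte[msg.length];
        int got = fragileRead(new SplitStream(msg), buf);
        System.out.println("single read(): " + got + " of " + msg.length + " bytes");
        readFully(new SplitStream(msg), buf, msg.length);
        System.out.println("read loop:     " + new String(buf, "US-ASCII"));
    }
}
```

A reader written this way keeps working with jsse.enableCBCProtection left at its default, so the countermeasure does not have to be disabled.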
Document Information
Modified date:
24 July 2020
UID
swg21598709