SSL Problem After Upgrading to Java 7

If you have upgraded NEXUSe2e to a newer version that requires Java 7 and encounter the following error message while receiving messages from partners who still use Java 5, follow the instructions below.

Message submission failed: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure

Root Cause

As the Java documentation for the JSSE provider shows, some SSL ciphers have been deprecated in Java 7 due to security vulnerabilities. This led to a slight change in the protocols and ciphers that are enabled by default, which can result in this issue.

Solution

Security Hint:

Be advised that enabling deprecated SSL protocols puts you at risk.

Inbound Messages

To alleviate the issue, modify the Tomcat connector for NEXUSe2e and add sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2,SSLv2Hello" to it. This manually enables the SSLv2Hello pseudo-protocol, which will result in messages being received again.

<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
    maxThreads="150" scheme="https" secure="true"
    sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2,SSLv2Hello"
    clientAuth="false" sslProtocol="TLS" />

Outbound Messages

  • Stop NEXUSe2e.
  • Check your Windows Services panel for the name of the NEXUSe2e service. *
  • In your Tomcat directory, go to subdirectory bin. There, you should find a file called <SERVICE_NAME>w.exe. For example, if the service name is NEXUSe2e, the file name is NEXUSe2ew.exe.
  • Open that .exe file (Admin rights required).
  • In the "Java" tab, add -Dhttps.protocols=TLSv1,SSLv3,SSLv2Hello to the "Java Options" text box. Note that the value must not contain any spaces.
  • Start NEXUSe2e and test the connection again.

* If you are not familiar with administering a Windows Tomcat Service, find some help here.
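
To keep track of where these compatibility settings are in place, so they can be removed once partners have upgraded, the following added example (not part of NEXUSe2e or its documentation) scans a Tomcat server.xml and a "Java Options" string for legacy protocol tokens. The sample inputs are constructed from the inbound and outbound settings above, and the set of tokens treated as legacy is this example's own assumption.

```python
import re
import xml.etree.ElementTree as ET

# Protocol tokens this example treats as legacy (an assumption; adjust to policy).
LEGACY = {"SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1"}

# Constructed sample inputs mirroring the settings shown on this page.
SAMPLE_SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1" />
  <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
      maxThreads="150" scheme="https" secure="true"
      sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2,SSLv2Hello"
      clientAuth="false" sslProtocol="TLS" />
</Service></Server>"""
SAMPLE_JAVA_OPTIONS = "-Xms256m\n-Dhttps.protocols=TLSv1,SSLv3,SSLv2Hello\n-Dfile.encoding=UTF-8"


def split_protocols(value):
    """Split a comma-separated protocol list, tolerating stray whitespace."""
    return [p.strip() for p in value.split(",") if p.strip()]


def audit_connectors(server_xml):
    """Return {port: [legacy protocols]} for every TLS-enabled Connector."""
    findings = {}
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue  # plain HTTP connector, no TLS settings to check
        enabled = conn.get("sslEnabledProtocols")
        if enabled is None:
            continue  # JVM defaults apply; nothing was widened here
        legacy = [p for p in split_protocols(enabled) if p in LEGACY]
        if legacy:
            findings[conn.get("port")] = legacy
    return findings


def audit_java_options(options):
    """Return legacy protocols enabled for outbound HTTPS via -Dhttps.protocols."""
    match = re.search(r"-Dhttps\.protocols=(\S+)", options)
    if not match:
        return []
    return [p for p in split_protocols(match.group(1)) if p in LEGACY]


if __name__ == "__main__":
    print("inbound :", audit_connectors(SAMPLE_SERVER_XML))
    print("outbound:", audit_java_options(SAMPLE_JAVA_OPTIONS))
```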