-
タイトル
The server selected protocol version TLS10 is not accepted by client preferences [TLS12] -
説明
After upgrading the Foglight Agent Manager (and FMS) to 6.1.0 or higher, connections to hosts to fail with TLS and SSL errors.
For SQL Server agents as an example, error messages like the following appear
ERROR [ConnectionManagementThread-[MSSQLPool-AGENTNAME]-[][MSSQLProfile{host='AGENTNAME', instance= 'DEFAULT_INSTANCE', username='.', authType= 'WINDOWS_DEFAULT', port= '0' useNTLMv2= 'true', socketTimeout= '900', database= 'master', secureConnection= 'OFF', packetSize= '0', ApplicationIntent= 'NONE', enforceSSLVersion= 'NONE', lockTimeout= '10000', codePageOverride = '', selectMethod='' }]] com.quest.qsi.fason.framework.connections.jdbc.JDBCConnectionImpl - Failed to create new connection. [MSSQLProfile{host='AGENTNAME', instance= 'DEFAULT_INSTANCE', username='.', authType= 'WINDOWS_DEFAULT', port= '0' useNTLMv2= 'true', socketTimeout= '900', database= 'master', secureConnection= 'OFF', packetSize= '0', ApplicationIntent= 'NONE', enforceSSLVersion= 'NONE', lockTimeout= '10000', codePageOverride = '', selectMethod='' }]
com.microsoft.sqlserver.jdbc.SQLServerException: The driver could not establish a secure connection to SQL Server by using Secure Sockets Layer (SSL) encryption. Error: "The server selected protocol version TLS10 is not accepted by client preferences [TLS12]". ClientConnectionId:65bdbe0a-ad9e-4dcb-b67b-07403a1ec21f
Caused by: javax.net.ssl.SSLHandshakeException: The server selected protocol version TLS10 is not accepted by client preferences [TLS12]Numerous Usability Connection Availability or Usability OS Connection Availability alarms may also be fired indicating that the connections have failed.
-
原因
OpenJDK disabled the TLS 1.0 and 1.1 availability by default in the java.security file. Java applications such as Foglight using TLS to communicate need to use TLS 1.2 or above to establish a connection. -
対策
WORKAROUND
Edit the value in the java.security file directly.
- Navigate to the the java.security file location on the Foglight Agent Manager (FglAM)
- On an external Fglam this would be {fglam}\jre\{version}\jre\lib\security\ (JRE 8) or {fglam}\jre\{version}\jre\conf\security\ (JRE 17)
- Using an embedded FglAM this would be {fms}\jre\lib\security\ (JRE 8) or {fms}\jre\conf\security\ (JRE 17)
- Open the file java.security in a text editor
- Search for the property jdk.tls.disabledAlgorithms
- For OpenJDK 8, the contents would be similar to
jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \
DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL \
include jdk.disabled.namedCurves - Remove the TLSv1.1 and/or TLSv1 entries, this will re-establish those version back to the list of usable versions within the JDK
- Save the file
- Restart the Foglight Agent Manager
RESOLUTION (Recommended Solution)
Update the TLS versions on the monitored hosts to TLSv1.2 or higher. - Navigate to the the java.security file location on the Foglight Agent Manager (FglAM)
-
追加情報
As per OpenJDK developers (outside of Quest) the workaround is not advisable in Production environments since using disabled algorithms degrades the secure communication between the FglAM and the host servers provided the newer algorithms.