SharePoint Agent handshake error connecting to SharePoint Server using TLS1.2

Document ID : KB000112384
Last Modified Date : 03/09/2018
Issue:
SharePoint Agent R12.52SP1CR8
SharePoint Server is newly configured with HTTPS and SharePoint Agent fails to connect to SharePoint Server.

When Access Gateway attempts an SSL connection to the back-end SharePoint application server, the following error appears in the nohup logs:

handling exception: javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
http-bio-2001-exec-1, SEND TLSv1.2 ALERT:  fatal, description = handshake_failure
http-bio-2001-exec-1, WRITE: TLSv1.2 Alert, length = 2

In another environment SharePoint Agent has no problem establishing secure connection to SharePoint Server.
Cause:
When a secure connection is being established, the client (in this case, the SharePoint Agent) sends the list of cipher suites it supports to the server (in this case, the SharePoint Server on IIS).
This list appears in the "Client Hello" message in a Wireshark capture.

In this case, when TLS 1.2 is used, the server does not return a "Server Hello" with the cipher suite it selected.
Instead, it returns only a Handshake Failure alert.

https://tools.ietf.org/html/rfc5246#section-7.4.1.3

This means there was no cipher suite common to the client and the server.
 
Resolution:
In this type of scenario, use openssl to check whether the secure connection can be established, with the following command:
openssl s_client -connect <SharePointServer:Port> -tls1_2

The output shows whether the secure connection handshake is successful or not.
If it is successful, the output also shows the cipher that was used for the handshake.

Following is the output from the openssl command above:
---
No client certificate CA names sent
Peer signing digest: SHA1
Server Temp Key: ECDH, P-521, 521 bits
---
SSL handshake has read 4382 bytes and written 558 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-SHA384


This cipher, ECDHE-RSA-AES256-SHA384, was not present in the server.conf file (it is included out of the box in Access Gateway R12.7 and above).

To add this cipher to the server.conf file (look for the keyword "ciphers" in the server.log), you need to ensure it is in the format recognized by the SharePoint Agent.

https://www.openssl.org/docs/man1.1.0/apps/ciphers.html

The link above lists the official names of the ciphers.
[Screenshot: Ciphers]

The official name for the cipher ECDHE-RSA-AES256-SHA384 is TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, but in that form it was not recognized by the SharePoint Agent.
The leading "TLS_" had to be removed from the cipher name.
To allow the cipher, a "+" must also be added in front of the cipher name.

[Screenshot: Ciphers in server.conf]
If your SharePoint Agent or Access Gateway is running in FIPS mode, add the cipher to the respective section shown above.
The sample above is for NON-FIPS mode.
A SharePoint Agent restart is required to load this configuration change.
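The name conversion described above (OpenSSL name from s_client to IANA name, drop "TLS_", prefix "+") and the TLS 1.2 handshake check, as an added example that is not part of this article or the product; it handles the AES CBC/GCM suites listed on this page, and the host/port values are placeholders:

```python
import re
import socket
import ssl

# Constructed sample: the OpenSSL name reported by "Cipher is ..." in s_client output.
SAMPLE_OPENSSL_NAME = "ECDHE-RSA-AES256-SHA384"


def openssl_to_iana(openssl_name: str) -> str:
    """Convert an OpenSSL AES cipher name to its IANA/RFC name (TLS_..._WITH_...).

    Covers the AES-CBC and AES-GCM suites this article lists; raises for others.
    """
    parts = openssl_name.upper().split("-")
    aes = [i for i, p in enumerate(parts) if re.fullmatch(r"AES(128|256)", p)]
    if not aes:
        raise ValueError(f"not an AES suite: {openssl_name}")
    i = aes[0]
    # Tokens before the cipher are key exchange/authentication; an empty
    # prefix (e.g. AES128-SHA) means plain RSA key exchange.
    kx = "_".join(parts[:i]) or "RSA"
    bits = parts[i][len("AES"):]
    tail = parts[i + 1:]
    mode = "GCM" if "GCM" in tail else "CBC"
    mac = tail[-1]  # SHA, SHA256 or SHA384
    if not re.fullmatch(r"SHA(256|384)?", mac):
        raise ValueError(f"unrecognised MAC token in {openssl_name}")
    return f"TLS_{kx}_WITH_AES_{bits}_{mode}_{mac}"


def agent_cipher_entry(openssl_name: str) -> str:
    """server.conf 'ciphers' form per the article: strip 'TLS_', prefix '+' to allow."""
    return "+" + openssl_to_iana(openssl_name)[len("TLS_"):]


def negotiated_cipher(host: str, port: int):
    """Diagnostic equivalent of 'openssl s_client -tls1_2': returns the negotiated
    (name, protocol, bits) tuple, or None when the handshake fails (for example
    because the server answered with a handshake_failure alert)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = False  # diagnostic only, like s_client without -verify
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=10) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.cipher()
    except (ssl.SSLError, OSError):
        return None


if __name__ == "__main__":
    print(agent_cipher_entry(SAMPLE_OPENSSL_NAME))  # +ECDHE_RSA_WITH_AES_256_CBC_SHA384
    print(negotiated_cipher("sharepoint.example.invalid", 443))  # placeholder host
```

Run it against the real SharePoint host and port; a None result matches the handshake_failure seen in the nohup logs, while a tuple gives the OpenSSL name to feed into agent_cipher_entry.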

This method should apply to all versions of SharePoint Agent and Access Gateway. (It also depends on the Java version: older Java versions may not support TLS 1.2 and its ciphers; refer to the Oracle site for more details.)
The cipher name format described here applies only to SharePoint Agent R12.52SP1 CRxx or Access Gateway (aka SPS) R12.52SP1 CRxx.

Following is the list of ciphers supported out of the box as of Access Gateway 12.6 onwards; you may need to add or remove ciphers based on your needs.
DHE_DSS_With_AES_128_GCM_SHA256
DHE_DSS_With_AES_256_GCM_SHA384
DHE_RSA_With_AES_128_GCM_SHA256
DHE_RSA_With_AES_256_GCM_SHA384
ECDHE_ECDSA_With_AES_128_GCM_SHA256
ECDHE_ECDSA_With_AES_256_GCM_SHA384
ECDHE_RSA_With_AES_128_GCM_SHA256
ECDHE_RSA_With_AES_256_GCM_SHA384
RSA_With_AES_128_CBC_SHA
RSA_With_AES_128_CBC_SHA256
RSA_With_AES_128_GCM_SHA256
RSA_With_AES_256_CBC_SHA
RSA_With_AES_256_CBC_SHA256
RSA_With_AES_256_GCM_SHA384
 
Additional Information:
https://tools.ietf.org/html/rfc5246#section-7.4.1.3
https://www.openssl.org/docs/man1.1.0/apps/ciphers.html
https://blogs.oracle.com/java-platform-group/diagnosing-tls,-ssl,-and-https
https://comm.support.ca.com/kb/howto-enabled-debugging-of-ssl-connections-from-the-proxyengine-to-the-backend-server-in-ca-access-gateway-formerly-ca-secure-proxy-server/kb000042115