Users with desktop JRE 1.7u67 or 1.7u151 were unable to launch forms on SSL/TLS 1.2 enabled Oracle E-Business Suite environments. However, those with JRE 1.8 were able to open forms.
Errors seen in the Java console log:
“javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
java.lang.ClassNotFoundException: oracle.apps.fnd.formsClient.FormsLauncher.class”
After enabling tracing by setting -Djavax.net.debug=all in “Runtime Parameters” on the client Java, we saw the complete error:
*** ClientHello, TLSv1.2
RandomCookie: GMT: 1612175724 bytes = { 2, 65, 0, 128, 113, 176, 167, 128, 150, 48, 37, 230, 108, 40, 140, 106, 214, 182, 125, 52, 205, 47, 182, 133, 208, 250, 106, 205 }
Session ID: {}
Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
Compression Methods: { 0 }
Extension elliptic_curves, curve names: {secp256r1, secp384r1, secp521r1, sect283k1, sect283r1, sect409k1, sect409r1, sect571k1, sect571r1, secp256k1}
Extension ec_point_formats, formats: [uncompressed]
Extension signature_algorithms, signature_algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA, SHA256withDSA, SHA1withECDSA, SHA1withRSA, SHA1withDSA
Extension server_name, server_name: [host_name: .]
…………….
thread applet-oracle/apps/fnd/formsClient/FormsLauncher.class-1, READ: TLSv1.2 Alert, length = 2
thread applet-oracle/apps/fnd/formsClient/FormsLauncher.class-1, RECV TLSv1.2 ALERT: fatal, handshake_failure
thread applet-oracle/apps/fnd/formsClient/FormsLauncher.class-1, called closeSocket()
thread applet-oracle/apps/fnd/formsClient/FormsLauncher.class-1, handling exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
………….
The server is not accepting the ClientHello. However, for a similarly configured EBS environment, we see the following phases: ClientHello, TLSv1.2 -> ServerHello, TLSv1.2 -> handshake
Based on this, we concluded it could be a cipher issue on the LB side.
We performed the elimination testing below, trying to access forms on both the working and non-working environments by hitting IHS, the HA Proxy and the EBS apps directly. In the non-working environment, the test failed when hitting the URL (outer LB), while the same test worked in the working environment.
LB ————> IHS —————> HA Proxy LB ————> EBS App
Finally, we checked with our network team, which manages the IHS component, and found one difference:
SSLCipherSpec TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
The above line exists in the non-working environment but not in the working one. After removing this line from httpd.conf and bouncing IHS, the issue was resolved.
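An added example (not from the original post) of the comparison behind this diagnosis: it extracts the cipher suites offered in a javax.net.debug ClientHello and intersects them with a server-side list. The abridged trace is constructed from the one shown earlier, the function names are introduced here, and it assumes the IHS front end accepted only the suite named in SSLCipherSpec.

```python
import re

# Abridged javax.net.debug excerpt built from the trace above (constructed sample).
SAMPLE_TRACE = """\
*** ClientHello, TLSv1.2
Cipher Suites: [TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
Compression Methods:  { 0 }
thread applet-oracle/apps/fnd/formsClient/FormsLauncher.class-1, RECV TLSv1.2 ALERT:  fatal, handshake_failure
"""

def parse_client_hello(trace):
    """Return (protocol, offered_suites) from the first ClientHello in the trace."""
    hello = re.search(r"\*\*\* ClientHello, (\S+)", trace)
    suites = re.search(r"Cipher Suites:\s*\[([^\]]*)\]", trace)
    if not hello or not suites:
        raise ValueError("no ClientHello with a cipher suite list found")
    offered = [s.strip() for s in suites.group(1).split(",") if s.strip()]
    # The SCSV entry is a renegotiation signal, not a negotiable cipher suite.
    offered = [s for s in offered if not s.endswith("_SCSV")]
    return hello.group(1), offered

def normalize(suite):
    """Java 7 prints some suites with an SSL_ prefix; compare on the TLS_ form."""
    return "TLS_" + suite[4:] if suite.startswith("SSL_") else suite

def diagnose(trace, server_suites):
    """Explain a handshake_failure by intersecting client and server suites."""
    protocol, offered = parse_client_hello(trace)
    server = {normalize(s) for s in server_suites}
    common = [s for s in offered if normalize(s) in server]
    return {
        "protocol": protocol,
        "offered": offered,
        "common": common,
        "client_offers_gcm": any("_GCM_" in s for s in offered),
        "fatal_alert": bool(re.search(r"ALERT:\s*fatal, handshake_failure", trace)),
    }

if __name__ == "__main__":
    # Assumption: the front end accepts only the suite named in SSLCipherSpec.
    result = diagnose(SAMPLE_TRACE, ["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"])
    print(result["common"] or "no common cipher suite: expect handshake_failure")
```

Run against the full trace, the same check shows that the JRE 1.7 ClientHello contains no GCM suites at all, so a front end limited to a GCM-only list has nothing to select.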