Nick Foote Nick Foote - 2 months ago 22
Apache Configuration Question

Java Spring WS client - tomcat or apache interfering?

Recently a supplier upgraded their XML SOAP Webservice, dropping support for TLSv1 which caused our calls to them to stop working.

I have slightly upgraded our legacy Java Spring app to try and re-enable the function. I have the following code;

public boolean searchViaWS(....) throws Exception {

SaajSoapMessageFactory messageFactory = new SaajSoapMessageFactory(MessageFactory.newInstance());

XmlBeansMarshaller marshaller = new XmlBeansMarshaller();

HttpsUrlConnectionMessageSender sender = new HttpsUrlConnectionMessageSender(); // NEW
sender.setSslProtocol("TLSv1.1"); // NEW

NSCHWebServiceClient webServiceClient = new NSCHWebServiceClient(messageFactory);
webServiceClient.setMessageSender(sender); // NEW ALSO

return webServiceClient.searchViaWS(....);

All webServiceClient does is build the Objects based on the wsdl and call WebServiceTemplate.marshalSendAndReceive.

Now, I can exercise this code via a unit test in eclipse.

  • Without the NEW lines above the test fails with ssl handshake exceptions, saying the remote host closed the connection, assumedly because they no longer allow TLSv1.

  • With the NEW lines above the test passes, getting a successful response from the remote server. Thus I take it that setting the protocal to TLSv1.1 is all that was needed.

In Eclipse the classpath says it is using JavaSE-1.6 (provided by jdk1.7.0_21)

However when I upload the code to my server, which runs Apache using ajp to redirect to Tomcat 6.0.29 on a CentOS box running Java 1.6.0_0, and exercise the same code, the ssl handshake exceptions continue.

The project and its server is very legacy and I do not fully understand transport protocols at the best of times. Am I right in suspecting that Tomcat and/or Apache on the server are ignoring the Java code's request to use TLSv1.1 and thus still using TLSv1 and causing the handshake errors with the remote server?


Finally found the solution to this. As I suspected, Tomcat was causing issues. I upgraded to Java 7 on the server and then added the following into in the tomcat bin directory;

JAVA_OPTS="$JAVA_OPTS -Dhttps.protocols=TLSv1.1,TLSv1.2"