Nick Foote - 3 months ago
Apache Configuration Question

Java Spring WS client - tomcat or apache interfering?

Recently a supplier upgraded their XML SOAP Webservice, dropping support for TLSv1 which caused our calls to them to stop working.

I have slightly upgraded our legacy Java Spring app to try and re-enable the function. I have the following code:

    public boolean searchViaWS(....) throws Exception {

        SaajSoapMessageFactory messageFactory = new SaajSoapMessageFactory(MessageFactory.newInstance());

        messageFactory.setSoapVersion(SoapVersion.SOAP_11);
        XmlBeansMarshaller marshaller = new XmlBeansMarshaller();

        // THESE TWO LINES ARE NEW TO SUPPORT TLSv1.1
        HttpsUrlConnectionMessageSender sender = new HttpsUrlConnectionMessageSender(); // NEW
        sender.setSslProtocol("TLSv1.1"); // NEW

        NSCHWebServiceClient webServiceClient = new NSCHWebServiceClient(messageFactory);
        webServiceClient.setMessageSender(sender); // NEW ALSO
        webServiceClient.setMarshaller(marshaller);
        webServiceClient.setUnmarshaller(marshaller);

        return webServiceClient.searchViaWS(....);
    }


All webServiceClient does is build the Objects based on the wsdl and call WebServiceTemplate.marshalSendAndReceive.

Now, I can exercise this code via a unit test in eclipse.


  • Without the NEW lines above the test fails with SSL handshake exceptions, saying the remote host closed the connection, assumedly because they no longer allow TLSv1.

  • With the NEW lines above the test passes, getting a successful response from the remote server. Thus I take it that setting the protocol to TLSv1.1 is all that was needed.



In Eclipse the classpath says it is using JavaSE-1.6 (provided by jdk1.7.0_21)

However, when I upload the code to my server, which runs Apache using AJP to redirect to Tomcat 6.0.29 on a CentOS box running Java 1.6.0_0, and exercise the same code, the SSL handshake exceptions continue.

The project and its server are very legacy and I do not fully understand transport protocols at the best of times. Am I right in suspecting that Tomcat and/or Apache on the server are ignoring the Java code's request to use TLSv1.1 and thus still using TLSv1 and causing the handshake errors with the remote server?

Answer

Finally found the solution to this. As I suspected, Tomcat was causing issues. I upgraded to Java 7 on the server and then added the following into catalina.sh in the Tomcat bin directory:

JAVA_OPTS="$JAVA_OPTS -Dhttps.protocols=TLSv1.1,TLSv1.2"
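
To compare what the Eclipse JDK and the server JVM from the question can actually negotiate, the following diagnostic can be run with each `java` binary (and with the same `-Dhttps.protocols` value Tomcat gets). It is an added example, not code from the original post; the class name `TlsProtocolCheck` is hypothetical, and it assumes the name passed to `setSslProtocol` is resolved as an `SSLContext` protocol name.

```java
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;

// Added diagnostic, not from the original post. Uses only Java 6 level APIs
// so it compiles and runs on both JVMs mentioned in the question.
public class TlsProtocolCheck {

    /** Protocol versions this JVM's default SSLContext is able to speak. */
    static List<String> supported() throws NoSuchAlgorithmException {
        return Arrays.asList(
            SSLContext.getDefault().getSupportedSSLParameters().getProtocols());
    }

    /** Protocol versions offered when the application configures nothing. */
    static List<String> enabledByDefault() throws NoSuchAlgorithmException {
        return Arrays.asList(
            SSLContext.getDefault().getDefaultSSLParameters().getProtocols());
    }

    /** True if the JVM has a provider for the given SSLContext name. */
    static boolean contextAvailable(String protocol) {
        try {
            SSLContext.getInstance(protocol);
            return true;
        } catch (NoSuchAlgorithmException e) {
            return false; // asking for this protocol in code cannot work here
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("java.version      = " + System.getProperty("java.version"));
        System.out.println("java.vendor       = " + System.getProperty("java.vendor"));
        // null means the flag from catalina.sh did not reach this JVM
        System.out.println("https.protocols   = " + System.getProperty("https.protocols"));
        System.out.println("supported         = " + supported());
        System.out.println("enabled (default) = " + enabledByDefault());

        String[] wanted = { "TLSv1", "TLSv1.1", "TLSv1.2" };
        for (String protocol : wanted) {
            System.out.println("SSLContext.getInstance(\"" + protocol + "\") available: "
                + contextAvailable(protocol));
        }
    }
}
```

A protocol that is missing from the `supported` line cannot be enabled by application code or by `https.protocols`; one that is supported but absent from the `enabled (default)` line has to be turned on explicitly, which is what the `JAVA_OPTS` setting above does for `HttpsURLConnection`.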