deepak_naik

Received fatal alert: handshake_failure connecting to tls1test.salesforce.com

Regarding the topic "Salesforce disabling TLS 1.0" as mentioned in the link "https://help.salesforce.com/apex/HTViewSolution?id=000221207&language=en_US":
Which is the forum where I can post questions pertaining to the above link?

I am testing the API compatibility tests "How do I test the compatibility of an API (inbound) integration to Salesforce?"
When I run the test I see the following "Handshake Error":

main, READ: TLSv1 Alert, length = 2
main, RECV TLSv1 ALERT:  fatal, handshake_failure
main, called closeSocket()
main, handling exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
AxisFault
 faultCode: {http://schemas.xmlsoap.org/soap/envelope/}Server.userException
 faultSubcode:
 faultString: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
 faultActor:
 faultNode:
 faultDetail:
        {http://xml.apache.org/axis/}stackTrace:javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
        at com.ibm.jsse2.j.a(j.java:4)
        at com.ibm.jsse2.j.a(j.java:31)
        at com.ibm.jsse2.qc.b(qc.java:624)

        
Is it that my application is not compatible? But I see that we are using TLSv1, which is supposed to be supported.

Regds,
Deepak

 
Best Answer chosen by James Loghry
pcon
TLSv1.1+ is supported.  The error that you are getting appears to be because you are using TLSv1.0 against that URL.  If you run the following cURL commands, you can see how it fails with v1.0 and succeeds with v1.1.
 
curl -v --tlsv1.0 https://tls1test.salesforce.com
* Rebuilt URL to: https://tls1test.salesforce.com/
* Hostname was NOT found in DNS cache
*   Trying 136.146.30.119...
* Connected to tls1test.salesforce.com (136.146.30.119) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* NSS error -12286 (SSL_ERROR_NO_CYPHER_OVERLAP)
* Cannot communicate securely with peer: no common encryption algorithm(s).
* Closing connection 0
curl: (35) Cannot communicate securely with peer: no common encryption algorithm(s).
 
curl -v --tlsv1.1 https://tls1test.salesforce.com
* Rebuilt URL to: https://tls1test.salesforce.com/
* Hostname was NOT found in DNS cache
*   Trying 136.146.30.119...
* Connected to tls1test.salesforce.com (136.146.30.119) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* SSL connection using TLS_RSA_WITH_AES_256_CBC_SHA
* Server certificate:
*       subject: CN=tls1test.salesforce.com,OU=R&D,O="Salesforce.com, Inc",L=San Francisco,ST=California,C=US
*       start date: May 27 00:00:00 2015 GMT
*       expire date: May 26 23:59:59 2016 GMT
*       common name: tls1test.salesforce.com
*       issuer: CN=Symantec Class 3 Secure Server CA - G4,OU=Symantec Trust Network,O=Symantec Corporation,C=US
> GET / HTTP/1.1
> User-Agent: curl/7.37.0
> Host: tls1test.salesforce.com
> Accept: */*
> 
< HTTP/1.1 301 Moved Permanently
< Date: Sun, 06 Mar 2016 19:00:00 GMT
< Cache-Control: no-cache, must-revalidate, max-age=0, no-store, private,s-maxage=0
< Pragma: no-cache
< Set-Cookie: BrowserId=9sSdvMVpTUqhK_fL51i7jA;Path=/;Domain=.salesforce.com;Expires=Thu, 05-May-2016 19:00:00 GMT
< Expires: Thu, 01 Jan 1970 00:00:00 GMT
< Location: https://tls1test.salesforce.com/s/
< Transfer-Encoding: chunked
< 
* Connection #0 to host tls1test.salesforce.com left intact
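The two curl runs above show the same handshake pinned to TLSv1.0 and then to TLSv1.1. The following is an added example, not code from this thread or from Salesforce: a small Go program that reproduces that check offline. It starts a loopback TLS server that refuses anything below TLS 1.2 (standing in for tls1test.salesforce.com, with a constructed self-signed certificate), then probes it with the client pinned to each protocol version in turn, which is what `curl --tlsv1.0` / `--tlsv1.1` do. Function and variable names (`startServer`, `probe`, `supportedVersions`) are this example's own. Pointing `probe` at a real host would require that host's CA in the root pool instead of the constructed one.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// Probe order and the names curl uses for each version.
var probeVersions = []uint16{tls.VersionTLS10, tls.VersionTLS11, tls.VersionTLS12, tls.VersionTLS13}

var versionName = map[uint16]string{
	tls.VersionTLS10: "TLSv1.0",
	tls.VersionTLS11: "TLSv1.1",
	tls.VersionTLS12: "TLSv1.2",
	tls.VersionTLS13: "TLSv1.3",
}

// selfSignedCert builds a throwaway certificate for the local stand-in server
// (constructed here; unrelated to the real Salesforce certificate).
func selfSignedCert(host string) (tls.Certificate, *x509.CertPool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	parsed, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(parsed) // the probe trusts exactly this certificate, nothing else
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, roots, nil
}

// startServer listens on a loopback port and refuses any handshake below
// minVersion, the policy the TLS test endpoint enforces. It returns the
// address to dial and the root pool the probe verifies against.
func startServer(minVersion uint16) (string, *x509.CertPool, error) {
	cert, roots, err := selfSignedCert("localhost")
	if err != nil {
		return "", nil, err
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{cert},
		MinVersion:   minVersion,
	})
	if err != nil {
		return "", nil, err
	}
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return
			}
			// Drive the handshake to completion (or to the alert), then hang up.
			go func(c net.Conn) {
				defer c.Close()
				if tc, ok := c.(*tls.Conn); ok {
					_ = tc.Handshake()
				}
			}(c)
		}
	}()
	return ln.Addr().String(), roots, nil
}

// probe pins the client to exactly one protocol version, as `curl --tlsv1.0`
// or `--tlsv1.1` does, and returns nil only if the handshake completed.
func probe(addr string, version uint16, roots *x509.CertPool) error {
	d := &net.Dialer{Timeout: 3 * time.Second}
	conn, err := tls.DialWithDialer(d, "tcp", addr, &tls.Config{
		MinVersion: version,
		MaxVersion: version,
		ServerName: "localhost",
		RootCAs:    roots,
	})
	if err != nil {
		return err
	}
	return conn.Close()
}

// supportedVersions probes every version and reports, by name, which ones the server accepted.
func supportedVersions(addr string, roots *x509.CertPool) map[string]bool {
	out := make(map[string]bool, len(probeVersions))
	for _, v := range probeVersions {
		out[versionName[v]] = probe(addr, v, roots) == nil
	}
	return out
}

func main() {
	addr, roots, err := startServer(tls.VersionTLS12)
	if err != nil {
		panic(err)
	}
	for _, v := range probeVersions {
		fmt.Printf("%-8s handshake ok=%v\n", versionName[v], supportedVersions(addr, roots)[versionName[v]])
	}
}
```

Against the TLS 1.2-only stand-in server the 1.0 and 1.1 probes fail with a protocol version error and the 1.2 and 1.3 probes succeed, mirroring the curl output above; a client that only fails to get past this step has a protocol-version problem, not a credential or HTTP problem.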

All Answers

deepak_naik
Thanks Pcon for the reply.
But in my environment, even the curl test with TLS 1.1 fails:

[dsadm@manyatak209 ConnectionTest115]$ curl -v -tlsv1.1 https://tls1test.salesforce.com
* About to connect() to tls1test.salesforce.com port 443 (#0)
*   Trying 136.146.46.118... connected
* Connected to tls1test.salesforce.com (136.146.46.118) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* NSS error -12286
* Error in TLS handshake, trying SSLv3...
> GET / HTTP/1.1
> User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.14.0.0 zlib/1.2.3 libidn/1.18 libssh2/1.4.2
> Host: tls1test.salesforce.com
> Accept: */*
>
* Connection died, retrying a fresh connect
* Closing connection #0
* Issue another request to this URL: 'https://tls1test.salesforce.com'
* About to connect() to tls1test.salesforce.com port 443 (#0)
*   Trying 136.146.46.118... connected
* Connected to tls1test.salesforce.com (136.146.46.118) port 443 (#0)
* TLS disabled due to previous handshake failure
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* NSS error -12286
* Closing connection #0
* SSL connect error
curl: (35) SSL connect error




I am using IBM Java as follows; is this related?
[dsadm@manyatak209 ConnectionTest115]$ java -version
java version "1.7.0"
Java(TM) SE Runtime Environment (build pxa6470_27sr1-20140411_01(SR1))
IBM J9 VM (build 2.7, JRE 1.7.0 Linux amd64-64 Compressed References 20140410_195893 (JIT enabled, AOT enabled)
J9VM - R27_Java727_SR1_20140410_1931_B195893
JIT  - tr.r13.java_20140410_61421
GC   - R27_Java727_SR1_20140410_1931_B195893_CMPRSS
J9CL - 20140410_195893)
JCL - 20140409_01 based on Oracle 7u55-b13


 
pcon
Can you try again with an updated version of cURL?  7.19.7 is a fairly outdated version, and the --tlsv1.1 flag wasn't added until 7.34.0.
deepak_naik
Hi

Apologies for the delayed reply. I could not upgrade the curl version on that system as it was a shared system. But I tried the test on a different system (my original test) and I get the error
"(411)Length Required", as shown below:


[dsadm@hydqatemp2 ConnectionTest91]$ qZ
bash: qZ: command not found
[dsadm@hydqatemp2 ConnectionTest91]$ ./SFConnectionTest
on
CLASSPATH=/opt/IBM/InformationServer/ASBNode/lib/java/salesforce/salesforce15.jar:/opt/IBM/InformationServer/ASBNode/lib/java/ccapi.jar:/opt/IBM/InformationServer/ASBNode/eclipse/plugins/com.ibm.isf.client/com.ibm.ws.security.crypto.jar:/opt/IBM/InformationServer/ASBNode/eclipse/plugins/com.ibm.isf.client/com.ibm.ws.ejb.thinclient_7.0.0.jar:./salesforceUnitTest.jar
*************************************************
Connect to salesforce using the following data:
URL: https://tls1test.salesforce.com/services/Soap/u/32.0
User Name: deepnaik@ibm.com
AxisFault
 faultCode: {http://xml.apache.org/axis/}HTTP
 faultSubcode:
 faultString: (411)Length Required
 faultActor:
 faultNode:
 faultDetail:
        {}:return code:  411
&lt;!DOCTYPE HTML PUBLIC &quot;-//W3C//DTD HTML 4.01 Transitional//EN&quot; &quot;http://www.w3.org/TR/html4/loose.dtd&quot;&gt;
&lt;html xmlns=&quot;http://www.w3.org/1999/xhtml&quot;&gt;



Now this test is as per the link "https://help.salesforce.com/apex/HTViewSolution?id=000221207&language=en_US", where I have done the "compatibility of an API (inbound) integration to Salesforce?" test by connecting to "https://tls1test.salesforce.com/services/Soap/u/32.0".

As we are not getting the handshake error as before, does this mean that our application is compatible with either TLS 1.1 or TLS 1.2?

Regds,
Deepak
pcon
Yes, that should mean you are compatible.  The tls1test endpoint does not function the same as other endpoints.  So as long as you get past the handshake errors you should be good.
deepak_naik

Hi

Thanks a lot for your confirmation

Regds,

Deepak

pcon
Great! If you could please choose a "best answer" so that this question can be removed from the unresolved queue and so others may easily find the answer.
deepak_naik
Thanks, now we can confirm that our application is compatible with the TLS 1.0 disabling change
Sombir Singh
cURL version is 7.19.7; for more details see the attachment.



My current code to test against 'https://tls1test.salesforce.com/services/oauth2/token':

// Method body inside a class whose $this->salesForce* properties hold the
// login endpoint and the OAuth username-password credentials.
$this->salesForceUrl = 'https://tls1test.salesforce.com/services/oauth2/token';
$post_params = 'grant_type=password&client_id=' . $this->salesForceClientKey . '&client_secret=' . $this->salesForceClientSecret . '&username=' . $this->salesForceUsername . '&password=' . $this->salesForcePassword . $this->salesForceSecurityToken;
// Call the Salesforce login method (CURLOPT_POSTFIELDS makes this a POST)
$ch = curl_init($this->salesForceUrl);
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
// Disables certificate verification: the server's identity is not checked on this connection
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_POSTFIELDS, $post_params);
$res = curl_exec($ch);
print_r($res);
$jd = json_decode($res);
// curl_errno() must be given the handle, $ch; the original used $curl, which is undefined
echo 'curl_errno is : ' . curl_errno($ch);
print_r($jd);
print_r(curl_getinfo($ch));
curl_close($ch);

// A decoded error body (e.g. {"error":"invalid_grant"}) is also a non-null object,
// so test for the access_token rather than for any JSON at all
if (isset($jd->access_token)) {
    echo "\n" . date("D M d h:i:s Y") . ":  logged in to: " . $this->salesForceUrl;
    return true;
} else {
    echo "\n" . date("D M d h:i:s Y") . ":  Error trying login to: " . $this->salesForceUrl;
    return false;
}


Output: SSL connect error 35, and the http_code I am getting is 0 (zero).




After that I added one line to the curl code: curl_setopt($curl, CURLOPT_SSLVERSION, 6);

// Same method body as above, with the TLS version forced.
$this->salesForceUrl = 'https://tls1test.salesforce.com/services/oauth2/token';
$post_params = 'grant_type=password&client_id=' . $this->salesForceClientKey . '&client_secret=' . $this->salesForceClientSecret . '&username=' . $this->salesForceUsername . '&password=' . $this->salesForcePassword . $this->salesForceSecurityToken;
// Call the Salesforce login method (CURLOPT_POSTFIELDS makes this a POST)
$ch = curl_init($this->salesForceUrl);
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
// Disables certificate verification: the server's identity is not checked on this connection
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
// 6 is CURL_SSLVERSION_TLSv1_2: force TLS 1.2 for this handshake.
// The option has to be set on the handle $ch; the original called curl_setopt on $curl,
// an undefined variable, so the option was never applied there.
curl_setopt($ch, CURLOPT_SSLVERSION, 6);
curl_setopt($ch, CURLOPT_POSTFIELDS, $post_params);
$res = curl_exec($ch);
print_r($res);
$jd = json_decode($res);
echo 'curl_errno is : ' . curl_errno($ch); // the handle is $ch, not $curl
print_r($jd);
print_r(curl_getinfo($ch));
curl_close($ch);

// Test for the access_token: an error body such as {"error":"invalid_grant"} also decodes to a non-null object
if (isset($jd->access_token)) {
    echo "\n" . date("D M d h:i:s Y") . ":  logged in to: " . $this->salesForceUrl;
    return true;
} else {
    echo "\n" . date("D M d h:i:s Y") . ":  Error trying login to: " . $this->salesForceUrl;
    return false;
}



As per the link, if I am getting 400 Bad Request, it means my TLS connection has passed.
But as per my finding, for TLS 1.2 I need to upgrade the curl version to at least 7.34.0.

In the above test code I am getting 400 Bad Request without upgrading the curl version. Please let me know whether I still need to upgrade the curl version or it is not required when Salesforce deactivates TLS 1.0.

 
pcon
If you get a 400 against the TLS test endpoint, then that means your cURL settings are correct.  It should continue to work after the deactivation.  You can test this by creating a new developer instance and ensuring that the TLS patch is applied and running your code against an actual endpoint instead of just the test endpoint.