Description

ServiceNow is continually updating the Java release versions used by our service to manage risk due to known exploits and vulnerabilities. Recently, Oracle began to deactivate functionality related to encryption ciphers and protocols with known exploits. As we roll out these updates in our environment, instances leveraging these combinations may be impacted. When an instance is impacted, you will experience SSL Handshake Exception errors as the protocol negotiation fails, resulting in connection timeouts and failures.

For more information, see the documentation available on the Oracle Java documentation site (for example, Diagnosing TLS, SSL, and HTTPS).

Steps to Reproduce

When an instance is impacted by this issue, the following error appears in the integration logs:

javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure

This issue occurs when the remote endpoint to which your ServiceNow instance is attempting to connect meets one of the following conditions:

  • The secure channel negotiation attempts SSLv3 and fails because SSLv3 is not accepted by the instance configuration
  • TLSv1.0 may be accepted, but the negotiation uses an RC4, MD2, or other unsupported cipher, which is rejected by the instance configuration

For example, one configuration that failed to work with the new Java security patch returned the results below. Note that the last line shows that only the RC4-SHA cipher is supported for the TLSv1 protocol. The sslscan tool used below can be found on GitHub at https://github.com/tetlowgm/sslscan. Similar utilities for Windows systems can also be found on GitHub.

$ ./sslscan my.ssl.url
Testing host: my.ssl.url:https 
Server cipher order: 
Accepted TLSv1.2 256 bits ECDHE-RSA-AES256-GCM-SHA384 
Accepted TLSv1.2 256 bits DHE-RSA-AES256-GCM-SHA384 
Accepted TLSv1.2 256 bits ADH-AES256-GCM-SHA384 
Accepted TLSv1.2 256 bits AES256-GCM-SHA384 
Accepted TLSv1.2 128 bits ECDHE-RSA-AES128-GCM-SHA256 
Accepted TLSv1.2 128 bits DHE-RSA-AES128-GCM-SHA256 
Accepted TLSv1.2 128 bits ADH-AES128-GCM-SHA256 
Accepted TLSv1.2 128 bits AES128-GCM-SHA256 
Accepted TLSv1.2 128 bits RC4-SHA 
Accepted TLSv1.1 128 bits RC4-SHA 
Accepted TLSv1 128 bits RC4-SHA
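
The following added example (not part of the original article or of ServiceNow's tooling) parses sslscan "Accepted" lines like those above and reports, per protocol version, which ciphers remain once rejected ones are filtered out. The deny-list and the function names are assumptions built from the article's wording; the authoritative list is the Java security configuration of the connecting client.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the sslscan output shown above.
SAMPLE = """\
Accepted TLSv1.2 256 bits ECDHE-RSA-AES256-GCM-SHA384
Accepted TLSv1.2 128 bits AES128-GCM-SHA256
Accepted TLSv1.2 128 bits RC4-SHA
Accepted TLSv1.1 128 bits RC4-SHA
Accepted TLSv1 128 bits RC4-SHA
"""

# Assumption: deny-list taken from the article's wording (SSLv3, RC4, MD2).
REJECTED_PROTOCOLS = {"SSLv3"}
REJECTED_CIPHER_TOKENS = {"RC4", "MD2"}

LINE = re.compile(r"^\s*Accepted\s+(\S+)\s+(\d+)\s+bits\s+(\S+)\s*$")

def parse_sslscan(text):
    """Return {protocol: [cipher, ...]} for every 'Accepted' line."""
    offered = defaultdict(list)
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            offered[m.group(1)].append(m.group(3))
    return dict(offered)

def usable(protocol, cipher):
    """True if neither the protocol nor any cipher component is rejected."""
    if protocol in REJECTED_PROTOCOLS:
        return False
    return not (set(cipher.split("-")) & REJECTED_CIPHER_TOKENS)

def assess(text):
    """Map each offered protocol to the ciphers a hardened client can still use."""
    return {proto: [c for c in ciphers if usable(proto, c)]
            for proto, ciphers in parse_sslscan(text).items()}

def dead_protocols(text):
    """Protocols on which every offered cipher is rejected (no common cipher)."""
    return sorted(p for p, ok in assess(text).items() if not ok)

if __name__ == "__main__":
    for proto, ok in assess(SAMPLE).items():
        print(f"{proto:8} usable: {', '.join(ok) or 'NONE (handshake will fail)'}")
    print("No usable cipher on:", ", ".join(dead_protocols(SAMPLE)) or "none")
```

A protocol listed by `dead_protocols` is one where a client that negotiates that version and rejects those ciphers has nothing in common with the endpoint, which is the condition behind the handshake_failure alert described above.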

Workaround

Update any secured endpoints that are accessed by your ServiceNow instance with encryption configurations that meet current industry best practices. 


Related Problem: PRB655488

Seen In

Eureka Patch 11 Hot Fix 2
Eureka Patch 12
Fuji Patch 10
Fuji Patch 8
Geneva Patch 5
Geneva Patch 7

Article Information

Last Updated: 2017-11-29 13:46:13
Published: 2017-09-25