ServiceNow is continually updating the Java release versions used by our service to manage risk due to known exploits and vulnerabilities. Recently, Oracle began to deactivate functionality related to encryption ciphers and protocols with known exploits. As we roll out these updates in our environment, instances leveraging these combinations may be impacted. When an instance is impacted, you will experience SSL Handshake Exception errors as the protocol negotiation fails, resulting in connection timeouts and failures.
For more information, see the documentation available on the Oracle Java documentation site (for example, Diagnosing TLS, SSL, and HTTPS).
Steps to Reproduce
When an instance is impacted by this issue, the following error appears in the integration logs:
javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
This issue occurs when the remote endpoint that your ServiceNow instance is attempting to connect to meets one of the following conditions:
- The secure channel negotiation attempts SSLv3 and fails because SSLv3 is not accepted by the instance configuration
- The secure channel negotiation may be accepted at TLSv1.0, but an RC4, MD2, or other unsupported cipher is then rejected by the instance configuration
For example, one configuration that failed to work with the new Java security patch returned the results below. Note that the last line shows that only the RC4-SHA cipher is supported for the TLSv1 protocol. The sslscan tool used below can be found on GitHub at https://github.com/tetlowgm/sslscan. Similar utilities for Windows systems can also be found on GitHub.
$ ./sslscan my.ssl.url
Testing host: my.ssl.url:https
Server cipher order:
Accepted TLSv1.2 256 bits ECDHE-RSA-AES256-GCM-SHA384
Accepted TLSv1.2 256 bits DHE-RSA-AES256-GCM-SHA384
Accepted TLSv1.2 256 bits ADH-AES256-GCM-SHA384
Accepted TLSv1.2 256 bits AES256-GCM-SHA384
Accepted TLSv1.2 128 bits ECDHE-RSA-AES128-GCM-SHA256
Accepted TLSv1.2 128 bits DHE-RSA-AES128-GCM-SHA256
Accepted TLSv1.2 128 bits ADH-AES128-GCM-SHA256
Accepted TLSv1.2 128 bits AES128-GCM-SHA256
Accepted TLSv1.2 128 bits RC4-SHA
Accepted TLSv1.1 128 bits RC4-SHA
Accepted TLSv1 128 bits RC4-SHA
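The check described above can be automated. The following Python script is an added example, not part of the original article or any ServiceNow code: it parses the "Accepted" lines of sslscan output and flags every protocol whose only offered ciphers are ones the article names as rejected. The deny lists are assumptions taken from the article's text (SSLv3; RC4 and MD2), and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Assumption: deny lists hold only the protocol and ciphers this article names.
REJECTED_PROTOCOLS = {"SSLv3"}
REJECTED_CIPHER_TOKENS = {"RC4", "MD2"}
ACCEPTED_RE = re.compile(r"Accepted\s+(\S+)\s+(\d+)\s+bits\s+(\S+)")

# The "Accepted" lines of the sslscan output shown in the article.
SAMPLE = """
Accepted TLSv1.2 256 bits ECDHE-RSA-AES256-GCM-SHA384
Accepted TLSv1.2 256 bits DHE-RSA-AES256-GCM-SHA384
Accepted TLSv1.2 256 bits ADH-AES256-GCM-SHA384
Accepted TLSv1.2 256 bits AES256-GCM-SHA384
Accepted TLSv1.2 128 bits ECDHE-RSA-AES128-GCM-SHA256
Accepted TLSv1.2 128 bits DHE-RSA-AES128-GCM-SHA256
Accepted TLSv1.2 128 bits ADH-AES128-GCM-SHA256
Accepted TLSv1.2 128 bits AES128-GCM-SHA256
Accepted TLSv1.2 128 bits RC4-SHA
Accepted TLSv1.1 128 bits RC4-SHA
Accepted TLSv1 128 bits RC4-SHA
"""

def parse_accepted(text):
    """Return {protocol: [cipher, ...]}; works on line-per-entry or flattened output."""
    offered = defaultdict(list)
    for proto, _bits, cipher in ACCEPTED_RE.findall(text):
        offered[proto].append(cipher)
    return dict(offered)

def is_rejected(cipher):
    """True if any dash-separated part of the cipher name is on the deny list."""
    return any(tok in REJECTED_CIPHER_TOKENS for tok in cipher.split("-"))

def audit(offered):
    """Per protocol: split ciphers into usable/rejected and assign a status."""
    report = {}
    for proto, ciphers in offered.items():
        bad = [c for c in ciphers if is_rejected(c)]
        good = [c for c in ciphers if not is_rejected(c)]
        status = ("protocol rejected" if proto in REJECTED_PROTOCOLS
                  else "no usable cipher" if not good else "ok")
        report[proto] = {"status": status, "usable": good, "rejected": bad}
    return report

if __name__ == "__main__":
    for proto, r in audit(parse_accepted(SAMPLE)).items():
        print(f"{proto:8} {r['status']:18} rejected={r['rejected']}")
```

A status of "no usable cipher" marks a protocol version at which the endpoint offers nothing outside the deny list, which is the condition the article describes for TLSv1 in this scan.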
Update any secured endpoints that are accessed by your ServiceNow instance with encryption configurations that meet current industry best practices.
Related Problem: PRB655488