I am seeing an SSL handshake failure in my logs. What would cause an SSL handshake to fail?
There are three reasons an SSL handshake could fail:
1. Certificates - As a client, MFT may not be presenting the certificate that the server is requesting. In this case, you need to request the desired certificate from the server side and present that certificate in future requests.
As a server, MFT may not trust the certificate being presented by the client. If this certificate is not signed by a CA, it will need to be imported into the Key Management System or into the File Based Keys' Trusted Key Store. To import a certificate, navigate to Encryption --> Key Management System, select the desired Key Vault, click 'Import', and import the key from your file system.
To import a certificate into the KMS –
To import into a File Based Keys Trusted Key Store –
2. TLS Version Incompatibilities - The client and server must agree on the TLS version they will use for the connection. If the two sides do not have any TLS version in common, the connection fails.
If you are connecting to a server using a Resource, specify the necessary SSL Context Protocol in your Resource configuration. This setting is usually found on the 'SSL' tab.
If you want to configure your MFT Service to use a specific SSL protocol, specify the desired protocol(s) on the SSL tab of your listener. Save and restart the Service after making this configuration change.
3. SSL Cipher Suite Incompatibilities - If the client and server do not present compatible cipher suites, the handshake fails. The two sides must have at least one cipher suite in common for a successful connection.
In an SSL handshake, the client first presents all of the cipher suites it supports. MFT Resources present the cipher suites provided by the JVM to the server. From the list the client presented, the server selects the cipher suite to use for the connection.
To change the cipher suites presented by the MFT Service, specify the desired cipher suites in your Service listener. If you do not want to use the default JVM cipher suites, move the ones you want to the 'Selected' column. Save and restart the Service after making this configuration change.
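The following Python script is an added example (not part of this answer and not MFT code) that reproduces the negotiation steps behind reasons 2 and 3 offline: the server first picks the newest protocol version both sides allow, then walks its own cipher-suite preference list and takes the first suite the client also offered. The scenario names, the constructed cipher lists and the simplified rule that TLS 1.3 suites are only usable when TLS 1.3 was negotiated are assumptions of this example; real TLS stacks apply further checks (for instance, whether the server certificate suits the chosen suite). `local_default_ciphers()` uses the real `ssl` module to list what the local OpenSSL build offers by default, the counterpart of the JVM-provided list an MFT Resource presents.

```python
"""Simplified TLS version and cipher-suite negotiation (added example, not MFT code)."""
import ssl
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Protocol versions from oldest to newest; the server prefers the newest common one.
TLS_ORDER = ["TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]

# TLS 1.3 defines its own cipher suites. They cannot be used with TLS 1.2 and below,
# and the classic ECDHE-RSA-... suites cannot be used once TLS 1.3 is negotiated.
TLS13_SUITES = {
    "TLS_AES_256_GCM_SHA384",
    "TLS_CHACHA20_POLY1305_SHA256",
    "TLS_AES_128_GCM_SHA256",
}


@dataclass
class Outcome:
    ok: bool
    reason: str
    version: Optional[str] = None
    cipher: Optional[str] = None


def negotiate(client_versions: Iterable[str], client_ciphers: Iterable[str],
              server_versions: Iterable[str], server_ciphers: Iterable[str]) -> Outcome:
    """Outcome of a simplified handshake.

    client_ciphers is the ClientHello list; server_ciphers is the server's
    configured list in the server's preference order.
    """
    client_versions, server_versions = set(client_versions), set(server_versions)
    for v in client_versions | server_versions:
        if v not in TLS_ORDER:
            raise ValueError("unknown TLS version: %s" % v)

    # Step 1 (reason 2 above): highest protocol version both sides allow.
    common = [v for v in TLS_ORDER if v in client_versions and v in server_versions]
    if not common:
        return Outcome(False, "no common TLS version: client offers %s, server accepts %s" % (
            sorted(client_versions, key=TLS_ORDER.index),
            sorted(server_versions, key=TLS_ORDER.index)))
    version = common[-1]

    # Step 2 (reason 3 above): the server walks its own preference list and picks
    # the first suite the client also offered that fits the negotiated version.
    offered = set(client_ciphers)
    for suite in server_ciphers:
        fits_version = (suite in TLS13_SUITES) == (version == "TLSv1.3")
        if fits_version and suite in offered:
            return Outcome(True, "handshake succeeds", version, suite)
    return Outcome(False, "no common cipher suite for %s" % version)


def local_default_ciphers() -> List[str]:
    """Cipher suites this Python/OpenSSL build offers by default (real ssl call)."""
    return [c["name"] for c in ssl.create_default_context().get_ciphers()]


# Constructed scenarios (hypothetical configurations, not taken from any real system).
LEGACY_CLIENT = {"TLSv1", "TLSv1.1"}
MODERN_SERVER = {"TLSv1.2", "TLSv1.3"}
CBC_ONLY = ["ECDHE-RSA-AES256-SHA", "AES256-SHA"]
GCM_ONLY = ["ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-RSA-AES128-GCM-SHA256"]


def scenario_version_mismatch() -> Outcome:
    """Old client that only speaks TLS 1.0/1.1 against a TLS 1.2+ server."""
    return negotiate(LEGACY_CLIENT, CBC_ONLY, MODERN_SERVER, GCM_ONLY)


def scenario_cipher_mismatch() -> Outcome:
    """Versions agree on TLS 1.2, but the client offers only CBC suites."""
    return negotiate({"TLSv1.2"}, CBC_ONLY, MODERN_SERVER, GCM_ONLY)


def scenario_fixed() -> Outcome:
    """Same client after one GCM suite is added to its 'Selected' list."""
    return negotiate({"TLSv1.2"}, CBC_ONLY + ["ECDHE-RSA-AES256-GCM-SHA384"],
                     MODERN_SERVER, GCM_ONLY)


def scenario_tls13() -> Outcome:
    """Both sides allow TLS 1.3, so only the TLS 1.3 suites decide the outcome."""
    return negotiate(MODERN_SERVER, sorted(TLS13_SUITES) + GCM_ONLY,
                     MODERN_SERVER, ["TLS_AES_256_GCM_SHA384"] + GCM_ONLY)


if __name__ == "__main__":
    for name, fn in [("version mismatch", scenario_version_mismatch),
                     ("cipher mismatch", scenario_cipher_mismatch),
                     ("fixed", scenario_fixed), ("tls1.3", scenario_tls13)]:
        print("%-17s %s" % (name + ":", fn()))
    print("local default suites:", len(local_default_ciphers()))
```

Running the script prints the four outcomes; the first two fail at step 1 and step 2 respectively, which is the distinction to make when reading an MFT handshake error: a version mismatch is fixed on the SSL tab's protocol setting, a cipher mismatch in the listener's cipher-suite selection.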