KB-1676 SSL error when validating a SQL Server data source on Windows Server 2003

Symptoms

When attempting to validate a SQL Server data source hosted on a Windows Server 2003 Operating System, the process will fail with the following error in the application server log:

com.appiancorp.rdbms.datasource.DataSourceValidationException: java.sql.SQLException: Cannot create PoolableConnectionFactory (The driver could not establish a secure connection to SQL Server by using Secure Sockets Layer (SSL) encryption. Error: "SQL Server did not return a response. The connection has been closed. ClientConnectionId:".)
...
Caused by: java.sql.SQLException: Cannot create PoolableConnectionFactory (The driver could not establish a secure connection to SQL Server by using Secure Sockets Layer (SSL) encryption. Error: "SQL Server did not return a response. The connection has been closed. ClientConnectionId:".)
...
Caused by: com.microsoft.sqlserver.jdbc.SQLServerException: The driver could not establish a secure connection to SQL Server by using Secure Sockets Layer (SSL) encryption. Error: "SQL Server did not return a response. The connection has been closed. ClientConnectionId:".
...
Caused by: java.io.IOException: SQL Server did not return a response. The connection has been closed. ClientConnectionId:

Cause

A recent Oracle JDK patch has added 3DES to the list of legacy algorithms. Given that Windows Server 2003 supports 3DES by default, this will cause calls to the data source to fail.

Action

Update the OS that hosts the data source to a Microsoft supported version.

Workaround

As per the Oracle JDK documentation, remove 3DES from the list of legacy algorithms on the server hosting the Appian application:

On JDK 8 and earlier, edit the <java-home>/lib/security/java.security file and remove 3DES_EDE_CBC from the jdk.tls.legacyAlgorithms security property.

For example, if the current value is:

    jdk.tls.legacyAlgorithms= \
        K_NULL, C_NULL, M_NULL, \
        DHE_DSS_EXPORT, DHE_RSA_EXPORT, DH_anon_EXPORT, DH_DSS_EXPORT, \
        DH_RSA_EXPORT, RSA_EXPORT, \
        DH_anon, ECDH_anon, \
        RC4_128, RC4_40, DES_CBC, DES40_CBC, \
        3DES_EDE_CBC

The new value after removing 3DES_EDE_CBC would be:

    jdk.tls.legacyAlgorithms= \
        K_NULL, C_NULL, M_NULL, \
        DHE_DSS_EXPORT, DHE_RSA_EXPORT, DH_anon_EXPORT, DH_DSS_EXPORT, \
        DH_RSA_EXPORT, RSA_EXPORT, \
        DH_anon, ECDH_anon, \
        RC4_128, RC4_40, DES_CBC, DES40_CBC

Note that this is a low-risk change. It is unlikely to cause a regression, since it only affects the order of the negotiated algorithms. Even when 3DES is on the legacy algorithm list, it is still used if no non-legacy algorithm is available.
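
To confirm which state a given java.security file is in, for instance to track which hosts carry this workaround, the property can be read with its backslash continuations joined. The Python script below is an added example, not Appian or Oracle code; the sample text, function names and status strings are constructed for illustration.

```python
PROP = "jdk.tls.legacyAlgorithms"

# Constructed sample: the "current value" shown in this article, preceded by a
# commented-out copy of the property that must be ignored.
SAMPLE = """\
# jdk.tls.legacyAlgorithms=RC4_128
jdk.tls.legacyAlgorithms= \\
    K_NULL, C_NULL, M_NULL, \\
    DHE_DSS_EXPORT, DHE_RSA_EXPORT, DH_anon_EXPORT, DH_DSS_EXPORT, \\
    DH_RSA_EXPORT, RSA_EXPORT, \\
    DH_anon, ECDH_anon, \\
    RC4_128, RC4_40, DES_CBC, DES40_CBC, \\
    3DES_EDE_CBC
"""

def logical_lines(text):
    """Join backslash-continued lines the way Java properties files are read."""
    buf = None
    for raw in text.splitlines():
        line = raw.lstrip()              # leading whitespace is not significant
        if buf is None:
            if not line or line[0] in "#!":
                continue                 # blank or comment line between entries
            buf = ""
        trailing = len(line) - len(line.rstrip("\\"))
        if trailing % 2 == 1:            # odd count: the last backslash continues
            buf += line[:-1]
        else:
            yield buf + line
            buf = None
    if buf is not None:
        yield buf                        # file ended on a continuation

def legacy_algorithms(text):
    """Return the effective algorithm list, or None if the property is not set."""
    value = None
    for line in logical_lines(text):
        key, sep, val = line.partition("=")
        if sep and key.strip() == PROP:
            value = val                  # a later definition overrides an earlier one
    if value is None:
        return None
    return [a.strip() for a in value.split(",") if a.strip()]

def tdes_status(text):
    """Classify a java.security file's contents with respect to this workaround."""
    algos = legacy_algorithms(text)
    if algos is None:
        return "property-not-set"
    return "3des-legacy" if "3DES_EDE_CBC" in algos else "workaround-applied"

if __name__ == "__main__":
    print(tdes_status(SAMPLE), legacy_algorithms(SAMPLE))
```

To check a real installation, pass the contents of <java-home>/lib/security/java.security to tdes_status() instead of SAMPLE.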

Affected Versions

This article applies to all versions of Appian using a SQL Server data source hosted on a Windows Server 2003 Operating System.

Last Reviewed: August 2018
