Karthik.Ageer
Joined: Jul 4, 2017
Messages: 11
I have put the TSAPI.PRO file in the classpath of my application and updated the file with the truststore details, but when I attempt to connect to AES I get the error "The TLS connection was closed because a network-level error occured during the SSL handshake; java.net.SocketException: Connection reset.TsapiPlatformException". Any suggestions as to what the issue could be?
MartinFlynn
Joined: Nov 30, 2009
Messages: 1922
Two paths of investigation that I would suggest are:

1. Check the CA certificate in your truststore to make sure it is correct, valid and not expired.
2. Use Wireshark to see the certificates being sent by AE Services. Make sure the CA cert being sent matches the cert in your truststore.

Martin
Karthik.Ageer
Joined: Jul 4, 2017
Messages: 11
I have already verified that the valid CA certificate is imported to my truststore. I have access to the client only through a PuTTY terminal, and I am not sure how to use Wireshark from it. We are using certificates generated from System Manager on both AES and client.
MartinFlynn
Joined: Nov 30, 2009
Messages: 1922
You will probably need to use tethereal, tcpdump or similar to generate a pcap file on the client machine. Then copy it to your own PC so that you can open it with Wireshark.

Martin
Karthik.Ageer
Joined: Jul 4, 2017
Messages: 11
I have pasted the output of tcpdump here. Please let me know if I am using the right command and whether the output looks OK.

[root@lab0540 bin]# tcpdump -i eth0 -v host aes7.engcti.com
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
01:55:34.804475 IP (tos 0x0, ttl 64, id 45957, offset 0, flags [DF], proto TCP (6), length 60)
lab0540.39866 > 10.61.1.53.tserver: Flags [S], cksum 0x371e (correct), seq 657722053, win 65535, options [mss 1460,sackOK,TS val 2606479680 ecr 0,nop,wscale 13], length 0
01:55:34.805301 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto TCP (6), length 52)
10.61.1.53.tserver > lab0540.39866: Flags [S.], cksum 0xc8be (correct), seq 1353656130, ack 657722054, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
01:55:34.805323 IP (tos 0x0, ttl 64, id 45958, offset 0, flags [DF], proto TCP (6), length 40)
lab0540.39866 > 10.61.1.53.tserver: Flags [.], cksum 0x7b41 (correct), ack 1, win 96, length 0
01:55:34.805885 IP (tos 0x0, ttl 64, id 45959, offset 0, flags [DF], proto TCP (6), length 67)
lab0540.39866 > 10.61.1.53.tserver: Flags [P.], cksum 0xecff (incorrect -> 0x181a), seq 1:28, ack 1, win 96, length 27
01:55:34.806277 IP (tos 0x0, ttl 63, id 3760, offset 0, flags [DF], proto TCP (6), length 40)
10.61.1.53.tserver > lab0540.39866: Flags [.], cksum 0x7aa1 (correct), ack 28, win 229, length 0
01:55:34.862942 IP (tos 0x0, ttl 63, id 3761, offset 0, flags [DF], proto TCP (6), length 153)
10.61.1.53.tserver > lab0540.39866: Flags [P.], cksum 0xcc31 (correct), seq 1:114, ack 28, win 229, length 113
01:55:34.863003 IP (tos 0x0, ttl 64, id 45960, offset 0, flags [DF], proto TCP (6), length 40)
lab0540.39866 > 10.61.1.53.tserver: Flags [.], cksum 0x7ab5 (correct), ack 114, win 96, length 0
01:55:34.863391 IP (tos 0x0, ttl 64, id 45961, offset 0, flags [DF], proto TCP (6), length 66)
lab0540.39866 > 10.61.1.53.tserver: Flags [P.], cksum 0xecfe (incorrect -> 0x2391), seq 28:54, ack 114, win 96, length 26
01:55:34.863617 IP (tos 0x0, ttl 63, id 3762, offset 0, flags [DF], proto TCP (6), length 40)
10.61.1.53.tserver > lab0540.39866: Flags [.], cksum 0x7a16 (correct), ack 54, win 229, length 0
01:55:34.863669 IP (tos 0x0, ttl 64, id 45962, offset 0, flags [DF], proto TCP (6), length 40)
lab0540.39866 > 10.61.1.53.tserver: Flags [F.], cksum 0x7a9a (correct), seq 54, ack 114, win 96, length 0
01:55:34.864207 IP (tos 0x0, ttl 64, id 53218, offset 0, flags [DF], proto TCP (6), length 60)
lab0540.59994 > 10.61.1.53.fpo-fns: Flags [S], cksum 0x6e6a (correct), seq 852129438, win 65535, options [mss 1460,sackOK,TS val 2606479740 ecr 0,nop,wscale 13], length 0
01:55:34.864426 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto TCP (6), length 52)
10.61.1.53.fpo-fns > lab0540.59994: Flags [S.], cksum 0x73c1 (correct), seq 966052578, ack 852129439, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
01:55:34.864457 IP (tos 0x0, ttl 64, id 53219, offset 0, flags [DF], proto TCP (6), length 40)
lab0540.59994 > 10.61.1.53.fpo-fns: Flags [.], cksum 0x2644 (correct), ack 1, win 96, length 0
01:55:34.865470 IP (tos 0x0, ttl 63, id 3763, offset 0, flags [DF], proto TCP (6), length 40)
10.61.1.53.tserver > lab0540.39866: Flags [F.], cksum 0x7a14 (correct), seq 114, ack 55, win 229, length 0
01:55:34.865499 IP (tos 0x0, ttl 64, id 45963, offset 0, flags [DF], proto TCP (6), length 40)
lab0540.39866 > 10.61.1.53.tserver: Flags [.], cksum 0x7a99 (correct), ack 115, win 96, length 0
01:55:34.869574 IP (tos 0x0, ttl 64, id 53220, offset 0, flags [DF], proto TCP (6), length 101)
lab0540.59994 > 10.61.1.53.fpo-fns: Flags [P.], cksum 0xed21 (incorrect -> 0x6383), seq 1:62, ack 1, win 96, length 61
01:55:34.869819 IP (tos 0x0, ttl 63, id 57549, offset 0, flags [DF], proto TCP (6), length 40)
10.61.1.53.fpo-fns > lab0540.59994: Flags [.], cksum 0x2582 (correct), ack 62, win 229, length 0
01:55:34.869996 IP (tos 0x0, ttl 63, id 57550, offset 0, flags [DF], proto TCP (6), length 40)
10.61.1.53.fpo-fns > lab0540.59994: Flags [R.], cksum 0x257e (correct), seq 1, ack 62, win 229, length 0
01:55:34.899070 IP (tos 0x0, ttl 64, id 41795, offset 0, flags [DF], proto TCP (6), length 60)
lab0540.39870 > 10.61.1.53.tserver: Flags [S], cksum 0x01fb (correct), seq 1272781532, win 65535, options [mss 1460,sackOK,TS val 2606479775 ecr 0,nop,wscale 13], length 0
01:55:34.899608 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto TCP (6), length 52)
10.61.1.53.tserver > lab0540.39870: Flags [S.], cksum 0xbff2 (correct), seq 953291559, ack 1272781533, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
01:55:34.899630 IP (tos 0x0, ttl 64, id 41796, offset 0, flags [DF], proto TCP (6), length 40)
lab0540.39870 > 10.61.1.53.tserver: Flags [.], cksum 0x7275 (correct), ack 1, win 96, length 0
01:55:34.900131 IP (tos 0x0, ttl 64, id 41797, offset 0, flags [DF], proto TCP (6), length 67)
lab0540.39870 > 10.61.1.53.tserver: Flags [P.], cksum 0xecff (incorrect -> 0x0f4e), seq 1:28, ack 1, win 96, length 27
01:55:34.900425 IP (tos 0x0, ttl 63, id 14713, offset 0, flags [DF], proto TCP (6), length 40)
10.61.1.53.tserver > lab0540.39870: Flags [.], cksum 0x71d5 (correct), ack 28, win 229, length 0
01:55:34.968394 IP (tos 0x0, ttl 63, id 14714, offset 0, flags [DF], proto TCP (6), length 153)
10.61.1.53.tserver > lab0540.39870: Flags [P.], cksum 0xc365 (correct), seq 1:114, ack 28, win 229, length 113
01:55:34.968463 IP (tos 0x0, ttl 64, id 41798, offset 0, flags [DF], proto TCP (6), length 40)
lab0540.39870 > 10.61.1.53.tserver: Flags [.], cksum 0x71e9 (correct), ack 114, win 96, length 0
01:55:34.968881 IP (tos 0x0, ttl 64, id 41799, offset 0, flags [DF], proto TCP (6), length 66)
lab0540.39870 > 10.61.1.53.tserver: Flags [P.], cksum 0xecfe (incorrect -> 0x1ac5), seq 28:54, ack 114, win 96, length 26
01:55:34.968989 IP (tos 0x0, ttl 64, id 41800, offset 0, flags [DF], proto TCP (6), length 40)
lab0540.39870 > 10.61.1.53.tserver: Flags [F.], cksum 0x71ce (correct), seq 54, ack 114, win 96, length 0
01:55:34.969586 IP (tos 0x0, ttl 63, id 14715, offset 0, flags [DF], proto TCP (6), length 40)
10.61.1.53.tserver > lab0540.39870: Flags [.], cksum 0x714a (correct), ack 54, win 229, length 0
01:55:34.969988 IP (tos 0x0, ttl 63, id 14716, offset 0, flags [DF], proto TCP (6), length 40)
10.61.1.53.tserver > lab0540.39870: Flags [F.], cksum 0x7148 (correct), seq 114, ack 55, win 229, length 0
01:55:34.970003 IP (tos 0x0, ttl 64, id 41801, offset 0, flags [DF], proto TCP (6), length 40)
lab0540.39870 > 10.61.1.53.tserver: Flags [.], cksum 0x71cd (correct), ack 115, win 96, length 0
01:55:34.971046 IP (tos 0x0, ttl 64, id 4657, offset 0, flags [DF], proto TCP (6), length 60)
lab0540.59998 > 10.61.1.53.fpo-fns: Flags [S], cksum 0xc4b7 (correct), seq 2799021014, win 65535, options [mss 1460,sackOK,TS val 2606479847 ecr 0,nop,wscale 13], length 0
01:55:34.971309 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto TCP (6), length 52)
10.61.1.53.fpo-fns > lab0540.59998: Flags [S.], cksum 0x004b (correct), seq 82758071, ack 2799021015, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
01:55:34.971326 IP (tos 0x0, ttl 64, id 4658, offset 0, flags [DF], proto TCP (6), length 40)
lab0540.59998 > 10.61.1.53.fpo-fns: Flags [.], cksum 0xb2cd (correct), ack 1, win 96, length 0
01:55:34.973591 IP (tos 0x0, ttl 64, id 4659, offset 0, flags [DF], proto TCP (6), length 101)
lab0540.59998 > 10.61.1.53.fpo-fns: Flags [P.], cksum 0xed21 (incorrect -> 0xdbd1), seq 1:62, ack 1, win 96, length 61
01:55:34.973848 IP (tos 0x0, ttl 63, id 58144, offset 0, flags [DF], proto TCP (6), length 40)
10.61.1.53.fpo-fns > lab0540.59998: Flags [.], cksum 0xb20b (correct), ack 62, win 229, length 0
01:55:34.973961 IP (tos 0x0, ttl 63, id 58145, offset 0, flags [DF], proto TCP (6), length 40)
10.61.1.53.fpo-fns > lab0540.59998: Flags [R.], cksum 0xb207 (correct), seq 1, ack 62, win 229, length 0
01:55:42.517042 IP (tos 0x0, ttl 63, id 54797, offset 0, flags [DF], proto TCP (6), length 66)
10.61.1.53.cma > lab0540.45654: Flags [P.], cksum 0x1f17 (correct), seq 1065397843:1065397869, ack 2288981294, win 237, length 26
01:55:42.517158 IP (tos 0x0, ttl 64, id 59406, offset 0, flags [DF], proto TCP (6), length 40)
lab0540.45654 > 10.61.1.53.cma: Flags [.], cksum 0x80ae (correct), ack 26, win 96, length 0
MartinFlynn
Joined: Nov 30, 2009
Messages: 1922
I'm not very familiar with using tcpdump. I think there should be an option to write the output to a file. There may also be options controlling how much data to generate.

Martin
Karthik.Ageer
Joined: Jul 4, 2017
Messages: 11
I have run tcpdump and captured the output in the attached file. I was able to open it in Wireshark, but I am unable to find why I am receiving the error. Can you please check and let me know your suggestions?
Attachment: capture.pcap
MartinFlynn
Joined: Nov 30, 2009
Messages: 1922
That is not a service that we can provide on a free forum. If you are a paid member, you can open a technical support ticket and one of my colleagues will take a look.

Martin
MartinFlynn
Joined: Nov 30, 2009
Messages: 1922
I had a quick look and I see that the Client Hello message coming from the client is offering to use TLS 1.0. This version of TLS has been obsolete for some time as it is not secure. By default, any recent version of AE Services will reject this, as yours is doing.

I do not know what controls the version of TLS being offered by the client. It may be any one of:
o The version of JTAPI you are using
o The version of Java on the client
o The OS on the client
o Some configuration on the client

In any case, you will need to sort this out. Everyone should be using TLS1.2 by now.

As a SHORT TERM WORKAROUND, you should be able to configure AE Services to accept TLS 1.0. Only do this in a lab (not production) or else you may as well use an unsecured connection:

On the AE Services web interface, use the Networking->Ports menu. Tick the box beside "Support TLSv1.0 Protocol". Then click "Apply Changes" and follow the instructions. This should allow you to get (at least a bit) further in testing.

Martin
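The check described in the post above (reading which TLS version the client's Client Hello offers) can be done on the raw bytes of the first client payload in a capture. This is an added example, not part of the original thread or of any Avaya tooling: the function names are hypothetical, the sample Client Hello bytes are constructed, and the TLS 1.2 floor is taken from the post's recommendation.

```python
import struct

# Wire values of the protocol versions a ClientHello can name.
VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
            0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}

def offered_version(payload: bytes) -> dict:
    """Report the highest version offered in a ClientHello (first client TCP payload)."""
    if len(payload) < 9 or payload[0] != 0x16 or payload[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    rec_len = struct.unpack_from("!H", payload, 3)[0]
    body = payload[9:5 + rec_len]            # skip 5-byte record + 4-byte handshake header
    try:
        client_ver = struct.unpack_from("!H", body, 0)[0]
        pos = 2 + 32                          # client_version + random
        pos += 1 + body[pos]                  # session_id
        pos += 2 + struct.unpack_from("!H", body, pos)[0]   # cipher_suites
        pos += 1 + body[pos]                  # compression_methods
        offered = [client_ver]
        if pos + 2 <= len(body):              # the extensions block is optional
            end = pos + 2 + struct.unpack_from("!H", body, pos)[0]
            pos += 2
            while pos + 4 <= end:
                ext_type, ext_len = struct.unpack_from("!HH", body, pos)
                data = body[pos + 4:pos + 4 + ext_len]
                if ext_type == 43:            # supported_versions (sent by TLS 1.3 clients)
                    offered += [struct.unpack_from("!H", data, i)[0]
                                for i in range(1, 1 + data[0], 2)]
                pos += 4 + ext_len
    except (IndexError, struct.error):
        raise ValueError("truncated ClientHello") from None
    highest = max(v for v in offered if v in VERSIONS)   # unknown (GREASE) values ignored
    return {"highest_offered": VERSIONS[highest], "meets_tls12": highest >= 0x0303}

def sample_client_hello(client_ver: int, supported=()) -> bytes:
    """Constructed sample input: a minimal ClientHello with one cipher suite."""
    body = (struct.pack("!H", client_ver) + bytes(32) + b"\x00"
            + b"\x00\x02\x00\x2f" + b"\x01\x00")
    if supported:
        lst = b"".join(struct.pack("!H", v) for v in supported)
        ext = struct.pack("!HHB", 43, len(lst) + 1, len(lst)) + lst
        body += struct.pack("!H", len(ext)) + ext
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

if __name__ == "__main__":
    print(offered_version(sample_client_hello(0x0301)))   # a TLS 1.0-only client
```

The record-layer version (bytes 1-2) is deliberately not used for the verdict, because many TLS 1.2 and 1.3 clients still put 0x0301 there for compatibility.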

Karthik.Ageer
Joined: Jul 4, 2017
Messages: 11
Thanks a lot Martin, after enabling TLS1.0 in our AES it started working.