Environment
Verastream Host Integrator 7.7 Service Pack 1 (7.7.1031)
Situation
After installing Verastream Host Integrator (VHI) 7.7 Service Pack 1, JDBC connections to a Microsoft SQL Server continue to work successfully in VHI event handler code when tested in the VHI Design Tool, but fail when the model is deployed to the VHI server. This exception is seen in error handler console output:
com.microsoft.sqlserver.jdbc.SQLServerException: The driver could not establish a secure connection to SQL Server by using Secure Sockets Layer (SSL) encryption. Error: "protocol_version(70)". ClientConnectionId:33d8d71d-b0e9-4be4-84d8-bd3b237111a0
at com.microsoft.sqlserver.jdbc.SQLServerConnection.terminate(SQLServerConnection.java:2670)
at com.microsoft.sqlserver.jdbc.TDSChannel.enableSSL(IOBuffer.java:1837)
at com.microsoft.sqlserver.jdbc.SQLServerConnection.connectHelper(SQLServerConnection.java:2257)
at com.microsoft.sqlserver.jdbc.SQLServerConnection.login(SQLServerConnection.java:1921)
at com.microsoft.sqlserver.jdbc.SQLServerConnection.connectInternal(SQLServerConnection.java:1762)
at com.microsoft.sqlserver.jdbc.SQLServerConnection.connect(SQLServerConnection.java:1077)
at com.microsoft.sqlserver.jdbc.SQLServerDriver.connect(SQLServerDriver.java:623)
at LcCheckStatus.clientSessionCreated(LcCheckStatus.java:170)
at com.wrq.vhi.script.engine.events.ClientSessionCreatedEventImpl.fireEvent(ClientSessionCreatedEventImpl.java:78)
at com.wrq.vhi.script.engine.SessionProxy.performScriptUpcall(SessionProxy.java:483)
at com.wrq.vhi.script.engine.SessionProxy.runQueuedTasks(SessionProxy.java:133)
at com.wrq.vhi.script.engine.dispatch.SessionWorker.run(SessionWorker.java:130)
Caused by: org.bouncycastle.tls.TlsFatalAlert: protocol_version(70)
at org.bouncycastle.jsse.provider.ProvTlsClient.notifyServerVersion(Unknown Source)
at org.bouncycastle.tls.TlsClientProtocol.receiveServerHelloMessage(Unknown Source)
at org.bouncycastle.tls.TlsClientProtocol.handleHandshakeMessage(Unknown Source)
at org.bouncycastle.tls.TlsProtocol.processHandshakeQueue(Unknown Source)
at org.bouncycastle.tls.TlsProtocol.processRecord(Unknown Source)
at org.bouncycastle.tls.RecordStream.readRecord(Unknown Source)
at org.bouncycastle.tls.TlsProtocol.safeReadRecord(Unknown Source)
at org.bouncycastle.tls.TlsProtocol.blockForHandshake(Unknown Source)
at org.bouncycastle.tls.TlsClientProtocol.connect(Unknown Source)
at org.bouncycastle.jsse.provider.ProvSSLSocketWrap.startHandshake(Unknown Source)
at com.microsoft.sqlserver.jdbc.TDSChannel.enableSSL(IOBuffer.java:1767)
... 10 more
Resolution
Download and install a TLS 1.2 hotfix to update the version of Microsoft SQL Server you are using: https://support.microsoft.com/en-ca/help/3135244/tls-1-2-support-for-microsoft-sql-server
Cause
Older versions of Microsoft SQL Server need to have a hotfix applied in order to be compatible with the new Bouncy Castle security implementation introduced in VHI 7.7 Service Pack 1. TLS 1.2 JDBC connections to SQL Server that were successful using the original VHI 7.7 release result in the exception noted above for models deployed to the VHI server once Service Pack 1 is applied. When tested in the Design Tool, these JDBC event handler connections to SQL Server continue to succeed because, in VHI 7.7 Service Pack 1, Bouncy Castle security was implemented only for the VHI server, not for the Design Tool.
On Windows 7 clients and Windows Server 2008 R2 servers, additional registry settings are required to enable TLS 1.2 for SQL Server communication. For more information, see: https://support.microsoft.com/en-ca/help/3135244/tls-1-2-support-for-microsoft-sql-server
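A triage helper for the trace shown in the Situation section, added here as an example and not part of the original article or of VHI: it walks the exception chain, pulls the TLS alert out of the root cause, and names the JSSE provider whose frames appear, which is what separates the VHI server (Bouncy Castle) from the Design Tool. The sample trace is abbreviated from the one above; the function name, dictionary keys and library-prefix list are assumptions made for this example.

```python
import re

# Constructed sample: abbreviated from the trace in the Situation section.
SAMPLE_TRACE = """\
com.microsoft.sqlserver.jdbc.SQLServerException: The driver could not establish a secure connection to SQL Server by using Secure Sockets Layer (SSL) encryption. Error: "protocol_version(70)".
at com.microsoft.sqlserver.jdbc.TDSChannel.enableSSL(IOBuffer.java:1837)
at com.microsoft.sqlserver.jdbc.SQLServerDriver.connect(SQLServerDriver.java:623)
at LcCheckStatus.clientSessionCreated(LcCheckStatus.java:170)
at com.wrq.vhi.script.engine.dispatch.SessionWorker.run(SessionWorker.java:130)
Caused by: org.bouncycastle.tls.TlsFatalAlert: protocol_version(70)
at org.bouncycastle.jsse.provider.ProvTlsClient.notifyServerVersion(Unknown Source)
at org.bouncycastle.tls.TlsClientProtocol.receiveServerHelloMessage(Unknown Source)
at org.bouncycastle.jsse.provider.ProvSSLSocketWrap.startHandshake(Unknown Source)
... 10 more
"""

EXC_RE = re.compile(r"^(?:Caused by: )?([\w.$]+(?:Exception|Error|Alert)): (.*)$")
FRAME_RE = re.compile(r"^at ([\w.$<>]+)\(")
ALERT_RE = re.compile(r"\b([a-z_]+)\((\d+)\)")  # TLS alert printed as name(number)
PROVIDERS = {"org.bouncycastle.jsse.": "Bouncy Castle JSSE", "sun.security.ssl.": "SunJSSE"}
LIBRARY_PREFIXES = ("com.microsoft.", "org.bouncycastle.", "com.wrq.", "java.", "javax.", "sun.")

def triage(trace):
    """Summarise a Java TLS failure trace; returns None if no exception is found."""
    chain = []
    for line in (raw.strip() for raw in trace.splitlines()):
        if (m := EXC_RE.match(line)):
            chain.append({"cls": m.group(1), "msg": m.group(2), "frames": []})
        elif chain and (f := FRAME_RE.match(line)):
            chain[-1]["frames"].append(f.group(1))
    if not chain:
        return None
    root = chain[-1]  # the last "Caused by" entry is the root cause
    frames = [fr for exc in chain for fr in exc["frames"]]
    alert = ALERT_RE.search(root["msg"])
    return {
        "root_exception": root["cls"],
        "alert": (alert.group(1), int(alert.group(2))) if alert else None,
        # Which JSSE implementation ran the handshake, judged from its frames.
        "provider": next((name for fr in frames for prefix, name in PROVIDERS.items()
                          if fr.startswith(prefix)), "unknown"),
        "raised_in": root["frames"][0] if root["frames"] else None,
        # First frame outside the driver, TLS and VHI engine packages: the event handler.
        "caller": next((fr for fr in frames if not fr.startswith(LIBRARY_PREFIXES)), None),
        # Alert 70 (protocol_version, RFC 5246): the peers share no acceptable TLS version.
        "version_mismatch": bool(alert) and int(alert.group(2)) == 70,
    }

if __name__ == "__main__":
    print(triage(SAMPLE_TRACE))
```

A result with `provider` set to Bouncy Castle JSSE and `version_mismatch` true matches the condition this article describes; the same connection run from the Design Tool would not show Bouncy Castle frames.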