PayPal SHA-256 connection error

We process payments with Payment Pro end to end API. The Domino server has been upgraded to the latest version Release 9.0.1FP7.

When we submit an authorization or a payment via Java we receive the following error: “javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure”. I have the submitting agent writing the current Java version to the log, and it is “HTTP JVM: pwa6460sr16fp30-20160726_01 (SR16 FP30)”.

I have enabled DEBUG_SSL_ALL=3, DEBUG_SSL_HANDSHAKE=2, DEBUG_SSL_CERT=1, DEBUG_SSL_CIPHERS=2, and the results are as follows.

SSLProcessProtocolMessage> Record Content: Handshake (22)

SSLProcessHandshakeMessage Enter> Message: Finished (20) State: HandshakeFinished (14) Key Exchange: 9 Cipher: DHE_RSA_WITH_AES_256_GCM_SHA384 (0x009F)

SSLCalculateTLS12FinishedMessage Enter> senderID: client finished, PRF using SHA384

SSLProcessHandshakeMessage Exit> Message: Finished (20) State: HandshakeFinished (14) Key Exchange: 9 Cipher: DHE_RSA_WITH_AES_256_GCM_SHA384 (0x009F)

SSLAdvanceHandshake Enter> Processed: Finished (20) State: HandshakeFinished (14)

SSLAdvanceHandshake Exit> State HandshakeServerIdle (3)

SSL_Handshake> After handshake2 state HandshakeServerIdle (3)

SSL_Handshake> Using resumed SSL/TLS session

SSL_Handshake> Protocol Version = TLS1.2 (0x303)

SSL_Handshake> Cipher = DHE_RSA_WITH_AES_256_GCM_SHA384 (0x009F)

SSL_Handshake> KeySize = 256 bits

SSL_Handshake> Original Ephemeral Diffie-Hellman key size = 0 bits

SSL_Handshake> Server RSA key size = 2048 bits

SSL_Handshake> Using Extended Master Secret from RFC 7627

SSL_Handshake> TLS/SSL Handshake completed successfully

The error log also includes this entry.

HTTP JVM: Cannot create a session from an agent. For more detailed information, please consult error-log-0.xml located in C:/Lotus/Domino/Data/domino/workspace/logs

This is the entry from the error-log-0.xml file.

SEVERE Cannot create a session from an agent com.ibm.domino.napi.ssl

I have created Java classes on my local machine (which is running Java 8) and submitted an authorization or a payment with the same Java code, and it works. It seems to me that the handshake is failing because the communication from our server to PayPal’s servers is not being attempted with SHA-256, but I can see no indication of this. I need help. I’m not sure what the problem is.

Subject: Previous version Release 9.0.1FP4

Thank you for taking the time to respond to my post.

The server was upgraded from Release 9.0.1FP4 to Release 9.0.1FP7.

I read the technotes you referenced. I must be misunderstanding something. As I read the technotes, they are referencing systems trying to connect to my Domino server, but that is not the problem I am having. Am I reading them correctly?

I am trying to connect to PayPal’s servers and receive a response but we cannot establish a handshake.

Having said that, I have disabled SSLv3 (DISABLE_SSLV3=1), I am not getting "failed with inappropriate_fallback alert" in the Domino console, and I set the SSLCipherSpec to SSLCipherSpec=9D9C3D3C676B9E9F and tried SSLCipherSpec=9C3D3C676B9E, and no joy.

I’m stumped.

Subject: What version did you upgrade from

There are many technotes on dealing with SSL:

http://www-01.ibm.com/support/docview.wss?uid=swg21695998

https://www-10.lotus.com/ldd/dominowiki.nsf/dx/TLS_Cipher_Configuration

http://www-01.ibm.com/support/docview.wss?uid=swg21964956

http://www-01.ibm.com/support/docview.wss?uid=swg21254333

Subject: Did you ever resolve this issue?

I am currently struggling with exactly the same problem.

The payment gateway with which I am attempting to communicate has recently upgraded to enforce mandatory TLS 1.2 communications.

My logic completes fine when run on my Notes client (9.0.1FP10IF3) but not on my Domino server (9.0.1FP6).
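
An added diagnostic, not code from any poster in this thread: the `javax.net.ssl.SSLHandshakeException` quoted above is raised by the JVM's JSSE stack, so this class reports, for the JVM it runs in, whether each TLS version is enabled by default for outbound connections, supported but not enabled, or unsupported. The class and method names are hypothetical, and it uses only Java 6 era syntax and APIs so the same source can be run in an older server JVM and on Java 8 for comparison.

```java
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;

// Added diagnostic example; class and method names are hypothetical.
public class JvmTlsReport {

    // Classifies one protocol name against what this JVM's default SSLContext offers.
    static String classify(String protocol, SSLContext ctx) {
        List<String> enabled = Arrays.asList(ctx.getDefaultSSLParameters().getProtocols());
        List<String> supported = Arrays.asList(ctx.getSupportedSSLParameters().getProtocols());
        if (enabled.contains(protocol)) return "enabled by default";
        if (supported.contains(protocol)) return "supported but NOT enabled by default";
        return "not supported by this JVM";
    }

    // Tries to build a client-mode engine limited to one protocol; returns the failure
    // text instead of throwing so the log always gets a line per protocol.
    static String tryExplicit(String protocol) {
        try {
            SSLContext ctx = SSLContext.getInstance(protocol); // unknown name: NoSuchAlgorithmException
            ctx.init(null, null, null);                        // default trust store, no client certificate
            SSLEngine engine = ctx.createSSLEngine();
            engine.setUseClientMode(true);
            engine.setEnabledProtocols(new String[] { protocol }); // unsupported: IllegalArgumentException
            return "explicit opt-in works, "
                    + engine.getEnabledCipherSuites().length + " cipher suites enabled";
        } catch (Exception e) {
            return "explicit opt-in failed: " + e;
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("java.version=" + System.getProperty("java.version")
                + " vendor=" + System.getProperty("java.vendor"));
        SSLContext def = SSLContext.getDefault();
        System.out.println("JSSE provider=" + def.getProvider().getName());
        String[] wanted = { "TLSv1", "TLSv1.1", "TLSv1.2" };
        for (int i = 0; i < wanted.length; i++) {
            System.out.println(wanted[i] + ": " + classify(wanted[i], def)
                    + "; " + tryExplicit(wanted[i]));
        }
        System.out.println("default cipher suites="
                + Arrays.asList(def.getDefaultSSLParameters().getCipherSuites()));
    }
}
```

Comparing the output from the working machine with the output from the failing JVM shows whether the two differ in the protocols and cipher suites they offer by default.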