VERIFIED SOLUTION

'The driver could not establish a secure connection to SQL Server by using Secure Sockets Layer (SSL) encryption. Error: SQL Server returned an incomplete response. The connection has been closed.' message in EngageOne Server

EngageOne 3.1.2 build 13

Windows 7 or Windows Server 2008

SQL Server 2008

Issue

The customer receives the following SQL connection error in the app server log and batch log when running an accumulated batch:

'The driver could not establish a secure connection to SQL Server by using Secure Sockets Layer (SSL) encryption. Error: SQL Server returned an incomplete response. The connection has been closed.'

The error is sporadic and goes away when the batch job is run again. Engineering recommended turning on SSL debugging for better analysis.

To turn on SSL debugging, add the following to line 16 of the run.bat file:

-Djavax.net.debug=ssl:handshake:verbose

For example:
%JAVA_HOME%\bin\java -Djavax.net.debug=ssl:handshake:verbose -cp .;e1-server-batch.jar;%ADDTL_CP% -Xmx512m com.pb.engageone.server.batch.Runner -domain %1 -channel %2



 

Cause

In June 2016, Microsoft rolled out security update KB3172605: https://support.microsoft.com/en-us/kb/3172605

This security update introduced changes to the SSL ciphers on the system, and the affected ciphers are unfortunately broken. Removing the patch does not solve the problem, because those ciphers remain on the system.

Names of the ciphers:

TLS_DHE_RSA_WITH_AES_256_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA

When looking at the SSL debugging log created above, we can see the cipher being used by SQL Server:

Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA
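
The check described above can be run over a saved SSL debug log. The script below is an added example, not part of the original article or of EngageOne: it tallies the cipher suite selected in each handshake and attributes each "incomplete response" error to the suite selected just before it. The function name report, the sample log, and the assumption that the error text appears in the same log after the failed handshake's "Cipher Suite:" line are illustrative.

```python
import re
import sys
from collections import Counter

# The two cipher suites this article names as problematic.
PROBLEM_SUITES = {
    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
}
# Error text quoted in this article.
ERROR_TEXT = "SQL Server returned an incomplete response"
# Singular "Cipher Suite:" is the suite the server selected; the plural
# "Cipher Suites:" line (the client's offer list) does not match.
SUITE_RE = re.compile(r"^\s*Cipher Suite:\s*(\S+)\s*$")

# Constructed sample, not a real capture. Assumption: the error line appears
# in the same log, after the "Cipher Suite:" line of the handshake that failed.
SAMPLE_LOG = """\
*** ClientHello, TLSv1
Cipher Suites: [TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA]
*** ServerHello, TLSv1
Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA
*** ServerHelloDone
*** ServerHello, TLSv1
Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA
Error: SQL Server returned an incomplete response. The connection has been closed.
*** ServerHello, TLSv1
Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA
""".splitlines()

def report(lines):
    """Return [(suite, handshakes, failures, flagged)], most used suite first."""
    negotiated, failures, current = Counter(), Counter(), None
    for line in lines:
        match = SUITE_RE.match(line)
        if match:
            current = match.group(1)
            negotiated[current] += 1
        elif ERROR_TEXT in line and current is not None:
            failures[current] += 1  # charge the failure to the last selected suite
            current = None
    return [(s, n, failures[s], s in PROBLEM_SUITES)
            for s, n in negotiated.most_common()]

if __name__ == "__main__":
    # Pass a saved debug log as the first argument, or run on the sample.
    source = open(sys.argv[1], errors="replace") if len(sys.argv) > 1 else SAMPLE_LOG
    for suite, count, failed, flagged in report(source):
        mark = "PROBLEM" if flagged else "ok"
        print(f"{mark:8}{suite}  handshakes={count}  failures={failed}")
```

If failures cluster on the two flagged suites while other suites show none, that matches the cause described in this section.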

You can also use the link below to find the list of ciphers in use on your system:

http://www.howtogeek.com/221080/how-to-update-your-windows-server-cipher-suite-for-better-security/


 

Resolution

UPDATED: July 1, 2019
To solve this issue, the user will need to remove these ciphers by manually deleting them (or wait for an upcoming patch, which will probably fix them).

To manually delete these, please use the link below:

http://www.howtogeek.com/221080/how-to-update-your-windows-server-cipher-suite-for-better-security/


Please keep in mind that these ciphers could be present on any server that interacts with EngageOne (e.g. database server, application server, client server, etc.). The user will need to check EVERY server for the problematic ciphers.