Tag Archives: TLS Error

Resolve Error “Some selected protocols are invalid…”

Mule 3.8 supports only TLSv1.1 and TLSv1.2 by default because of vulnerabilities in TLSv1. So, by default, only TLSv1.1 and TLSv1.2 are enabled in both the Mule runtime and the Anypoint Studio settings.

This scenario applies when you have an HTTPS requester in your flow and configure it to enable TLSv1 because the endpoint or service it calls supports only TLSv1 and not versions 1.1 and 1.2.

To reproduce the error, I have intentionally added other properties in “TLS/SSL”. But in normal scenarios, you will be adding the properties for it to work.

[Screenshot: TLS Setting V1. Other properties are intentionally set blank.]

Now when I run my application, it gives the error “Some selected protocols are invalid…”.

Error:

org.mule.api.lifecycle.InitialisationException: Some selected protocols are invalid. Valid protocols according to your TLS configuration file are: TLSv1.1, TLSv1.2
	at org.mule.transport.ssl.DefaultTlsContextFactory.globalConfigNotHonored(DefaultTlsContextFactory.java:106) ~[mule-transport-ssl-3.8.0.jar:3.8.0]
	at org.mule.transport.ssl.DefaultTlsContextFactory.initialise(DefaultTlsContextFactory.java:80) ~[mule-transport-ssl-3.8.0.jar:3.8.0]
	at org.mule.api.lifecycle.LifecycleUtils.initialiseIfNeeded(LifecycleUtils.java:57) ~[mule-core-3.8.0.jar:3.8.0]
	at org.mule.api.lifecycle.LifecycleUtils.initialiseIfNeeded(LifecycleUtils.java:35) ~[mule-core-3.8.0.jar:3.8.0]
	at org.mule.module.http.internal.request.grizzly.GrizzlyHttpClient.configureTlsContext(GrizzlyHttpClient.java:120) ~[mule-module-http-3.8.0.jar:3.8.0]
	at org.mule.module.http.internal.request.grizzly.GrizzlyHttpClient.initialise(GrizzlyHttpClient.java:105) ~[mule-module-http-3.8.0.jar:3.8.0]
	at org.mule.module.http.internal.request.DefaultHttpRequesterConfig.initialise(DefaultHttpRequesterConfig.java:124) ~[mule-module-http-3.8.0.jar:3.8.0]

 

The fix is to enable TLSv1 in your Anypoint Studio settings. You can follow the steps here for enabling/disabling TLS settings for Anypoint Studio. If this occurs in your runtime after deploying the application, follow the same steps there: navigate to the runtime folder, open the “conf” folder, open “tls-default.conf”, and edit the value of enabledProtocols.

“enabledProtocols=TLSv1.1,TLSv1.2”
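As an added example (not Mule's code and not part of the original post), the Python below mirrors the rule the error message implies: every protocol an application selects must appear in enabledProtocols of tls-default.conf. The function names and the sample file contents are constructed for illustration; the last function lists anything enabled beyond the 3.8 default so the widened setting stays visible.

```python
# Added illustration; function names and sample file contents are assumptions.
MULE_38_DEFAULT = ("TLSv1.1", "TLSv1.2")  # default set per the post and the error text


def parse_enabled_protocols(conf_text):
    """Return the protocol list from the enabledProtocols line of tls-default.conf."""
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # skip blank lines and comments
        key, sep, value = line.partition("=")
        if sep and key.strip() == "enabledProtocols":
            return [p.strip() for p in value.split(",") if p.strip()]
    return []


def rejected_protocols(requested, conf_text):
    """Protocols an application selects that the global file does not allow.

    A non-empty result corresponds to the "Some selected protocols are
    invalid" failure shown in the stack trace above.
    """
    allowed = set(parse_enabled_protocols(conf_text))
    return [p for p in requested if p not in allowed]


def widened_beyond_default(conf_text):
    """Protocols enabled globally that are outside the 3.8 default set."""
    return [p for p in parse_enabled_protocols(conf_text) if p not in MULE_38_DEFAULT]


# Constructed sample files: the default line and the line after the edit.
DEFAULT_CONF = "# constructed sample\nenabledProtocols=TLSv1.1,TLSv1.2\n"
EDITED_CONF = "# constructed sample\nenabledProtocols=TLSv1,TLSv1.1,TLSv1.2\n"

if __name__ == "__main__":
    for name, conf in (("default", DEFAULT_CONF), ("edited", EDITED_CONF)):
        bad = rejected_protocols(["TLSv1"], conf)
        print(name, "startup check:", "fails on " + ", ".join(bad) if bad else "passes")
        print(name, "enabled beyond default:", widened_beyond_default(conf) or "none")
```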

Resolve “SSL handshake error” with Mule

When you are running or deploying Mule 3.8 applications, note that TLSv1 is disabled by default because it has security vulnerabilities. So any application that you develop should support only TLSv1.1 and TLSv1.2. If you have an HTTPS listener in your application and you send a request to it using Fiddler, you may see the following error:

org.mule.module.http.internal.listener.grizzly.MuleSslFilter: SSL handshake error: Client requested protocol TLSv1 not enabled or not supported

The fix for the error should be as follows:

  1. Make sure that you are running the latest Fiddler version (>= .NET 4.0).
  2. By default Fiddler supports only TLSv1, so we need to add TLSv1.1 and TLSv1.2 so that Fiddler sends the request using a TLS version the server supports; in our case the server is our Mule runtime.
  3. Go to the “Tools” menu and click “Fiddler Options”.
  4. Then select the “HTTPS” tab.
  5. If the checkbox “Decrypt HTTPS traffic” is not checked, check it.
  6. You should see “Protocols” with a hyperlink to click.
  7. Click on the link and add this text, or append it to the existing text: “<client>;ssl3;tls1.0;tls1.1;tls1.2”.
  8. Then close and re-open Fiddler. You should now be able to send requests to your Mule application.

Here are the screenshots:

[Figure 1: Fiddler screenshot]

[Figure 2: Fiddler screenshot]

Hope this helps!