What is the blocker for TLS 1.2 for Mac OS RTC Client
Under a corporate mandate to enable TLSv1.2 on our CLM applications. In https://jazz.net/help-dev/clm/index.jsp?re=1&topic=/com.ibm.jazz.install.doc/topics/t_enable_tls1.2_rtc.html&scope=null one finds:
Limitations
- Rational Team Concert Eclipse client for Mac OS X
- Quality Management Microsoft Word and Excel client
- Cognos
Accepted answer
I think I have found the solution and there is no need to raise an enhancement request - the RTC 6.0.3 Client for Eclipse 4.2.x IDE works perfectly with TLSv1.2, and it even comes bundled with a JDK 1.7 (Oracle Java SE 1.7.0_101).
The whole thing appears to be related to the Eclipse 3.6 RCP that the older versions of RTC are based on. This version of Eclipse can only execute (Apple) Java 1.6, which does not provide TLSv1.2 support. I can confirm that it refuses to honor the "-vm" parameter in either the eclipse.ini or the Info.plist file.
https://bugs.eclipse.org/bugs/show_bug.cgi?id=339788
It is easy to see this by adding or modifying the below line in the eclipse.ini file.
-Dosgi.requiredJavaVersion=1.7
You will then get the below error message when launching RTC. Note that 1.6.0_65 is the Apple Java version, and all other installed JVMs (OpenJDK and Oracle Java) are ignored.
Version 1.6.0_65 of the JVM is not suitable for this product.
So, if you can use RTC 6.0.3 Client for Eclipse 4.2.x IDE, use it. Otherwise, use an Eclipse 4.2 base and install RTC on top of it - verify that the Eclipse base can be launched with Java 7 or 8 first.
Comments
Thank you, Donald. I presumed that the version of Java in use had more to do with making a TLS v1.2 connection than the RTC client features. I passed this info along to a MacOS user, but with the suggestion to maybe try Eclipse Luna + RTC 6.0.2 P2 ( I use that combination daily on my RHEL 6.8 platform ). We're on 6.0.2 so even though 6.0.3 would do the TLS....
That's right. If you look at the stack trace in the other answer that I posted, you will see that the "TLSv1.2 SSLContext not available" error is thrown by Java itself. That actually prompted me to do further research and find out the information that I posted in this answer.
One other answer
You should raise an enhancement request to the RTC development, I believe. If I enable debugging, here is what I see in the .log file.
!ENTRY com.ibm.team.repository.transport.client.SSLUtils 0 500 2017-04-13 15:02:01.206
!MESSAGE SSL Algorithm Priority: [TLSv1.2]
!ENTRY com.ibm.team.repository.transport.client.SSLUtils 0 500 2017-04-13 15:02:01.206
!MESSAGE Creating TLSv1.2 context
!ENTRY com.ibm.team.repository.transport.client.SSLUtils 0 500 2017-04-13 15:02:01.207
!MESSAGE TLSv1.2 SSLContext not available
!STACK 0
java.security.NoSuchAlgorithmException: TLSv1.2 SSLContext not available
at sun.security.jca.GetInstance.getInstance(GetInstance.java:142)
at javax.net.ssl.SSLContext.getInstance(SSLContext.java:125)
at com.ibm.team.repository.transport.client.SSLUtils.createSSLContext(SSLUtils.java:207)
at com.ibm.team.repository.transport.client.SSLUtils.createSSLContext(SSLUtils.java:168)
at com.ibm.team.repository.transport.client.SSLUtils.createSSLContext(SSLUtils.java:135)
at com.ibm.team.repository.client.util.FormBasedAuth.setupSSLSupport(FormBasedAuth.java:331)
at com.ibm.team.repository.client.util.RepositoryUtil.getRepositoryId2(RepositoryUtil.java:109)
at com.ibm.team.repository.client.internal.TeamRepositoryService.connectToAndUpdateTeamRepository(TeamRepositoryService.java:401)
at com.ibm.team.repository.client.internal.TeamRepositoryService.getTeamRepositoryWithOverride(TeamRepositoryService.java:180)
at com.ibm.team.process.rcp.ui.RepositoryCreationPage.createNewRepository(RepositoryCreationPage.java:235)
at com.ibm.team.process.rcp.ui.RepositoryCreationPage.create(RepositoryCreationPage.java:201)
at com.ibm.team.process.rcp.ui.RepositoryCreationPage$1.run(RepositoryCreationPage.java:130)
at org.eclipse.jface.operation.ModalContext$ModalContextThread.run(ModalContext.java:121)
!ENTRY com.ibm.team.repository.transport.client.SSLUtils 0 500 2017-04-13 15:02:01.207
!MESSAGE Failed to create TLSv1.2 context
!ENTRY com.ibm.team.repository.transport.client.SSLUtils 0 500 2017-04-13 15:02:01.207
!MESSAGE No acceptable encryption algorithm found
!ENTRY com.ibm.team.repository.client 1 800 2017-04-13 15:02:01.208
!MESSAGE CRJAZ0053I The identifier for the repository identified by "https://clm603.example.com:9443/ccm" could not be contacted: No acceptable encryption algorithm found
(The last message is what I see on the RTC UI).
While not the exact source code, you can see the logic of the code here.
https://github.com/jenkinsci/teamconcert-plugin/blob/master/com.ibm.team.build.hjplugin/src/main/java/com/ibm/team/build/internal/hjplugin/util/SSLContextUtil.java
So the error is thrown well before an SSL handshake is made. I can confirm that there is no TCP/IP traffic happening before the error occurs.
Comments
Kevin Ramer
Feb 11 '16, 2:40 p.m.So, no one knows ?
Kim Soederhamn
Feb 15 '16, 6:42 a.m.Maybe you need to raise a request for enhancement to get TLS working with eclipse on MAC OS.
Kevin Ramer
Feb 15 '16, 10:05 a.m.With Rational or Eclipse Development ?
Kevin Ramer
Apr 12 '17, 4:01 p.m.No one ever said where the enhancement should be opened...
FWIW: I unzipped a 6.0.2 macos 64 bit and I can use the scm utility to successfully connect to a TLSv1.2 enabled server and do query ( e.g. list workspaces ) w/o issue.
However, users of our applications with MacOS cannot use Eclipse IDE. I can't verify on mac as I can't successfully connect to the "display"