KB40559 - JSAM, Premier Java RDP (Hob) and other Java applets that are accessed via Pulse Connect Secure (PCS) solution fail to launch due to SSL handshake error when High Cipher is selected

JSAM, Premier Java RDP (Hob) and other Java applets that are accessed via PCS device (running 8.1R11.1 or higher, 8.2R8 or higher and 8.3R1 or higher versions only, earlier versions are not impacted by the issue described in this article)  may fail to launch due to SSL handshake error if the PCS device has been configured with 'High' Cipher Suites 

PCS device (running 8.1R11.1, 8.2R8, 8.3R1 and higher versions) that are configured with the predefined list of ciphers labelled 'High Cipher Suite' settings (under Admin GUI  System > Configuration > Security > SSL Options) may experience issues with Java applet based features due to an interoperability issue with Oracle JRE clients.

End-user experience or symptoms when running into this interoperability issue:

1. JSAM, Premier Java RDP (Hob) and other Java Applets accessed via rewrite engine may fail to launch with below message in the Java console
2. Java Client Delivery functionality of PCS which is used to launch various client components (such as Host Checker, Pulse Client, etc)  may fail to launch with below message in the Java console

Note: These are generic failure messages that may appear due to different underlying root cause. However this article only applies if you are running a PCS software version mentioned in the article AND your PCS gateway device only allows 'High' ciphers for TLS (https) communication

Screenshot1: Java Console output when an end-user experiences this issue

javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
	at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
	at sun.security.ssl.Alerts.getSSLException(Alerts.java:154)
	at sun.security.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:2023)
	at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1125)
	at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)

Screenshot2: Error when launching Premier Java RDP (Hob) applet

This interoperability issue arose as an unintended side effect of the mitigation for SWEET32 (CVE-2016-2183) as described in SA40312

As part of the mitigation Pulse Secure has moved the 3DES cipher from the 'High Cipher' to 'Medium Cipher' predefined cipher list and Oracle JRE client by default does not support any cipher in Pulse Secure's predefined 'High Cipher' list, thus resulting in https communication error when connecting to PCS devices configured with 'High Ciphers'. Details about this specific Oracle JRE limitation are available at this Oracle website under the section labelled 'Import Limits on Cryptographic Algorithm'

This interoperability issue can be avoided by either configuring the PCS gateway device to allow https communication using a cipher that is support by the default Oracle JRE client or by Installing the JCE files (Oracle's Java Cryptography Extension Unlimited Strength Jurisdiction Policy Files) on each end-user machine.

Option1: Configuring the PCS gateway device to allow https communication using a cipher that is support by the default Oracle JRE client

1. Login to PCS admin console
2. Navigate to System > Configuration > Security > SSL Options
3. Either select the predefined cipher list labelled 'Medium' or select Custom Cipher SSL selection and then add the medium strength ciphers as shown in the screenshot below