After configuring Spotfire Server to use HTTPS, end users are not able to log in using the Analyst client. All users are still able to log in successfully using Web Player in web browsers.
In the Analyst client, the following error message is displayed:
---------------------------
Windows Security: TIBCO Spotfire - Select certificate
Select the certificate to use for authenticating with the server '<your-spotfire-server>'.
No certificate available
No certificates meet the application criteria
Click OK to continue
---------------------------
The More details dialog box shows the following error:
---------------------------
Error message: Could not connect to server 'https://<your-spotfire-server>' to download manifest.
ManifestWebException at Spotfire.Dxp.Services:
Could not connect to server 'https://<your-spotfire-server>' to download manifest. (HRESULT: 80131509)
Stack Trace:
at Spotfire.Dxp.Services.ManifestReader.DownloadAndParse(ResponseCreator responseCreator, Action`1 metadataRequestAction)
at Spotfire.Dxp.Services.ManifestReader.GetReader(Uri uri, ResponseCreator responseCreator, Action`1 metadataRequestAction)
at Spotfire.Dxp.Framework.Login.LoginInfo.UpdateWithNewServerAndDownloadManifest(Uri serverUri)
at Spotfire.Dxp.Loader.EditServerControl.OkButtonClick(Object sender, EventArgs e)
WebException at System:
The request was aborted: Could not create SSL/TLS secure channel. (HRESULT: 80131509)
Stack Trace:
at System.Net.HttpWebRequest.GetResponse()
...
---------------------------
The following error is reported in the Analyst client log:
---------------------------
2022-01-13T18:18:04,781+00:00 2022-01-13 18:18:04,781 [DXP Splash Thread 2] DEBUG Spotfire.Dxp.Services.Http.SpotfireRequest [(null)] - Creating request to 'https:<your-spotfire-server>/spotfire/manifest'.
2022-01-13T18:18:04,792+00:00 2022-01-13 18:18:04,792 [DXP Splash Thread 2] INFO Spotfire.Dxp.Services.Http.NetHttpLogging+System.Net [(null)] - Error: [17340] Exception in HttpWebRequest#64855826::GetResponse - The request was aborted: Could not create SSL/TLS secure channel..
2022-01-13T18:18:04,792+00:00 2022-01-13 18:18:04,792 [DXP Splash Thread 2] WARN Spotfire.Dxp.Services.Http.HttpClient [(null)] - ExecuteNonSpotfireServerRequestWithRetry(https://<your-spotfire-server>/spotfire/manifest, RequestId , User ):
Failed to make request, giving up. Status: SecureChannelFailure, HResult: -2146233079, Response: ---.
System.Net.WebException: The request was aborted: Could not create SSL/TLS secure channel.
at System.Net.HttpWebRequest.GetResponse()
---------------------------
Resolution:
This error can occur when Spotfire Server was upgraded and Tomcat's server.xml file, or parts of it, were reused. Some cipher suites that are specified in an older version of Spotfire, or even in the default cipher list included in the current version, may not be allowed by the local Windows security policy. The resolution usually involves removing cipher suites that are considered weak or are not allowed by local security policies from <spotfire-home>\tss\<version>\tomcat\conf\server.xml. See the following article:
How to disable weak cipher suites which are used to encrypt the traffic between the Web player client and the Spotfire server:
https://support.tibco.com/s/article/How-to-disable-weak-cipher-suites-which-are-used-to-encrypt-the-traffic-between-the-Web-player-client-and-the-Spotfire-server
It is not possible to identify or recommend a specific cipher list that will resolve this issue in every Spotfire environment, because one needs to verify and confirm that Spotfire is configured to use only ciphers that are permitted by local security policies.
For example, the following cipher list can be used in Spotfire 11.4 in more restricted environments:
ciphers="TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256"
The list of ciphers above removes 'TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384', which are included in the default Spotfire 11.4 configuration but might not be allowed by the local security policy. The default cipher list in Spotfire 11.4 is as follows:
ciphers="TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256"
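One way to carry out the verification described above on the Windows machine whose policy is in question, as an added PowerShell example that is not TIBCO's code: it reads every ciphers attribute from a copy of server.xml and reports which suites the local Windows TLS configuration has enabled according to Get-TlsCipherSuite. The -ServerXmlPath parameter, the function name Get-ConfiguredCipher and the sample XML fragment are assumptions made for this example.

```powershell
# Added example (not TIBCO code). Assumption: -ServerXmlPath is a copy of
# Tomcat's server.xml; without it, the constructed sample below is used.
param([string]$ServerXmlPath)

# Constructed sample: a minimal connector carrying part of the default
# Spotfire 11.4 cipher list quoted above (not a complete server.xml).
$sample = @'
<Server><Service>
  <Connector port="443" ciphers="TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,
    TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256"/>
</Service></Server>
'@

function Get-ConfiguredCipher {
    param([Parameter(Mandatory)][xml]$Xml)
    # Collect every ciphers="..." attribute, whichever element carries it,
    # split it on commas and drop surrounding whitespace and empty entries.
    $Xml.SelectNodes('//*[@ciphers]') | ForEach-Object {
        $_.GetAttribute('ciphers') -split ',' |
            ForEach-Object { $_.Trim() } |
            Where-Object { $_ }
    } | Select-Object -Unique
}

$xmlText    = if ($ServerXmlPath) { Get-Content -Raw -LiteralPath $ServerXmlPath } else { $sample }
$configured = @(Get-ConfiguredCipher -Xml $xmlText)

# Get-TlsCipherSuite (TLS module, Windows 10 / Windows Server 2016 and later)
# lists the cipher suites currently enabled for TLS on this machine.
$enabled = @(Get-TlsCipherSuite | Select-Object -ExpandProperty Name)

# One row per configured suite; -contains compares case-insensitively.
$report = foreach ($suite in $configured) {
    [pscustomobject]@{
        CipherSuite      = $suite
        EnabledOnWindows = $enabled -contains $suite
    }
}
$report | Format-Table -AutoSize

# Candidate attribute value holding only the suites enabled on this machine,
# in their original order. Review it against your security policy before use.
$permitted = @($report | Where-Object EnabledOnWindows | ForEach-Object CipherSuite)
'ciphers="{0}"' -f ($permitted -join ',')
```

Suites reported with EnabledOnWindows set to False are the ones to review against the local security policy before editing server.xml.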