On the TIBCO side, you don't need to install anything. When making an HTTP connection, you just point to the directory with trusted certificates. I uploaded only the certs from the new chain (X1 issued by X1). Anyway, while the component is trying to establish the connection, it refers to the old chain, exactly the same way as openssl, portecle and key explorer. Please check the part of the logs below, taken from the SSL debug during renegotiation:
Send StarkResearch Login Service0, setSoTimeout(361000) called
%% No cached client session
*** ClientHello, TLSv1.2
RandomCookie: GMT: 1634650892 bytes = { 216, 32, 215, 249, 24, 72, 243, 2, 50, 237, 171, 162, 53, 199, 95, 112, 28, 95, 99, 56, 46, 187, 192, 255, 26, 67, 233, 52 }
Session ID: {}
Cipher Suites: [SSL_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_MD5, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA256]
Compression Methods: { 0 }
Extension signature_algorithms, signature_algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA, SHA224withECDSA, SHA224withRSA, SHA1withECDSA, SHA1withRSA, SHA1withDSA, MD5withRSA
Extension server_name, server_name: [host_name: stark-research.net]
Extension renegotiation_info, renegotiated_connection:
Send StarkResearch Login Service0, WRITE: TLSv1.2 Handshake, length = 133
Send StarkResearch Login Service0, READ: TLSv1.2 Handshake, length = 81
*** ServerHello, TLSv1.2
RandomCookie: GMT: -1785615296 bytes = { 109, 193, 16, 83, 229, 225, 218, 128, 117, 135, 236, 46, 186, 123, 185, 230, 135, 205, 142, 202, 193, 119, 186, 86, 196, 225, 204, 193 }
Session ID: {101, 80, 76, 115, 130, 143, 144, 63, 43, 149, 82, 180, 6, 161, 221, 193, 92, 91, 65, 163, 148, 220, 117, 84, 115, 87, 234, 162, 16, 100, 23, 82}
Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA
Compression Method: 0
Extension renegotiation_info, renegotiated_connection:
chain [2] = [
[
Version: V3
Subject: CN=ISRG Root X1, O=Internet Security Research Group, C=US
Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11
Key: Sun RSA public key, 4096 bits
modulus: 709477870415445373015359016562426660610553770685944520893298396600226760899977879191004898543350831842119174188613678136510262472550532722234131754439181090009824131001234702144200501816519311599904090606194984753842587622398776018408050245574116028550608708896478977104703101364577377554823893350339376892984086676842821506637376561471221178677513035811884589888230947855482554780924844280661412982827405878164907670403886160896655313460186264922042760067692235383478494519985672059698752915965998412445946254227413232257276525240006651483130792248112417425846451951438781260632137645358927568158361961710185115502577127010922344394993078948994750404287047493247048147066090211292167313905862438457453781042040498702821432013765502024105065778257759178356925494156447570322373310256999609083201778278588599854706241788119448943034477370959349516873162063461521707809689839710972753590949570167489887658749686740890549110678989462474318310617765270337415238713770800711236563610171101328052424145478220993016515262478543813796899677215192789612682845145008993144513547444131126029557147570005369943143213525671105288817016183804256755470528641042403865830064493168693765438364296560479053823886598989258655438933191724193029337334607
public exponent: 65537
Validity: [From: Wed Jan 20 20:14:03 CET 2021,
To: Mon Sep 30 20:14:03 CEST 2024]
Issuer: CN=DST Root CA X3, O=Digital Signature Trust Co.
SerialNumber: [ 40017721 37d4e942 b8ee76aa 3c640ab7]
Certificate Extensions: 7
[1]: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
[
accessMethod: caIssuers
accessLocation: URIName: http://apps.identrust.com/roots/dstrootcax3.p7c
]
]
Finally, even Support from Stark-Research confirmed that the chain from the host is not valid.
Regards, Krystian
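
Added example, not part of the original post: a small Python helper that reads the `chain [n]` blocks of a Java SSL debug log like the one quoted above and lists entries that carry the name of a root in the trust directory but were issued by a name that is not in it, which is the pattern `chain [2]` shows. The sample log, the `host.example` and `Example Intermediate` names, and the function names are constructed for illustration; only the `chain [2]` subject and issuer come from the post.

```python
import re

# Constructed sample in the layout of the SSL debug output quoted in the post.
# Entries [0] and [1] are invented placeholders; [2] uses the names shown there.
SAMPLE_LOG = """\
chain [0] = [
[
  Version: V3
  Subject: CN=host.example
  Issuer: CN=Example Intermediate, O=Example CA
]
chain [1] = [
[
  Version: V3
  Subject: CN=Example Intermediate, O=Example CA
  Issuer: CN=ISRG Root X1, O=Internet Security Research Group, C=US
]
chain [2] = [
[
  Version: V3
  Subject: CN=ISRG Root X1, O=Internet Security Research Group, C=US
  Issuer: CN=DST Root CA X3, O=Digital Signature Trust Co.
]
"""

CHAIN_RE = re.compile(r"^\s*chain \[(\d+)\] = \[")
FIELD_RE = re.compile(r"^\s*(Subject|Issuer):\s*(.+?)\s*$")

def parse_chain(log_text):
    """Return one dict per 'chain [n]' block, in the order the server sent them."""
    certs = []
    for line in log_text.splitlines():
        start = CHAIN_RE.match(line)
        if start:
            certs.append({"index": int(start.group(1)), "subject": None, "issuer": None})
            continue
        field = FIELD_RE.match(line)
        if field and certs and certs[-1][field.group(1).lower()] is None:
            certs[-1][field.group(1).lower()] = field.group(2)  # first hit per block only
    return certs

def cross_signed_anchors(certs, trusted_subjects):
    """Chain entries named like a trusted root but issued by a name that is not trusted.
    Compares distinguished-name strings only; no signature or expiry check is done."""
    trusted = set(trusted_subjects)
    return [c for c in certs
            if c["subject"] in trusted
            and c["issuer"] != c["subject"]
            and c["issuer"] not in trusted]

if __name__ == "__main__":
    trust_dir = ["CN=ISRG Root X1, O=Internet Security Research Group, C=US"]
    for c in cross_signed_anchors(parse_chain(SAMPLE_LOG), trust_dir):
        print(f"chain [{c['index']}]: {c['subject']} is cross-signed by {c['issuer']}")
```
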