Hi,

> Hi,
>
> I am looking for help with a strange issue we are experiencing when trying
> to use Google APIs from a web application that is deployed on Tomcat
> 9.0.83.
>
> After a few hours of the server being up and running, all calls to the
> Google APIs fail because of SSL handshake errors. Attaching the SSL logs
> for your reference.

Without knowing exactly what it would look like, are you 100% sure you're
not running out of entropy for some reason? At least it doesn't hurt to
have available entropy in monitoring somehow.

Regards,
Simon

> I see some differences in the ClientHello message. When the handshake
> fails, all TLSv1.3 ciphers are ignored, there is no "session id" and
> TLSv1.2 is sent as the only supported version.
>
> The Tomcat connector configuration is as follows:
>
> <Connector port="8443"
>            protocol="com.precisionsoftware.tomcat.Http11Nio2Protocol"
>            proxyPort="443"
>            SSLEnabled="true"
>            connectionTimeout="60000"
>            maxThreads="300"
>            minSpareThreads="50"
>            acceptCount="250"
>            maxKeepAliveRequests="1"
>            maxPostSize="-1"
>            relaxedQueryChars='[]|{}^\`"<>'
>            enableLookups="true"
>            disableUploadTimeout="true"
>            URIEncoding="UTF-8"
>            compression="force"
>            scheme="https"
>            secure="true"
>            clientAuth="false"
>            sslProtocol="TLS"
>            sslEnabledProtocols="TLSv1.2+TLSv1.3"
>            keyAlias="1"
>            keystoreFile="../wildcard_odqad.pfx"
>            keystorePass="thepassword"
>            ciphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_AES_128_CCM_SHA256,TLS_AES_128_CCM_8_SHA256"/>
>
> I updated Tomcat to use the most recent native library - 2.0.7 - but that
> did not help. Below is an extract from the server log.
>
> 2024-04-11 02:12:47,507 INFO [org.apache.catalina.core.AprLifecycleListener:134] (main) Loaded Apache Tomcat Native library [2.0.7] using APR version [1.7.4].
> 2024-04-11 02:12:47,507 INFO [org.apache.catalina.core.AprLifecycleListener:134] (main) APR capabilities: IPv6 [true], sendfile [true], accept filters [false], random [true], UDS [true].
> 2024-04-11 02:12:47,507 INFO [org.apache.catalina.core.AprLifecycleListener:134] (main) APR/OpenSSL configuration: useAprConnector [false], useOpenSSL [true]
> 2024-04-11 02:12:47,514 INFO [org.apache.catalina.core.AprLifecycleListener:370] (main) OpenSSL successfully initialized [OpenSSL 3.0.13 30 Jan 2024]
>
> I am not very familiar with the SSL handshake process and do not really
> understand what can make it stop working.
>
> Thanks,
> Marcos
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
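A small diagnostic for the three ClientHello differences Marcos describes (no TLSv1.3 cipher suites, empty session id, TLSv1.2 as the only version in supported_versions). This is an added example, not code from the thread or from Tomcat; the ClientHello bytes it checks are constructed by the hypothetical `build_client_hello` helper, and `diagnose` can be pointed at the first handshake record of a real capture instead.

```python
import struct
SUPPORTED_VERSIONS_EXT = 0x002B                          # RFC 8446 extension type
TLS13_SUITES = {0x1301, 0x1302, 0x1303, 0x1304, 0x1305}  # TLS_AES_* / TLS_CHACHA20_* suites

def u16(buf: bytes, at: int) -> int:
    return struct.unpack("!H", buf[at:at + 2])[0]

def parse_client_hello(record: bytes) -> dict:
    """Pull session id, cipher suites and supported_versions out of one ClientHello record."""
    ctype, _rec_ver, rec_len = struct.unpack("!BHH", record[:5])
    hs = record[5:5 + rec_len]
    if ctype != 22 or hs[0] != 1:
        raise ValueError("not a ClientHello handshake record")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos, versions = 2 + 32, []                           # skip legacy_version and random
    sid_len = body[pos]; pos += 1
    session_id = body[pos:pos + sid_len]; pos += sid_len
    cs_len = u16(body, pos); pos += 2
    suites = [u16(body, i) for i in range(pos, pos + cs_len, 2)]; pos += cs_len
    pos += 1 + body[pos]                                 # skip compression_methods
    if pos < len(body):                                  # extensions block is optional
        end = pos + 2 + u16(body, pos); pos += 2
        while pos < end:
            etype, elen = u16(body, pos), u16(body, pos + 2); pos += 4
            if etype == SUPPORTED_VERSIONS_EXT:          # 1-byte list length, then 2-byte versions
                versions = [u16(body, i) for i in range(pos + 1, pos + 1 + body[pos], 2)]
            pos += elen
    return {"session_id": session_id, "suites": suites, "versions": versions}

def diagnose(record: bytes) -> list:
    """Name the symptoms from the thread that this ClientHello shows (empty list = none)."""
    h = parse_client_hello(record)
    findings = []
    if not TLS13_SUITES.intersection(h["suites"]):
        findings.append("no TLSv1.3 cipher suites")
    if not h["session_id"]:
        findings.append("empty session id")
    if 0x0304 not in h["versions"]:
        findings.append("TLSv1.3 not offered in supported_versions")
    return findings

def build_client_hello(suites, versions, session_id=b"") -> bytes:
    """Constructed sample ClientHello (made-up bytes, not a capture from the thread)."""
    lst = b"".join(struct.pack("!H", v) for v in versions)
    ext = struct.pack("!HHB", SUPPORTED_VERSIONS_EXT, len(lst) + 1, len(lst)) + lst if lst else b""
    body = (b"\x03\x03" + b"\x11" * 32 + bytes([len(session_id)]) + session_id
            + struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
            + b"\x01\x00" + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", 22, 0x0301, len(hs)) + hs
```

A healthy hello (a TLS_AES suite, a session id, 0x0304 in supported_versions) yields no findings; one shaped like the failing case in the thread yields all three.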