TLSv1.2 handshake failure on outgoing connections

2016-01-21 Thread Hrivnak, Dan
Environments:
* Mac OS X 10.10.5; Tomcat 7.0.67, 8.0.30; Java 1.8.0_60
* RHEL 6 (Kernel 2.6.32); Tomcat 7.0.67; Java 1.8.0_60

Problem:
Making an outgoing HTTPS connection from Axis2 client code living inside the 
war, I get a failure during the TLSv1.2 handshake saying “Could not generate DH 
keypair”. Unlike most examples I found online, there was no additional 
information about the key size. The same client code when run from a unit test 
using plain Java works just fine. Below are snippets of one difference I 
noticed with the Server key in the logs:
Running from within Tomcat:
*** ECDH ServerKeyExchange
Signature Algorithm SHA1withRSA
Server key: Sun EC public key, 256 bits
  public x coord: 
112918107330736490567973848952126837545983212398065462286267971433368342872647
  public y coord: 
30155777565237297899065179509488316850099974838272315813007505317208002177712
  parameters: secp256r1 [NIST P-256, X9.62 prime256v1] (1.2.840.10045.3.1.7)
http-bio-8080-exec-6, handling exception: java.lang.RuntimeException: Could not 
generate DH keypair
%% Invalidated:  [Session-4, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384]
http-bio-8080-exec-6, SEND TLSv1.2 ALERT:  fatal, description = internal_error
Running from plain Java (within IntelliJ as a JUnit test in case that matters):
*** ECDH ServerKeyExchange
Signature Algorithm SHA1withRSA
Server key: EC Public Key
X: 726ad077a87d97604c4507989bb1d6c4715ee23399e42543e19dc39048abe3cb
Y: 904cde963f872bd32691e86565e6f0ab09ebf833ee93edd0200a9d81299410e2

*** ServerHelloDone
*** ECDHClientKeyExchange
ECDH Public value:  { 4, 19, 187, 197, 193, 165, 157, 121, 79, 161, 160, 25, 
239, 100, 105, 199, 101, 160, 54, 96, 128, 159, 61, 83, 144, 237, 233, 235, 
118, 100, 47, 50, 85, 98, 192, 79, 174, 211, 10, 218, 35, 207, 203, 3, 88, 41, 
100, 126, 223, 10, 139, 18, 101, 59, 243, 152, 125, 4, 241, 201, 153, 232, 172, 
74, 0 }
main, WRITE: TLSv1.2 Handshake, length = 70


Note the difference in the "Server key". Is Tomcat somehow intercepting the 
outgoing connection and handling it itself? If so, where would I configure the 
security settings for that type of connection? Everything I've been able to 
find relates to configuring Tomcat as the server not as the client for 
SSL/TLS-related things. Please let me know if there is more information that 
would help!

Thank you,
Dan Hrivnak

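Both transcripts come from the same Java version, yet they print the ECDH server key through different public-key classes ("Sun EC public key, 256 bits" versus "EC Public Key / X: / Y:"), which means a different JCA provider is answering in the two environments. The class below is an added diagnostic, not code from the original post: run once from the JUnit test and once from inside the war (called from a servlet or JSP), it prints the JVM actually in use, the registered providers in lookup order, and which provider services the EC and DiffieHellman KeyPairGenerator requests, so the two environments can be compared line by line. Class and method names are mine; the key sizes exercised are assumptions.

```java
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.Provider;
import java.security.Security;
import java.security.spec.ECGenParameterSpec;

/**
 * Added diagnostic (not from the original post). Compare its output from the
 * unit test with its output from a servlet inside the war: a different
 * java.home, provider order, or provider name behind "EC"/"DiffieHellman"
 * explains why the same client code behaves differently in the two places.
 */
public class JceDiagnostics {

    /** JVM identity plus every registered JCA provider, in lookup priority order. */
    public static String providerReport() {
        StringBuilder sb = new StringBuilder();
        sb.append("java.version=").append(System.getProperty("java.version"))
          .append(" java.home=").append(System.getProperty("java.home")).append('\n');
        Provider[] providers = Security.getProviders();
        for (int i = 0; i < providers.length; i++) {
            // The first provider that implements an algorithm wins the lookup.
            sb.append(i + 1).append(". ").append(providers[i].getName())
              .append(" (").append(providers[i].getInfo()).append(")\n");
        }
        return sb.toString();
    }

    /** Which provider services this KeyPairGenerator, and whether it can generate a key. */
    public static String keyGenReport(String algorithm, int bits) {
        try {
            KeyPairGenerator kpg = KeyPairGenerator.getInstance(algorithm);
            kpg.initialize(bits);
            KeyPair kp = kpg.generateKeyPair();
            // The public-key class is what the handshake log's toString() comes from.
            return algorithm + " " + bits + " bits via " + kpg.getProvider().getName()
                    + " -> " + kp.getPublic().getClass().getName();
        } catch (Exception e) {
            // Same failure family as the "Could not generate DH keypair" in the log.
            return algorithm + " " + bits + " bits FAILED: " + e;
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.print(providerReport());
        // The curve the server chose in both transcripts: secp256r1 / NIST P-256.
        KeyPairGenerator ec = KeyPairGenerator.getInstance("EC");
        ec.initialize(new ECGenParameterSpec("secp256r1"));
        System.out.println("EC secp256r1 via " + ec.getProvider().getName()
                + " -> " + ec.generateKeyPair().getPublic().getClass().getName());
        // Sizes an ECDHE / DHE peer can ask for (assumed set, adjust as needed).
        for (int bits : new int[] {256, 384}) System.out.println(keyGenReport("EC", bits));
        for (int bits : new int[] {1024, 2048}) System.out.println(keyGenReport("DiffieHellman", bits));
    }
}
```

The java.home line matters as much as the provider list: an IDE test runner and a Tomcat service script can easily launch different JDK installations, each with its own java.security file and provider set, and the handshake log alone does not show which one is running.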


Query regarding HAProxy + Embedded Tomcat(8.0.20)

2016-01-21 Thread Mohammad Salman
Hi,
I am seeing periodic latency spikes in HAProxy logs. The latency spikes
correspond to high *TC* (backend connect time) values (all ranging from
*1000-1010* ms). I suspect some kind of timeout is happening but don't know
which one.

Following is the HAProxy configuration
Current HAProxy config timeouts:

retries 3
timeout http-request 10s
timeout queue 1m
timeout connect 10s
timeout client 1m
timeout server 5m
timeout http-keep-alive 100s
timeout check 10s
maxconn 1

While analyzing the HAProxy logs, I have seen a pattern in the TC occurrences:
each Tomcat server shows high TC for all HAProxy servers at the same second,
so the issue seems to be with the Tomcat config.


I am using the default config of embedded Tomcat (8.0.20).

In my infra there are 3 HAProxy servers (for load balancing) and
3 embedded Tomcat servers.

Please suggest if someone knows what's going wrong in the system.

Thanks,
Salman
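A way to turn the "same second on every HAProxy" observation into numbers, as an added example that is not part of the original post: it parses HAProxy's default `option httplog` layout (after the `backend/server` field come the timers `Tq/Tw/Tc/Tr/Tt`, then status, bytes, two captured cookies, the termination state, and `actconn/feconn/beconn/srvconn/retries`), collects every request whose Tc sits in the 1000-1010 ms band, and summarises per backend server how many requests hit that band or needed a connect retry. The log lines are constructed for the example, the frontend and backend names are placeholders, and the parser assumes the log format was not customised.

```java
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Added example, not from the original post: extracts Tc (backend connect time)
 * and the retries counter from HAProxy httplog lines and reports, per backend
 * server, how often Tc lands in a suspicious band.
 */
public class HaproxyConnectTimes {

    /** Constructed sample lines (not real traffic) in the default httplog layout. */
    static final String SAMPLE_LOG = String.join("\n",
        "Jan 21 10:00:01 lb1 haproxy[1234]: 10.0.0.5:51234 [21/Jan/2016:10:00:01.123] fe_http be_tomcat/tomcat1 2/0/1/15/18 200 512 - - ---- 3/3/1/1/0 0/0 \"GET /app/ HTTP/1.1\"",
        "Jan 21 10:00:02 lb1 haproxy[1234]: 10.0.0.6:51235 [21/Jan/2016:10:00:01.900] fe_http be_tomcat/tomcat2 1/0/1004/12/1017 200 512 - - ---- 3/3/1/1/0 0/0 \"GET /app/ HTTP/1.1\"",
        "Jan 21 10:00:02 lb1 haproxy[1234]: 10.0.0.7:51236 [21/Jan/2016:10:00:02.010] fe_http be_tomcat/tomcat3 1/0/2/14/17 200 512 - - ---- 3/3/1/1/0 0/0 \"GET /app/ HTTP/1.1\"",
        "Jan 21 10:00:03 lb1 haproxy[1234]: 10.0.0.5:51237 [21/Jan/2016:10:00:02.200] fe_http be_tomcat/tomcat1 2/0/1002/16/1020 200 512 - - ---- 3/3/1/1/0 0/0 \"GET /app/ HTTP/1.1\"",
        "Jan 21 10:00:03 lb1 haproxy[1234]: 10.0.0.6:51238 [21/Jan/2016:10:00:03.050] fe_http be_tomcat/tomcat2 1/0/3/11/15 200 512 - - ---- 3/3/1/1/0 0/0 \"GET /app/ HTTP/1.1\"",
        "Jan 21 10:00:14 lb1 haproxy[1234]: 10.0.0.7:51239 [21/Jan/2016:10:00:03.300] fe_http be_tomcat/tomcat3 1/0/-1/-1/10003 503 212 - - sC-- 3/3/0/0/3 0/0 \"GET /app/ HTTP/1.1\"");

    /** Field order after the server name: Tq/Tw/Tc/Tr/Tt status bytes creq cres tstate actconn/feconn/beconn/srvconn/retries. */
    static final Pattern LINE = Pattern.compile(
        "haproxy\\[\\d+\\]: (\\S+) \\[([^\\]]+)\\] (\\S+) ([^/\\s]+)/(\\S+) "
      + "(-?\\d+)/(-?\\d+)/(-?\\d+)/(-?\\d+)/(\\d+) (\\d+) (\\d+) \\S+ \\S+ \\S+ "
      + "(\\d+)/(\\d+)/(\\d+)/(\\d+)/(\\d+)");

    /** One parsed request, keeping only the fields this report needs. */
    static final class Request {
        final String timestamp, server;
        final int tc, status, retries;
        Request(String timestamp, String server, int tc, int status, int retries) {
            this.timestamp = timestamp; this.server = server;
            this.tc = tc; this.status = status; this.retries = retries;
        }
    }

    /** Parses httplog lines; lines in another layout (e.g. tcplog) are skipped. */
    static List<Request> parse(String log) {
        List<Request> out = new ArrayList<>();
        for (String line : log.split("\n")) {
            Matcher m = LINE.matcher(line);
            if (!m.find()) continue;
            out.add(new Request(m.group(2), m.group(5), Integer.parseInt(m.group(8)),
                                Integer.parseInt(m.group(11)), Integer.parseInt(m.group(17))));
        }
        return out;
    }

    /** Requests whose Tc falls inside [lowMs, highMs]; Tc of -1 (never connected) never matches. */
    static List<Request> connectSpikes(List<Request> requests, int lowMs, int highMs) {
        List<Request> out = new ArrayList<>();
        for (Request r : requests) if (r.tc >= lowMs && r.tc <= highMs) out.add(r);
        return out;
    }

    /** Per server: {request count, max Tc, requests that needed at least one connect retry}. */
    static Map<String, int[]> perServer(List<Request> requests) {
        Map<String, int[]> stats = new LinkedHashMap<>();
        for (Request r : requests) {
            int[] s = stats.computeIfAbsent(r.server, k -> new int[3]);
            s[0]++;
            s[1] = Math.max(s[1], r.tc);
            if (r.retries > 0) s[2]++;
        }
        return stats;
    }

    public static void main(String[] args) {
        List<Request> requests = parse(SAMPLE_LOG);
        // The band the original poster saw: Tc just over one second, no retry, 200 OK.
        for (Request r : connectSpikes(requests, 1000, 1010))
            System.out.printf("%s %-8s Tc=%dms status=%d retries=%d%n",
                              r.timestamp, r.server, r.tc, r.status, r.retries);
        for (Map.Entry<String, int[]> e : perServer(requests).entrySet())
            System.out.printf("%-8s requests=%d maxTc=%d retried=%d%n",
                              e.getKey(), e.getValue()[0], e.getValue()[1], e.getValue()[2]);
    }
}
```

Two things the report separates that look alike at a glance: a Tc of -1 with a 5xx, a termination state starting with `sC` and a non-zero retries counter is the `timeout connect` case, whereas a Tc in the one-second band with retries 0 and a 200 is the pattern described in the post, and with `timeout connect 10s` in the configuration above it cannot be that timeout. Running this over all three load balancers' logs and aligning the timestamps per Tomcat host shows whether the band really lines up on the same second before any timeout is changed.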


Re: Problem With proxi.cgi

2016-01-21 Thread Christopher Schultz
Luciano,

On 1/20/16 1:57 AM, Luciano Martin Galletti wrote:
> But when I call the proxy from my application in OpenLayers,
> the html file is under:
> C:\Program Files\Apache Software Foundation\Tomcat 7.0\webapps\examples\js\ac
> 
> and I call the proxy in this way:
> OpenLayers.ProxyHost = "../../cgi-bin/proxy.cgi?url=";
> 
> I receive:
> HTTP Status 502 - type Status report
> message 
> description This server received an invalid response from a server it 
> consulted when acting as a proxy or gateway.
> Apache Tomcat/7.0.67
>
> Why?

Are you using proxy.cgi internally from your own web application? Or are
you trying to proxy requests from a remote client to another server? (Or
both?)

-chris

>> From: gallett...@hotmail.com
>> To: users@tomcat.apache.org
>> Subject: RE: Problem With proxi.cgi
>> Date: Wed, 20 Jan 2016 06:52:51 +0000
>>
>> Yes
>>
>> C:\Program Files\Apache Software Foundation\Tomcat 
>> 7.0\webapps\examples\WEB-INF\cgi
>>
>> and 
>>  http://localhost:8080/examples/cgi-bin/proxy.cgi
>> now I see the OpenLayers website :)
>>
>> Thanks
>>
>>> Subject: Re: Problem With proxi.cgi
>>> To: users@tomcat.apache.org
>>> From: ma...@apache.org
>>> Date: Tue, 19 Jan 2016 22:45:46 +0000
>>>
>>> On 19/01/2016 19:21, Luciano Martin Galletti wrote:
>>>> Sorry, that was a typo; read this:
>>>>
>>>> Ok, now I've web.xml under
>>>> C:\Program Files\Apache Software Foundation\Tomcat 
>>>> 7.0\webapps\examples\WEB-INF
>>>>
>>>> and context.xml under
>>>> C:\Program Files\Apache Software Foundation\Tomcat 
>>>> 7.0\webapps\examples\META-INF
>>>>
>>>> but same problem as before: I read the .cgi file as text
>>>> on http://localhost:8080/examples/cgi/proxy.cgi
>>>
>>> And what is the full path of the CGI file?
>>>
>>> It should be:
>>> C:\Program Files\Apache Software Foundation\Tomcat
>>> 7.0\webapps\examples\WEB-INF\cgi\proxy.cgi
>>>
>>> And then you use:
>>> http://localhost:8080/examples/cgi-bin/proxy.cgi
>>>
>>> to access it.
>>>
>>> Mark
>>>
>>>


> From: gallett...@hotmail.com
> To: users@tomcat.apache.org
> Subject: RE: Problem With proxi.cgi
> Date: Tue, 19 Jan 2016 19:16:36 +0000
>
> Ok, now I've web.xml under
> C:\Program Files\Apache Software Foundation\Tomcat 7.0\webapps\examples
>
> and context.xml under
> C:\Program Files\Apache Software Foundation\Tomcat 
> 7.0\webapps\examples\META-INF
>
> but same problem as before: I read the .cgi file as text
> on http://localhost:8080/examples/cgi/proxy.cgi
>
>
>> From: chuck.caldar...@unisys.com
>> To: users@tomcat.apache.org
>> Subject: RE: Problem With proxi.cgi
>> Date: Tue, 19 Jan 2016 18:54:40 +0000
>>
>>> From: Luciano Martin Galletti [mailto:gallett...@hotmail.com] 
>>> Subject: RE: Problem With proxi.cgi
>>
>>> Yes both xml files are inside 
>>
>> Be precise; exactly which xml files are you referring to?
>>
>>> C:\Program Files\Apache Software Foundation\Tomcat 
>>> 7.0\webapps\examples\WEB-INF
>>
>> As Mark already stated, the context.xml file should be under META-INF, 
>> not WEB-INF.
>>
>>  - Chuck
>>
>>
>>
>>
>> -
>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>> For additional commands, e-mail: users-h...@tomcat.apache.org
>>
> 




Re: Apache+SSL+ Tomcat How ?

2016-01-21 Thread Christopher Schultz
George,

On 1/19/16 7:11 PM, George Sexton wrote:
> 
> 
> On 1/19/2016 3:50 PM, Edwin Quijada wrote:
>> Hi!
>>
>> I have 2 Tomcat instances with Apache in front of them working as a
>> proxy. Now I need to know how I can use SSL for my app.
>> Is there any document on setting up Apache + SSL for Tomcat to protect my
>> info?
> 
> The standard HOWTO for Apache httpd would apply. There are no
> Tomcat-specific differences.

+1

If you are using mod_jk, then all the TLS stuff is transparent to
Tomcat. In fact, mod_jk specifically will forward by default all the
information you will need on the Tomcat side to enforce e.g.
CONFIDENTIAL security-constraints.

If you decide to use mod_proxy_ajp or mod_proxy_http, you may need
additional configuration to forward that information to Tomcat and use it.

-chris
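For the mod_proxy_http case, an added example of the "additional configuration" in question; it is not from this thread and the proxy address is a placeholder. It assumes the TLS virtual host in httpd sets the scheme header with mod_headers (`RequestHeader set X-Forwarded-Proto "https"`) and that mod_proxy adds `X-Forwarded-For` as it does by default. Tomcat's RemoteIpValve then turns those headers back into `request.isSecure()` and `request.getScheme()`, which is what a CONFIDENTIAL constraint is evaluated against; with mod_jk this step is unnecessary because AJP carries the TLS attributes itself.

```xml
<!-- server.xml (Tomcat side): inside the <Engine> or <Host> element.
     internalProxies is the only address Tomcat will believe these headers from;
     192.0.2.10 is a placeholder for the httpd host. -->
<Valve className="org.apache.catalina.valves.RemoteIpValve"
       internalProxies="192\.0\.2\.10"
       remoteIpHeader="X-Forwarded-For"
       protocolHeader="X-Forwarded-Proto"
       protocolHeaderHttpsValue="https"
       httpsServerPort="443" />

<!-- web.xml (application side): the constraint the forwarded scheme is needed for -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Whole application</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
```

The valve only acts on requests whose remote address matches internalProxies. If the pattern does not cover the httpd host, every proxied request still looks like plain HTTP and the CONFIDENTIAL constraint redirects to httpsServerPort, which httpd forwards as plain HTTP again, so the browser loops; if the pattern is broader than the real proxies, anything that can reach the Tomcat port directly can present a forged X-Forwarded-Proto, so keep the list to the proxy hosts and firewall the Tomcat port to them.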




Re: Socket Read long running

2016-01-21 Thread Christopher Schultz
Rallavagu,

On 1/19/16 6:14 PM, Rallavagu wrote:
> 
> 
> On 1/19/16 2:43 PM, Mark Thomas wrote:
>> On 19/01/2016 22:36, Rallavagu wrote:
>>> Also, it could be keep-alive for the client connection as well. In any case,
>>> how long will a keep-alive connection be in this state by default?
>>> Thanks.
>>
>> This behaviour is entirely normal. Why are you concerned about it?
> 
> I was analyzing thread dump as the application experiences sudden high
> response times and eventually becomes normal.
> 
>>
>> Regarding how long the thread will be in this state, the default
>> keep-alive timeout for the HTTP BIO connector can be found in the
>> documentation.
>> (Yes, I do happen to know what it is but think of this as an exercise
>> for the reader.)
> 
> From the documentation keepAliveTimeout defaults to connectionTimeout.
> 
> 
> "The number of milliseconds this Connector will wait, after accepting a
> connection, for the request URI line to be presented. Use a value of -1
> to indicate no (i.e. infinite) timeout. The default value is 6 (i.e.
> 60 seconds) but note that the standard server.xml that ships with Tomcat
> sets this to 2 (i.e. 20 seconds). Unless disableUploadTimeout is set
> to false, this timeout will also be used when reading the request body
> (if any)."

You might want to consider switching to an NIO-based connector. The
NIO-based connectors do not block a request-processing thread during the
keep-alive wait time, so fewer threads can handle the same number of
actual incoming requests (instead of waiting around, potentially doing no
additional work).

You may still have a response-time problem after that, but it won't be
due to the threading model.

Is your load-balancer configured to maintain keep-alive connections to
your Tomcat instance(s)? If so, what are the details of that configuration?

-chris
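The connector switch suggested above, as an added server.xml fragment that is not from the thread; the numeric values are assumptions to tune. In Tomcat 7, `protocol="HTTP/1.1"` selects the blocking (BIO) `Http11Protocol` when the APR library is not present, so the NIO implementation has to be named explicitly; Tomcat 8 already resolves `HTTP/1.1` to NIO.

```xml
<!-- server.xml: replaces the existing HTTP connector -->
<Connector port="8080"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           connectionTimeout="20000"
           keepAliveTimeout="15000"
           maxKeepAliveRequests="100"
           maxThreads="200"
           redirectPort="8443" />
```

keepAliveTimeout still defaults to connectionTimeout, so without the explicit attribute the 20 s above would also be the idle keep-alive limit. The practical effect on diagnosis: with BIO, a thread dump taken during a slow period shows one blocked socket-read thread per idle keep-alive connection regardless of load, while with NIO a request-processing thread only appears while a request is actually being serviced, so the dump then reflects real work rather than idle connections.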
