Re: installing certificates
Hi Chris and all,

I was able to get my system running based on the instructions at https://community.letsencrypt.org/t/configuring-lets-encrypt-with-tomcat-6-x-and-7-x/32416 . I clarified them a little and put them into the context of installing my open source project at https://github.com/ontologyportal/sigmakee/blob/master/Security.txt

all the best,
Adam

On 10/09/2017 03:13 PM, Adam Pease wrote:

Hi Chris,

Many thanks for the quick response! There's a lot of new terminology (to me) to all this and it's quite confusing I'm afraid. I tried Let's Encrypt just now but since I'm running Tomcat sites either I'm not doing it right, or it doesn't know how to verify domains when they don't answer on port 80. So I get "The server could not connect to the client to verify the domain :: Timeout"

Following the process at "gethttpsforfree.com" resulted in two long hex keys: one titled "Signed Certificate" and one titled "Intermediate Certificate". I'm not sure what a "server certificate" is. Is that a public/private key pair that I generated at the beginning of this process with

    openssl genrsa 4096 > account.key

or what I did at the beginning of the tomcat instructions

    $JAVA_HOME/bin/keytool -genkey -alias tomcat -keyalg RSA

But that generates a .keystore file which is already a parameter to the failing command. I really appreciate your help.

all the best,
Adam

On 10/09/2017 02:00 PM, Christopher Schultz wrote:

Adam,

On 10/9/17 4:24 PM, Adam Pease wrote:
> Hi, I'm running Tomcat 8.5.23 on an AWS Ubuntu Linux 16.04 LTS installation. I'm trying to follow the instructions at https://tomcat.apache.org/tomcat-8.0-doc/ssl-howto.html to get HTTPS running under tomcat.

Version mismatch. You want this guide: https://tomcat.apache.org/tomcat-8.5-doc/ssl-howto.html

> My site runs with a self-signed certificate. Now I'm trying to install a proper certificate from https://gethttpsforfree.com/

Try Let's Encrypt. I know nothing about "gethttpsforfree.com", but I've personally done Let's Encrypt.

> After the rather lengthy process to generate the "Signed Certificate" and "Intermediate Certificate" it appears I'm ready to follow the instructions under the heading "Importing the Certificate".

BTW, LE is a single command to get a signed certificate.

> My first question is whether there is a difference between the certificates mentioned in
> - "import a so called Chain Certificate or Root Certificate into your keystore"
> and
> - "After that you can proceed with importing your Certificate."

You have a "server certificate" -- that's yours, and represents you. There is (usually) another certificate, called the "chain" or "intermediate" certificate, which represents the Certificate Authority who signed your certificate.

When your server performs a TLS handshake with the client, it needs to present a "certificate chain" which includes your server certificate (the "leaf") and any certificates required to link the server cert to a root certificate which is stored within the client and already trusted (e.g. VeriSign, DigiCert, etc.). So your server needs to have multiple certificates available to send, and only one "belongs" to you.

> I was able to execute the command:
>
>     keytool -import -alias root -keystore -trustcacerts -file
>
> using a single file that has the "Signed Certificate" and "Intermediate Certificate" from gethttpsforfree. But then I get an error from the next command
>
>     ~$ keytool -import -alias tomcat -keystore .keystore -file chained.pem
>     Enter keystore password:
>     keytool error: java.lang.Exception: Certificate reply does not contain public key for

Which file is which? Looks like you imported the chain twice.

> When I run
>
>     ~$ keytool -list -v
>
> I see (in part)
>
>     Alias name: tomcat
>     Creation date: Oct 9, 2017
>     Entry type: PrivateKeyEntry
>     Certificate chain length: 1
>     Certificate[1]:
>     Owner: CN=Adam Pease
>
> I'm very new to certificates. Could someone point me in the right direction?

Java keystores are a nightmare... it's not your fault. ;)

It looks like you didn't successfully import the CA's root/intermediate certificate. Can you reply with some more specifics? What files do you have from the CA, what keystore(s) do you have, and what are the exact commands you are running? You've left-out some important details from your post above.

Here's what I have in my "Java Keystore Cheat Sheet":

Create your server key and self-signed cert:

    $ keytool -genkey -keyalg RSA -sigalg SHA256withRSA -keysize 4096 -alias ${HOSTNAME} -keystore ${HOSTNAME}.jks

Now, export your CSR:

    $ keytool -certreq -sigalg SHA256withRSA -keystore ${HOSTNAME}.jks

Use that CSR to get your cert signed. Now, import the signed cert back into your keystore, starting with the root and/or intermediate cert and finishing with your server's cert:

    $ keytool -import -alias [Authority.CA] -trustcacerts -file [authority's CA cert] -keystore ${HOSTNAME}.jks

(^ if nec
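An added check to go with the "which file is which" question above; this is not code from the thread, from Tomcat or from keytool. The script reads a PEM bundle such as the chained.pem mentioned earlier and reports whether it is ordered leaf first with each certificate issued by the one after it, and whether the same certificate appears twice (the symptom behind "looks like you imported the chain twice"). It walks the DER structure with only the standard library, so it needs no third-party package; the demo certificates produced by fake_cert_pem are constructed, unsigned stand-ins that have X.509 layout but would never verify, and all function names are this example's own.

```python
import base64
import re
import sys

# One PEM certificate block; chained.pem holds several back to back.
PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_to_der_list(pem_text):
    """DER bytes of every certificate in the bundle, in file order."""
    return [base64.b64decode("".join(body.split())) for body in PEM_BLOCK.findall(pem_text)]


def der(tag, payload):
    """Encode one DER TLV with a definite length (long form above 127 bytes)."""
    n = len(payload)
    if n < 0x80:
        length = bytes([n])
    else:
        ln = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(ln)]) + ln
    return bytes([tag]) + length + payload


def read_tlv(buf, pos):
    """Decode the TLV starting at buf[pos]; return (tag, value, end_offset)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln


def children(value):
    """Raw TLVs nested directly inside a constructed value."""
    out, pos = [], 0
    while pos < len(value):
        _, _, end = read_tlv(value, pos)
        out.append(value[pos:end])
        pos = end
    return out


def subject_and_issuer(cert_der):
    """Raw DER of the subject and issuer Names. DER is canonical, so the same
    Name always encodes to the same bytes and a byte comparison is enough."""
    _, cert_body, _ = read_tlv(cert_der, 0)           # Certificate ::= SEQUENCE
    _, tbs, _ = read_tlv(children(cert_body)[0], 0)   # tbsCertificate ::= SEQUENCE
    fields = children(tbs)
    if fields[0][0] == 0xA0:                          # optional [0] EXPLICIT version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    return fields[4], fields[2]


def chain_problems(pem_text):
    """What is wrong with a bundle meant to be presented as a chain: the server
    (leaf) certificate first, each certificate issued by the next, none twice."""
    certs = pem_to_der_list(pem_text)
    if not certs:
        return ["no certificates found"]
    problems = []
    if len(set(certs)) != len(certs):
        problems.append("the same certificate appears more than once")
    names = [subject_and_issuer(c) for c in certs]
    if len(certs) > 1 and names[0][0] == names[0][1]:
        problems.append("bundle starts with a self-signed certificate; the server certificate should come first")
    for i in range(len(names) - 1):
        if names[i][1] != names[i + 1][0]:
            problems.append(f"certificate {i + 1} is not issued by certificate {i + 2}")
    return problems


def name(common_name):
    """X.501 Name with a single CN attribute (OID 2.5.4.3)."""
    attr = der(0x30, der(0x06, bytes([0x55, 0x04, 0x03])) + der(0x0C, common_name.encode()))
    return der(0x30, der(0x31, attr))


def fake_cert_pem(subject_cn, issuer_cn):
    """Constructed stand-in for the demo: X.509 layout with a dummy key and
    signature, so it parses but would never verify against anything."""
    alg = der(0x30, der(0x06, bytes([0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x0B])))
    validity = der(0x30, der(0x17, b"171009000000Z") + der(0x17, b"180107000000Z"))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + alg
              + name(issuer_cn) + validity + name(subject_cn) + der(0x30, alg + der(0x03, b"\x00")))
    cert = base64.b64encode(der(0x30, tbs + alg + der(0x03, b"\x00"))).decode()
    body = "\n".join(cert[i:i + 64] for i in range(0, len(cert), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    if len(sys.argv) > 1:                          # python chaincheck.py chained.pem
        print(chain_problems(open(sys.argv[1]).read()) or ["order looks right"])
    else:
        leaf = fake_cert_pem("www.example.test", "Example Intermediate CA")
        inter = fake_cert_pem("Example Intermediate CA", "Example Root CA")
        print("leaf + intermediate:", chain_problems(leaf + inter))
        print("intermediate twice: ", chain_problems(inter + inter))
```

Run it against the real chained.pem before the keytool import: an empty result means the file is ordered the way the explanation above describes (your certificate, then the intermediate); a duplicate or an "is not issued by" message points at the wrong file having been pasted twice.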
Re: FW: [error] SSL0266E: Handshake Failed, Could not establish SSL proxy connection
On Thu, Oct 12, 2017 at 9:17 AM, Igor Cicimov wrote:
> On 12 Oct 2017 8:25 am, "Gali, Vamsi A" wrote:
>
> The debug log produced following & it's evident that handshake is failing
> due to no cipher suites in common.
>
> Allow unsafe renegotiation: false
> Allow legacy hello messages: true
> Is initial handshake: true
> Is secure renegotiation: false
> http-bio--Acceptor-0, setSoTimeout(6) called
> Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1
> Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 for TLSv1
> Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1
> Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 for TLSv1
> Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for TLSv1
> Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for TLSv1
> Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
> Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
> Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
> Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
> Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for TLSv1.1
> Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for TLSv1.1
> http-bio--exec-2, READ: TLSv1.2 Handshake, length = 57
> *** ClientHello, TLSv1.2
> RandomCookie: GMT: -2042962343 bytes = { 199, 95, 13, 144, 113, 194, 145, 53, 176, 117, 165, 93, 196, 76, 17, 104, 214, 95, 96, 238, 97, 6, 240, 239, 53, 188, 180, 41 }
> Session ID: {}
> Cipher Suites: [TLS_EMPTY_RENEGOTIATION_INFO_SCSV, Unknown 0x56:0x0, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_RC4_128_MD5]
> Compression Methods: { 0 }
> ***
> %% Initialized: [Session-13, SSL_NULL_WITH_NULL_NULL]
> %% Invalidated: [Session-13, SSL_NULL_WITH_NULL_NULL]
> http-bio--exec-2, SEND TLSv1.2 ALERT: fatal, description = handshake_failure
> http-bio--exec-2, WRITE: TLSv1.2 Alert, length = 2
> http-bio--exec-2, called closeSocket()
>
> http-bio--exec-2, handling exception: javax.net.ssl.SSLHandshakeException: no cipher suites in common
> http-bio--exec-2, IOException in getSession(): javax.net.ssl.SSLHandshakeException: no cipher suites in common
>
> There you go, no comment needed.

Also, since you are using JSSE in your tomcat connector, you never mentioned the Java version you are using? From the logs looks like IHS offers TLSv1.2 ciphers but tomcat does not support them so maybe you are running an outdated version of Java, maybe 1.6?

There are some tools out there you can use to find the default SSL/TLS cipher suites that JVM will use (and I think I've seen one from Christopher Schultz). The tool should provide you with output like this:

    $ java Ciphers
    DefaultCipher
    SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
    *SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
    SSL_DHE_DSS_WITH_DES_CBC_SHA
    SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
    *SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
    SSL_DHE_RSA_WITH_DES_CBC_SHA
    SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA
    SSL_DH_anon_WITH_3DES_EDE_CBC_SHA
    SSL_DH_anon_WITH_DES_CBC_SHA
    SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
    *SSL_RSA_WITH_3DES_EDE_CBC_SHA
    SSL_RSA_WITH_DES_CBC_SHA
    SSL_RSA_WITH_NULL_MD5
    SSL_RSA_WITH_NULL_SHA
    *TLS_DHE_DSS_WITH_AES_128_CBC_SHA
    *TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
    *TLS_DHE_DSS_WITH_AES_128_GCM_SHA256
    *TLS_DHE_RSA_WITH_AES_128_CBC_SHA
    *TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
    *TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
    TLS_DH_anon_WITH_AES_128_CBC_SHA
    TLS_DH_anon_WITH_AES_128_CBC_SHA256
    TLS_DH_anon_WITH_AES_128_GCM_SHA256
    ...

then pick up one of the supported default ciphers (marked with star) and use it in IHS (as it is or translated in IHS way, no idea about that) so you get a match.

I know nothing about IHS so can't help there. If that doesn't work then I would say IHS does some funky stuff with the cipher suites in a way that tomcat can't understand them.

Igor
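An added example, not part of the thread and not the tool Igor refers to: Python that reads javax.net.debug output like the lines quoted above, pulls the ClientHello's cipher suites and the fatal alert, and intersects the offered suites with a server's enabled list, which is the comparison behind "no cipher suites in common". SAMPLE_LOG is a trimmed copy of the thread's own log; ECDHE_ONLY_SERVER and MIXED_SERVER are constructed stand-ins for what a default-cipher listing tool prints, one with no overlap and one with overlap; the function names are this example's own.

```python
import re

# Constructed sample: a trimmed copy of the javax.net.debug=ssl lines quoted in the thread.
SAMPLE_LOG = """\
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for TLSv1
http-bio--exec-2, READ: TLSv1.2 Handshake, length = 57
*** ClientHello, TLSv1.2
Session ID: {}
Cipher Suites: [TLS_EMPTY_RENEGOTIATION_INFO_SCSV, Unknown 0x56:0x0,
SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA,
TLS_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA,
SSL_RSA_WITH_RC4_128_MD5]
Compression Methods: { 0 }
http-bio--exec-2, SEND TLSv1.2 ALERT: fatal, description = handshake_failure
http-bio--exec-2, handling exception: javax.net.ssl.SSLHandshakeException: no cipher suites in common
"""

CLIENT_HELLO_RE = re.compile(r"\*\*\* ClientHello, (TLSv[\d.]+).*?Cipher Suites: \[(.*?)\]", re.S)
IGNORED_RE = re.compile(r"Ignoring unsupported cipher suite: (\S+) for (\S+)")
ALERT_RE = re.compile(r"SEND TLSv[\d.]+ ALERT: fatal, description = (\w+)")


def parse_client_hello(log):
    """(protocol, offered suites) from the first ClientHello in the log. Signalling
    values are dropped: the *_SCSV names and 'Unknown 0x56:0x0', which is
    TLS_FALLBACK_SCSV (0x5600) printed by a JSSE that has no name for it."""
    m = CLIENT_HELLO_RE.search(log)
    if not m:
        return None, []
    suites = [s.strip() for s in m.group(2).split(",")]
    return m.group(1), [s for s in suites if not s.endswith("_SCSV") and not s.startswith("Unknown")]


def parse_ignored(log):
    """Enabled suites JSSE set aside for older protocol versions, suite -> versions.
    These lines are informational (the SHA256/SHA384 suites need TLS 1.2) and
    are not the failure by themselves."""
    out = {}
    for suite, proto in IGNORED_RE.findall(log):
        out.setdefault(suite, set()).add(proto)
    return {suite: sorted(protos) for suite, protos in out.items()}


def diagnose(log, server_enabled):
    """Explain a handshake_failure by intersecting what the client offered with
    what the server has enabled, keeping the client's offer order."""
    proto, offered = parse_client_hello(log)
    enabled = set(server_enabled)
    common = [s for s in offered if s in enabled]
    alert = ALERT_RE.search(log)
    return {
        "client_protocol": proto,
        "offered": offered,
        "common": common,
        "alert": alert.group(1) if alert else None,
        "ignored_for_older_versions": parse_ignored(log),
        "verdict": "no cipher suites in common" if not common else "overlap: " + ", ".join(common),
    }


# Constructed server lists, standing in for what a default-cipher listing tool prints.
ECDHE_ONLY_SERVER = ["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"]
MIXED_SERVER = ["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_RSA_WITH_AES_128_CBC_SHA"]

if __name__ == "__main__":
    for label, server in (("ECDHE-only server", ECDHE_ONLY_SERVER), ("mixed server", MIXED_SERVER)):
        result = diagnose(SAMPLE_LOG, server)
        print(f"{label}: alert={result['alert']} -> {result['verdict']}")
```

Feed it the real debug output and the list your JVM actually enables, and the "common" entry tells you which side has to change: an empty list with a handshake_failure alert is exactly the situation in the log above, and the IHS-side cipher configuration then has to include at least one suite from the server's starred list.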
RE: FW: [error] SSL0266E: Handshake Failed, Could not establish SSL proxy connection
On 12 Oct 2017 8:25 am, "Gali, Vamsi A" wrote:

The debug log produced following & it's evident that handshake is failing due to no cipher suites in common.

Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
http-bio--Acceptor-0, setSoTimeout(6) called
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 for TLSv1
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for TLSv1.1
http-bio--exec-2, READ: TLSv1.2 Handshake, length = 57
*** ClientHello, TLSv1.2
RandomCookie: GMT: -2042962343 bytes = { 199, 95, 13, 144, 113, 194, 145, 53, 176, 117, 165, 93, 196, 76, 17, 104, 214, 95, 96, 238, 97, 6, 240, 239, 53, 188, 180, 41 }
Session ID: {}
Cipher Suites: [TLS_EMPTY_RENEGOTIATION_INFO_SCSV, Unknown 0x56:0x0, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_RC4_128_MD5]
Compression Methods: { 0 }
***
%% Initialized: [Session-13, SSL_NULL_WITH_NULL_NULL]
%% Invalidated: [Session-13, SSL_NULL_WITH_NULL_NULL]
http-bio--exec-2, SEND TLSv1.2 ALERT: fatal, description = handshake_failure
http-bio--exec-2, WRITE: TLSv1.2 Alert, length = 2
http-bio--exec-2, called closeSocket()
http-bio--exec-2, handling exception: javax.net.ssl.SSLHandshakeException: no cipher suites in common
http-bio--exec-2, IOException in getSession(): javax.net.ssl.SSLHandshakeException: no cipher suites in common

There you go, no comment needed.
RE: FW: [error] SSL0266E: Handshake Failed, Could not establish SSL proxy connection
The debug log produced following & it's evident that handshake is failing due to no cipher suites in common.

Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
http-bio--Acceptor-0, setSoTimeout(6) called
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 for TLSv1
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for TLSv1.1
http-bio--exec-2, READ: TLSv1.2 Handshake, length = 57
*** ClientHello, TLSv1.2
RandomCookie: GMT: -2042962343 bytes = { 199, 95, 13, 144, 113, 194, 145, 53, 176, 117, 165, 93, 196, 76, 17, 104, 214, 95, 96, 238, 97, 6, 240, 239, 53, 188, 180, 41 }
Session ID: {}
Cipher Suites: [TLS_EMPTY_RENEGOTIATION_INFO_SCSV, Unknown 0x56:0x0, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_RC4_128_MD5]
Compression Methods: { 0 }
***
%% Initialized: [Session-13, SSL_NULL_WITH_NULL_NULL]
%% Invalidated: [Session-13, SSL_NULL_WITH_NULL_NULL]
http-bio--exec-2, SEND TLSv1.2 ALERT: fatal, description = handshake_failure
http-bio--exec-2, WRITE: TLSv1.2 Alert, length = 2
http-bio--exec-2, called closeSocket()
http-bio--exec-2, handling exception: javax.net.ssl.SSLHandshakeException: no cipher suites in common
http-bio--exec-2, IOException in getSession(): javax.net.ssl.SSLHandshakeException: no cipher suites in common
http-bio--exec-2, called close()
http-bio--exec-2, called closeInternal(true)

Thank you,
Vamsi Gali

-Original Message-
From: Gali, Vamsi A [mailto:vamsi_a_g...@keybank.com.INVALID]
Sent: Wednesday, October 11, 2017 11:18 AM
To: Tomcat Users List
Subject: RE: FW: [error] SSL0266E: Handshake Failed, Could not establish SSL proxy connection

I see what Igor has suggested and I will be reproducing the issue by adding '-Djavax.net.debug=ssl' to setenv.sh's JAVA_OPTS. Thank you!

Thank you,
Vamsi Gali

-Original Message-
From: Mark Thomas [mailto:ma...@apache.org]
Sent: Wednesday, October 11, 2017 10:44 AM
To: users@tomcat.apache.org
Subject: Re: FW: [error] SSL0266E: Handshake Failed, Could not establish SSL proxy connection

On 11/10/2017 14:05, Gali, Vamsi A wrote:
> Igor,
>
> Thank you for the response!
>
> Since the request is failing at SSL handshake, Tomcat doesn’t even record
> anything not even the access log. I tried enabling debug at tomcat but
> nothing is captured during the request initiation.

Re-read the suggestion. You need to enable the JRE provided SSL debugging, not Tomcat debug logging. Check your JVM docs for you to do that.

Mark

> Thank you,
> Vamsi Gali
>
> -Original Message-
> From: Igor Cicimov [mailto:icici...@gmail.com]
> Sent: Wednesday, October 11, 2017 4:09 AM
> To: Tomcat Users List
> Subject: Re: FW: [error] SSL0266E: Handshake Failed, Could not establish SSL proxy connection
>
> On 11 Oct 2017 1:50 am, "Gali, Vamsi A" wrote:
>
> Hello,
>
> Any help is appreciated on this issue.
>
> Thank you,
> Vamsi Gali
>
> -Original Message-
> From: Gali, Vamsi A
> Sent: Thursday, October 05, 2017 12:03 PM
> To: 'Tomcat Users List'
> Subject: RE: [error] SSL0266E: Handshake Failed, Could not establish SSL proxy connection
>
> Hello,
> I just realized that I didn’t provide the environment info & following are the details:
>
> Tomcat: apache-tomcat-7.0.75
> IHS: HIS v8.5.5.x
> OS: RHEL
>
> We have IHS→mod_proxy(on IHS) → Tomcat.
> I know that IHS isn’t the suggested webserver to use with Tomcat but it’s in use.
> [error] SSL0266E: Handshake Failed, Could not establish SSL proxy connection
>
> When Tomcat is accessed through webserver url, it throws ‘500’ with the following stack on the IHS Error log:
>
> [Thu Oct 00 09:20:20 2017] [debug] proxy_util.c(2313): proxy: HTTPS: fam 2 socket created to connect to TOMCAT2
> [Thu Oct 00 09:20:20 2017] [debug] proxy_util.c(2419): proxy: HTTPS: connection complete to TOMCAT-IP:PORT (TOMCAT2)
> [Thu Oct 00 09:20:20 2017] [error] SSL0266E: Handshake Faile
tomcat 8.5.23 dbcp not honoring autocommit = false?
Working on a migration from 7 to 8.5, and in it I am now using the tomcat dbcp, instead of apache commons dbcp. I have found that with no other changes to the db code (except the factory param for the resource), it is working fine other than there is an implicit commit happening when I close a connection, even with autocommit turned off in mysql config, resource config AND in my code.

Resource config :

Only thing changed in that from 7.x to 8.5.x is the factory was org.apache.commons.dbcp.BasicDataSourceFactory. I am using Connector/J 5.1.44 (latest version).

Getting a connection boils down to this in my code (pieces pulled out of factories and other classes)

(Support class in web code)

    public static DataSource getDataSource() {
        try {
            return (DataSource) new InitialContext().lookup("java:comp/env/" + ServletContextParameters.getDatabaseResourceName());
        } catch (NamingException ex) {
            throw new RuntimeException("unable to find datasource", ex);
        }
    }

(DAO Factory implementation)

    public MySQLDAOFactoryImpl(@NotNull DataSource dataSource) {
        this.dataSource = dataSource;
        try {
            this.dbConn = this.dataSource.getConnection();
            this.dbConn.setAutoCommit(false);
            this.dbConn.setTransactionIsolation(Connection.TRANSACTION_READ_COMMITTED);
        } catch (SQLException ex) {
            throw new DAOException("unable to get database connection", ex);
        }
    }

    @Override
    public void close() {
        try {
            if (this.dbConn != null) {
                this.dbConn.close();
            }
        } catch (SQLException ex) {
            throw new DAOException("error closing database connection", ex);
        }
    }

If I do

    daoFactory = new MySQLDAOFactoryImpl(getDataSource());
    // update #1
    daoFactory.commit()
    // update #2
    daoFactory.close();

then update #2 is being committed.

If I put in this in the close() method of my DAO Factory

    if (!this.dbConn.getAutoCommit()) {
        this.dbConn.rollback();
    }

before the close() call, then update #2 is correctly not getting committed.
I looked back through the recent tomcat changelogs, and found a reference to https://bz.apache.org/bugzilla/show_bug.cgi?id=61425 under the 8.5.21 release which looks like it might be addressing this problem. However, when I download the source for 8.5.23, there is no org.apache.tomcat.jdbc directory so I can't dive in there. Anyone else experienced this? Hopefully I am just missing something obvious. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Enforcing server preference for cipher suites
Thanks for the response, Konstantin. If debugging the tomcat code is the only option, then I will plan to do it sometime soon as it is a bit of additional work for me. We just use the tomcat binaries in our application.

Meanwhile, if anybody has any other suggestions, that is greatly appreciated.

Sent from my iPhone

> On Oct 10, 2017, at 10:26 AM, Konstantin Kolinko wrote:
>
> 2017-10-09 19:31 GMT+03:00 Harish Krishnan :
>> Hi All,
>>
>> Need your expert input here.
>> Not sure what I am doing wrong, but I cannot get this server preference
>> cipher suites feature working.
>>
>> My setup:
>> Latest tomcat 7.x build (which supports useServerCipherSuitesOrder attribute)
>> Latest Java 1.8 build.
>>
>> No matter what value I set to this attribute (true OR false OR undefined
>> which is by default), I always see the client's preference picked.
>> As an example, if the client's order is ABCDEF, and the server's order is DEFABC, no
>> matter what value I set to this useServerCipherSuitesOrder attribute, always
>> the order selected is ABC...
>
> It should work when running on Java 8.
>
> Maybe try debugging
> e.g. with breakpoint in org.apache.tomcat.util.compat.Jre8Compat
> setUseServerCipherSuitesOrder()
>
> https://wiki.apache.org/tomcat/FAQ/Developing#Debugging
>
> Best regards,
> Konstantin Kolinko
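An added example, not from the thread and not Tomcat's or JSSE's code: a Python model of the two selection rules that useServerCipherSuitesOrder switches between, plus a helper that reads a test result the way Harish did and says whether the test could distinguish the two rules at all. CLIENT_ORDER and SERVER_ORDER are the post's own ABCDEF / DEFABC shorthand; CLIENT_SUITES and SERVER_SUITES are a constructed real-name variant; the function names are this example's own.

```python
def negotiate(client_order, server_order, use_server_order):
    """Which suite the handshake ends with. With the server's preference the
    server walks its own enabled list and takes the first suite the client
    offered; otherwise it walks the client's offer and takes the first suite it
    supports. None means no overlap at all, i.e. a handshake_failure."""
    client_set, server_set = set(client_order), set(server_order)
    if use_server_order:
        return next((s for s in server_order if s in client_set), None)
    return next((s for s in client_order if s in server_set), None)


def infer_preference(client_order, server_order, selected):
    """Read a test result: given the suite a test client actually got, say whose
    order won. 'ambiguous' means both rules pick the same suite for this pair of
    lists, so the observation proves nothing about the setting."""
    by_server = negotiate(client_order, server_order, True)
    by_client = negotiate(client_order, server_order, False)
    if by_server == by_client:
        return "ambiguous"
    if selected == by_server:
        return "server"
    if selected == by_client:
        return "client"
    return "unexpected"


# The post's own shorthand: the client offers A..F, the server prefers D, E, F first.
CLIENT_ORDER = list("ABCDEF")
SERVER_ORDER = list("DEFABC")

# Constructed real-name variant: a client that leads with a plain RSA suite and a
# server that would rather take the ECDHE one.
CLIENT_SUITES = ["TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_RSA_WITH_AES_256_CBC_SHA"]
SERVER_SUITES = ["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_RSA_WITH_AES_256_CBC_SHA", "TLS_RSA_WITH_AES_128_CBC_SHA"]

if __name__ == "__main__":
    print("server order honoured:", negotiate(CLIENT_ORDER, SERVER_ORDER, True))        # D
    print("client order honoured:", negotiate(CLIENT_ORDER, SERVER_ORDER, False))       # A
    print("what the post observed:", infer_preference(CLIENT_ORDER, SERVER_ORDER, "A"))  # client
    print("real names, server pref:", negotiate(CLIENT_SUITES, SERVER_SUITES, True))
```

The practical point of infer_preference is the "ambiguous" case: a test client whose first supported suite is also the server's first choice cannot show whether the setting took effect, so the offered order has to put a server-preferred suite behind a less-preferred one, as the ABCDEF / DEFABC example does.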
RE: FW: [error] SSL0266E: Handshake Failed, Could not establish SSL proxy connection
I see what Igor has suggested and I will be reproducing the issue by adding '-Djavax.net.debug=ssl' to setenv.sh's JAVA_OPTS. Thank you!

Thank you,
Vamsi Gali

-Original Message-
From: Mark Thomas [mailto:ma...@apache.org]
Sent: Wednesday, October 11, 2017 10:44 AM
To: users@tomcat.apache.org
Subject: Re: FW: [error] SSL0266E: Handshake Failed, Could not establish SSL proxy connection

On 11/10/2017 14:05, Gali, Vamsi A wrote:
> Igor,
>
> Thank you for the response!
>
> Since the request is failing at SSL handshake, Tomcat doesn’t even record
> anything not even the access log. I tried enabling debug at tomcat but
> nothing is captured during the request initiation.

Re-read the suggestion. You need to enable the JRE provided SSL debugging, not Tomcat debug logging. Check your JVM docs for you to do that.

Mark

> Thank you,
> Vamsi Gali
>
> -Original Message-
> From: Igor Cicimov [mailto:icici...@gmail.com]
> Sent: Wednesday, October 11, 2017 4:09 AM
> To: Tomcat Users List
> Subject: Re: FW: [error] SSL0266E: Handshake Failed, Could not establish SSL proxy connection
>
> On 11 Oct 2017 1:50 am, "Gali, Vamsi A" wrote:
>
> Hello,
>
> Any help is appreciated on this issue.
>
> Thank you,
> Vamsi Gali
>
> -Original Message-
> From: Gali, Vamsi A
> Sent: Thursday, October 05, 2017 12:03 PM
> To: 'Tomcat Users List'
> Subject: RE: [error] SSL0266E: Handshake Failed, Could not establish SSL proxy connection
>
> Hello,
> I just realized that I didn’t provide the environment info & following are the details:
>
> Tomcat: apache-tomcat-7.0.75
> IHS: HIS v8.5.5.x
> OS: RHEL
>
> We have IHS→mod_proxy(on IHS) → Tomcat.
> I know that IHS isn’t the suggested webserver to use with Tomcat but it’s in use.
> [error] SSL0266E: Handshake Failed, Could not establish SSL proxy connection
>
> When Tomcat is accessed through webserver url, it throws ‘500’ with the following stack on the IHS Error log:
>
> [Thu Oct 00 09:20:20 2017] [debug] proxy_util.c(2313): proxy: HTTPS: fam 2 socket created to connect to TOMCAT2
> [Thu Oct 00 09:20:20 2017] [debug] proxy_util.c(2419): proxy: HTTPS: connection complete to TOMCAT-IP:PORT (TOMCAT2)
> [Thu Oct 00 09:20:20 2017] [error] SSL0266E: Handshake Failed, Could not establish SSL proxy connection.
> [Thu Oct 00 09:20:20 2017] [info] [client TOMCAT-IP] [7fa404014a60] [13789] SSL0240I: SSL Handshake Failed, Socket has been closed. Client sent fatal alert [level 2 (fatal), description 40 (handshake_failure)] [TOMCAT-IP:PORT -> IHS:PORT] [09:20:20.000967434] 0ms
> [Thu Oct 00 09:20:20 2017] [debug] [client TOMCAT-IP] [7fa404014a60] Handshake transcript:
> [Thu Oct 00 09:20:20 2017] [debug] [client TOMCAT-IP]
> [Thu Oct 00 09:20:20 2017] [debug] [client TOMCAT-IP] client_version
> [Thu Oct 00 09:20:20 2017] [debug] [client TOMCAT-IP] gsksslDissector_8Bits
> [Thu Oct 00 09:20:20 2017] [debug] [client TOMCAT-IP]03
> [Thu Oct 00 09:20:20 2017] [debug] [client TOMCAT-IP] gsksslDissector_8Bits
> [Thu Oct 00 09:20:20 2017] [debug] [client TOMCAT-IP]03
> [Thu Oct 00 09:20:20 2017] [debug] [client TOMCAT-IP] TLSV12
> [Thu Oct 00 09:20:20 2017] [debug] [client TOMCAT-IP] random
> [Thu Oct 00 09:20:20 2017] [debug] [client TOMCAT-IP] gsksslDissector_32Bits
> [Thu Oct 00 09:20:20 2017] [debug] [client TOMCAT-IP]9xx
> [Thu Oct 00 09:20:20 2017] [debug] [client TOMCAT-IP] gsksslDissector_Opaque
> [Thu Oct 00 09:20:20 2017] [debug] [client TOMCAT-IP]Length: 28
> [Thu Oct 00 09:20:20 2017] [debug] [client TOMCAT-IP]1x 62 xx B3 1F 44 xx 8E D2 xx x7 17 xx 59 x9 x9 .b...D...)...Y..
> [Thu Oct 00 09:20:20 2017] [debug] [client TOMCAT-IP]x1 91 19 08 25 xx DC xx E1 xx 20 xx %..o.9 x
> [Thu Oct 00 09:20:20 2017] [debug] [client TOMCAT-IP] session_id
> [Thu Oct 00 09:20:20 2017] [debug] [client TOMCAT-IP] Length: 00
> [Thu Oct 00 09:20:20 2017] [debug] [client TOMCAT-IP] cipher_suites
> [Thu Oct 00 09:20:20 2017] [debug] [client TOMCAT-IP] Length: 14
> [Thu Oct 00 09:20:20 2017] [debug] [client TOMCAT-IP] 0x Fx x6 00 00 xx 00 xx 00 xx 00 xx 00 xx ..V/.5
> [Thu Oct 00 09:20:20 2017] [debug] [client TOMCAT-IP] tls_ri_scsv,tls_fallback_scsv,tls_rsa_with_rc4_128_sha,tls_rsa_with_aes_128_cbc_sha,tls_rsa_with_aes_256_cbc_sha,tls_rsa_with_3des_ede_cbc_sha,tls_rsa_with_rc4_128_md5
> [Thu Oct 00 09:20:20 2017] [debug] [client TOMCAT-IP] compression_methods
> [Thu Oct 00 09:20:20 2017] [debug] [client TOMCAT-IP] Length: 01
> [Thu Oct 00 09:20:20 2017] [debug] [client TOMCAT-IP] 00 .
> [Thu Oct 00 09:20:20 2017] [debug] [client TOMCAT-IP] Extensions
> [Thu Oct 00 09:20:20 2017] [debug] [client TOMCAT-IP] Length: 00
> [Thu Oct 00 09:20:20 2017] [debug] [client TOMCAT-IP] Extension Count: 0
> [Thu Oct 00 09:20:20 2017] [debug] [client TOMCAT-IP] end
Re: FW: [error] SSL0266E: Handshake Failed, Could not establish SSL proxy connection
On 11/10/2017 14:05, Gali, Vamsi A wrote:
> Igor,
>
> Thank you for the response!
>
> Since the request is failing at SSL handshake, Tomcat doesn’t even record
> anything not even the access log. I tried enabling debug at tomcat but
> nothing is captured during the request initiation.

Re-read the suggestion. You need to enable the JRE provided SSL debugging, not Tomcat debug logging. Check your JVM docs for you to do that.

Mark

> Thank you,
> Vamsi Gali
>
> -Original Message-
> From: Igor Cicimov [mailto:icici...@gmail.com]
> Sent: Wednesday, October 11, 2017 4:09 AM
> To: Tomcat Users List
> Subject: Re: FW: [error] SSL0266E: Handshake Failed, Could not establish SSL proxy connection
>
> On 11 Oct 2017 1:50 am, "Gali, Vamsi A" wrote:
>
> Hello,
>
> Any help is appreciated on this issue.
>
> Thank you,
> Vamsi Gali
>
> -Original Message-
> From: Gali, Vamsi A
> Sent: Thursday, October 05, 2017 12:03 PM
> To: 'Tomcat Users List'
> Subject: RE: [error] SSL0266E: Handshake Failed, Could not establish SSL proxy connection
>
> Hello,
> I just realized that I didn’t provide the environment info & following are the details:
>
> Tomcat: apache-tomcat-7.0.75
> IHS: HIS v8.5.5.x
> OS: RHEL
>
> We have IHS→mod_proxy(on IHS) → Tomcat.
> I know that IHS isn’t the suggested webserver to use with Tomcat but it’s in use.
> [error] SSL0266E: Handshake Failed, Could not establish SSL proxy connection
>
> When Tomcat is accessed through webserver url, it throws ‘500’ with the following stack on the IHS Error log:
>
> [Thu Oct 00 09:20:20 2017] [debug] proxy_util.c(2313): proxy: HTTPS: fam 2 socket created to connect to TOMCAT2
> [Thu Oct 00 09:20:20 2017] [debug] proxy_util.c(2419): proxy: HTTPS: connection complete to TOMCAT-IP:PORT (TOMCAT2)
> [Thu Oct 00 09:20:20 2017] [error] SSL0266E: Handshake Failed, Could not establish SSL proxy connection.
> [Thu Oct 00 09:20:20 2017] [info] [client TOMCAT-IP] [7fa404014a60] [13789] SSL0240I: SSL Handshake Failed, Socket has been closed. Client sent fatal alert [level 2 (fatal), description 40 (handshake_failure)] [TOMCAT-IP:PORT -> IHS:PORT] [09:20:20.000967434] 0ms
> [Thu Oct 00 09:20:20 2017] [debug] [client TOMCAT-IP] [7fa404014a60] Handshake transcript:
> [Thu Oct 00 09:20:20 2017] [debug] [client TOMCAT-IP]
> [Thu Oct 00 09:20:20 2017] [debug] [client TOMCAT-IP] client_version
> [Thu Oct 00 09:20:20 2017] [debug] [client TOMCAT-IP] gsksslDissector_8Bits
> [Thu Oct 00 09:20:20 2017] [debug] [client TOMCAT-IP]03
> [Thu Oct 00 09:20:20 2017] [debug] [client TOMCAT-IP] gsksslDissector_8Bits
> [Thu Oct 00 09:20:20 2017] [debug] [client TOMCAT-IP]03
> [Thu Oct 00 09:20:20 2017] [debug] [client TOMCAT-IP] TLSV12
> [Thu Oct 00 09:20:20 2017] [debug] [client TOMCAT-IP] random
> [Thu Oct 00 09:20:20 2017] [debug] [client TOMCAT-IP] gsksslDissector_32Bits
> [Thu Oct 00 09:20:20 2017] [debug] [client TOMCAT-IP]9xx
> [Thu Oct 00 09:20:20 2017] [debug] [client TOMCAT-IP] gsksslDissector_Opaque
> [Thu Oct 00 09:20:20 2017] [debug] [client TOMCAT-IP]Length: 28
> [Thu Oct 00 09:20:20 2017] [debug] [client TOMCAT-IP]1x 62 xx B3 1F 44 xx 8E D2 xx x7 17 xx 59 x9 x9 .b...D...)...Y..
> [Thu Oct 00 09:20:20 2017] [debug] [client TOMCAT-IP]x1 91 19 08 25 xx DC xx E1 xx 20 xx %..o.9 x
> [Thu Oct 00 09:20:20 2017] [debug] [client TOMCAT-IP] session_id
> [Thu Oct 00 09:20:20 2017] [debug] [client TOMCAT-IP] Length: 00
> [Thu Oct 00 09:20:20 2017] [debug] [client TOMCAT-IP] cipher_suites
> [Thu Oct 00 09:20:20 2017] [debug] [client TOMCAT-IP] Length: 14
> [Thu Oct 00 09:20:20 2017] [debug] [client TOMCAT-IP] 0x Fx x6 00 00 xx 00 xx 00 xx 00 xx 00 xx ..V/.5
> [Thu Oct 00 09:20:20 2017] [debug] [client TOMCAT-IP] tls_ri_scsv,tls_fallback_scsv,tls_rsa_with_rc4_128_sha,tls_rsa_with_aes_128_cbc_sha,tls_rsa_with_aes_256_cbc_sha,tls_rsa_with_3des_ede_cbc_sha,tls_rsa_with_rc4_128_md5
> [Thu Oct 00 09:20:20 2017] [debug] [client TOMCAT-IP] compression_methods
> [Thu Oct 00 09:20:20 2017] [debug] [client TOMCAT-IP] Length: 01
> [Thu Oct 00 09:20:20 2017] [debug] [client TOMCAT-IP] 00 .
> [Thu Oct 00 09:20:20 2017] [debug] [client TOMCAT-IP] Extensions
> [Thu Oct 00 09:20:20 2017] [debug] [client TOMCAT-IP] Length: 00
> [Thu Oct 00 09:20:20 2017] [debug] [client TOMCAT-IP] Extension Count: 0
> [Thu Oct 00 09:20:20 2017] [debug] [client TOMCAT-IP] end handshake transcript
> [Thu Oct 00 09:20:20 2017] [debug] proxy_util.c(2442): proxy: HTTPS: pre_connection setup failed (500)
> [Thu Oct 00 09:20:20 2017] [debug] proxy_util.c(2022): proxy: HTTPS: has released connection for TOMCAT2
>
> --
> What’s done: IHS & Tomcat keystores
RE: FW: [error] SSL0266E: Handshake Failed, Could not establish SSL proxy connection
Yes, Siva. Both IHS & Tomcat keystores are added with correct CA certs.

Webserver Config:

Include "rewrites.conf"
SSLEnable
Include "cipher.conf"
Keyfile Key-File

# tomcat balancer and proxy section
ProxyRequests Off
SSLProxyEngine on
BalancerMember https://Tomcat1:https-port/app1 route=app1_01
BalancerMember https://Tomcat2:https-port/app1 route=app1_02
ProxyPassReverse /app1 balancer://app1
ProxyPass /app1 balancer://app1 stickysession=JSESSIONID|jsessionid

Tomcat SSL Connector: We haven’t specified the list of ciphers for Tomcat and it’s set to TLS for ssl protocol.

Thank you,
Vamsi Gali

-Original Message-
From: shivashankar manukondu [mailto:sivasankar.m...@gmail.com]
Sent: Wednesday, October 11, 2017 10:02 AM
To: Tomcat Users List
Subject: Re: FW: [error] SSL0266E: Handshake Failed, Could not establish SSL proxy connection

Hi,

Can you post the web and tomcat servers configuration files. I hope you have added CA root certificate to the backend truststore?

Regards,
Siva

On Wed, Oct 11, 2017 at 3:05 PM, Gali, Vamsi A <vamsi_a_g...@keybank.com.invalid> wrote:
> Igor,
>
> Thank you for the response!
>
> Since the request is failing at SSL handshake, Tomcat doesn’t even
> record anything not even the access log. I tried enabling debug at
> tomcat but nothing is captured during the request initiation.
>
> Thank you,
> Vamsi Gali
>
> -Original Message-
> From: Igor Cicimov [mailto:icici...@gmail.com]
> Sent: Wednesday, October 11, 2017 4:09 AM
> To: Tomcat Users List
> Subject: Re: FW: [error] SSL0266E: Handshake Failed, Could not
> establish SSL proxy connection
>
> On 11 Oct 2017 1:50 am, "Gali, Vamsi A" wrote:
>
> Hello,
>
> Any help is appreciated on this issue.
>
> Thank you,
> Vamsi Gali
Re: FW: [error] SSL0266E: Handshake Failed, Could not establish SSL proxy connection
Hi,

Can you post the web and tomcat servers configuration files. I hope you have added CA root certificate to the backend truststore?

Regards,
Siva

On Wed, Oct 11, 2017 at 3:05 PM, Gali, Vamsi A <vamsi_a_g...@keybank.com.invalid> wrote:
> Igor,
>
> Thank you for the response!
>
> Since the request is failing at SSL handshake, Tomcat doesn’t even record
> anything not even the access log. I tried enabling debug at tomcat but
> nothing is captured during the request initiation.
>
> Thank you,
> Vamsi Gali
>
> -Original Message-
> From: Igor Cicimov [mailto:icici...@gmail.com]
> Sent: Wednesday, October 11, 2017 4:09 AM
> To: Tomcat Users List
> Subject: Re: FW: [error] SSL0266E: Handshake Failed, Could not establish
> SSL proxy connection
>
> On 11 Oct 2017 1:50 am, "Gali, Vamsi A" wrote:
>
> Hello,
>
> Any help is appreciated on this issue.
>
> Thank you,
> Vamsi Gali
RE: Tomcat SSL issue
On 10/10/2017 9:45 AM, John Ellis wrote:

John Ellis
405.285.2500 office
http://biz-e.io

-Original Message-
From: Terence M. Bandoian [mailto:tere...@tmbsw.com]
Sent: Monday, October 9, 2017 4:49 PM
To: Tomcat Users List
Subject: Re: Tomcat SSL issue

On 10/9/2017 10:01 AM, John Ellis wrote:

I posted questions about this a couple of weeks ago I think it was. I have been trying to get Tomcat running on a secure port with a valid SSL certificate. We finally got version 9.0.0.M20 setup successfully on port 9443 and I can go to that IP:port and get a Tomcat webpage but when I go through all the steps using the keytool commands to submit a certificate (we use Cacert.org) and try to plug that certificate into the mix it doesn’t work. I still get an error message telling me that I will have to create an exception to go to that IP address and port. Last Friday I even deleted the certificate and all the keystore file, etc. and got the same exact error. So it appears that Tomcat is not seeing the certificate at all since I get the same error about having to add an exception whether or not I have a valid certificate in place on the server.

The lines we added to the server.xml file to get the secure port working are-

keystoreFile=home/tomcat9.0.0.M20/apache-tomcat-9.0.0.M20/conf/keystore.jks"
keystorePass=hangeit" />

John Ellis

Thanks for the reply Terence. Yes I get the message about needing to create a security exception when I first try to open the Tomcat webpage on the secure port of 9443. I have deleted the certificate and supporting files off of the server as I was going to start over with a new certificate. I believe the error said something about not being able to verify the certificate. I think the main issue is that this is just an internal server here in our office running RHEL 6. It is not setup as a web server and it just has the name of "cowboy" (given that name by my boss) so it is hard to figure out what to call the "First and last name" part when I am creating the CSR to send to Cacert.org. I can't just use the name "cowboy" as I don't have any way to validate that. Have you ever run into situations like this? As I said before I am not a programmer or developer or anything like that. My background was in computer hardware for over 25 years until I took this position after being laid off from what was formerly WebMD. We installed systems in dr's offices, etc. Any light you could shed on this would be great!

Thanks

Hi, John-

Is it a browser that's displaying the error message and requesting that you create an exception to continue? If so, have you looked at the additional information to determine what problems the browser has detected with the certificate?

-Terence Bandoian
http://www.tmbsw.com/

Hi, John-

I would check the error message presented by the browser carefully and test with multiple browsers (e.g. Firefox, Chrome, IE, etc.). If you can copy the exact error messages to the list, someone might be able to offer more assistance.

If you're able to establish an encrypted connection, I would guess that Tomcat is at least finding "something" for a certificate. And, you should be able to at least change the error message by altering your configuration. If you can't, then something is amiss in the configuration process. Was Tomcat restarted after the configuration was modified? Is Java using a default location for the keystore? Is the keystore you specify in your Tomcat configuration modified when you execute the keytool commands? Can you list the contents of the keystore?

If the browser can't verify the certificate, I'd guess that either intermediate certificates aren't available or the browser doesn't trust the certificate authority or the wrong address is used to access the server from the browser. Detailed error messages would be helpful.

Instructions to generate a CSR are available on the Internet. They vary though so you may have to dig to find something that works in your case. I've found it best to use the instructions provided by the certificate provider. In some cases, the prompt for first and last name is actually a request for the domain name to be secured. Also, a domain name that is at least recognized on your intranet will likely be required if you want to use a valid certificate.

It's been a while since I've configured Tomcat for SSL so I'm going on memory and can't offer much additional help. There are others on the list though that probably can. Specific details, such as Tomcat version, Java version and OS version and exact configuration, commands utilized and error messages make receiving that help more likely and more likely to result in success.

Hope that gets you started!

-Terence

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
RE: FW: [error] SSL0266E: Handshake Failed, Could not establish SSL proxy connection
Igor,

Thank you for the response!

Since the request is failing at SSL handshake, Tomcat doesn’t even record anything not even the access log. I tried enabling debug at tomcat but nothing is captured during the request initiation.

Thank you,
Vamsi Gali

-Original Message-
From: Igor Cicimov [mailto:icici...@gmail.com]
Sent: Wednesday, October 11, 2017 4:09 AM
To: Tomcat Users List
Subject: Re: FW: [error] SSL0266E: Handshake Failed, Could not establish SSL proxy connection

On 11 Oct 2017 1:50 am, "Gali, Vamsi A" wrote:

Hello,

Any help is appreciated on this issue.

Thank you,
Vamsi Gali

-Original Message-
From: Gali, Vamsi A
Sent: Thursday, October 05, 2017 12:03 PM
To: 'Tomcat Users List'
Subject: RE: [error] SSL0266E: Handshake Failed, Could not establish SSL proxy connection

Hello,

I just realized that I didn’t provide the environment info & following are the details:

Tomcat: apache-tomcat-7.0.75
IHS: IHS v8.5.5.x
OS: RHEL

We have IHS→mod_proxy(on IHS) → Tomcat.
I know that IHS isn’t the suggested webserver to use with Tomcat but it’s in use.

[error] SSL0266E: Handshake Failed, Could not establish SSL proxy connection

When Tomcat is accessed through webserver url, it throws ‘500’ with the following stack on the IHS Error log:

[Thu Oct 00 09:20:20 2017] [debug] proxy_util.c(2313): proxy: HTTPS: fam 2 socket created to connect to TOMCAT2
[Thu Oct 00 09:20:20 2017] [debug] proxy_util.c(2419): proxy: HTTPS: connection complete to TOMCAT-IP:PORT (TOMCAT2)
[Thu Oct 00 09:20:20 2017] [error] SSL0266E: Handshake Failed, Could not establish SSL proxy connection.
[Thu Oct 00 09:20:20 2017] [info] [client TOMCAT-IP] [7fa404014a60] [13789] SSL0240I: SSL Handshake Failed, Socket has been closed. Client sent fatal alert [level 2 (fatal), description 40 (handshake_failure)] [TOMCAT-IP:PORT -> IHS:PORT] [09:20:20.000967434] 0ms
[Thu Oct 00 09:20:20 2017] [debug] [client TOMCAT-IP] [7fa404014a60] Handshake transcript:
[Thu Oct 00 09:20:20 2017] [debug] [client TOMCAT-IP]
[Thu Oct 00 09:20:20 2017] [debug] [client TOMCAT-IP] client_version
[Thu Oct 00 09:20:20 2017] [debug] [client TOMCAT-IP] gsksslDissector_8Bits
[Thu Oct 00 09:20:20 2017] [debug] [client TOMCAT-IP]03
[Thu Oct 00 09:20:20 2017] [debug] [client TOMCAT-IP] gsksslDissector_8Bits
[Thu Oct 00 09:20:20 2017] [debug] [client TOMCAT-IP]03
[Thu Oct 00 09:20:20 2017] [debug] [client TOMCAT-IP] TLSV12
[Thu Oct 00 09:20:20 2017] [debug] [client TOMCAT-IP] random
[Thu Oct 00 09:20:20 2017] [debug] [client TOMCAT-IP] gsksslDissector_32Bits
[Thu Oct 00 09:20:20 2017] [debug] [client TOMCAT-IP]9xx
[Thu Oct 00 09:20:20 2017] [debug] [client TOMCAT-IP] gsksslDissector_Opaque
[Thu Oct 00 09:20:20 2017] [debug] [client TOMCAT-IP]Length: 28
[Thu Oct 00 09:20:20 2017] [debug] [client TOMCAT-IP]1x 62 xx B3 1F 44 xx 8E D2 xx x7 17 xx 59 x9 x9 .b...D...)...Y..
[Thu Oct 00 09:20:20 2017] [debug] [client TOMCAT-IP]x1 91 19 08 25 xx DC xx E1 xx 20 xx %..o.9 x
[Thu Oct 00 09:20:20 2017] [debug] [client TOMCAT-IP] session_id
[Thu Oct 00 09:20:20 2017] [debug] [client TOMCAT-IP] Length: 00
[Thu Oct 00 09:20:20 2017] [debug] [client TOMCAT-IP] cipher_suites
[Thu Oct 00 09:20:20 2017] [debug] [client TOMCAT-IP] Length: 14
[Thu Oct 00 09:20:20 2017] [debug] [client TOMCAT-IP] 0x Fx x6 00 00 xx 00 xx 00 xx 00 xx 00 xx ..V/.5
[Thu Oct 00 09:20:20 2017] [debug] [client TOMCAT-IP] tls_ri_scsv,tls_fallback_scsv,tls_rsa_with_rc4_128_sha,tls_rsa_with_aes_128_cbc_sha,tls_rsa_with_aes_256_cbc_sha,tls_rsa_with_3des_ede_cbc_sha,tls_rsa_with_rc4_128_md5
[Thu Oct 00 09:20:20 2017] [debug] [client TOMCAT-IP] compression_methods
[Thu Oct 00 09:20:20 2017] [debug] [client TOMCAT-IP] Length: 01
[Thu Oct 00 09:20:20 2017] [debug] [client TOMCAT-IP] 00 .
[Thu Oct 00 09:20:20 2017] [debug] [client TOMCAT-IP] Extensions
[Thu Oct 00 09:20:20 2017] [debug] [client TOMCAT-IP] Length: 00
[Thu Oct 00 09:20:20 2017] [debug] [client TOMCAT-IP] Extension Count: 0
[Thu Oct 00 09:20:20 2017] [debug] [client TOMCAT-IP] end handshake transcript
[Thu Oct 00 09:20:20 2017] [debug] proxy_util.c(2442): proxy: HTTPS: pre_connection setup failed (500)
[Thu Oct 00 09:20:20 2017] [debug] proxy_util.c(2022): proxy: HTTPS: has released connection for TOMCAT2

--

What’s done: IHS & Tomcat keystores contain required signers for proper communication. During the troubleshooting, I even added IHS server cert as a signer into Tomcat keystore and vice-versa but cannot get rid of this error. Also, tried restricting both IHS & Tomcat to use TLSv1 but no success.

Has anyone run into similar issues? Or ever tried Tomcat with IHS using mod_proxy module?

Thank you,
Vamsi Gali
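The ClientHello that the IHS handshake transcript records can be checked mechanically instead of by eye. The following Python is an added example, not code from this thread or from IBM or Apache: it parses the GSKit transcript lines, extracts the protocol version, the offered cipher suites and the extension count, flags suites a defender would not want enabled, and reports whether the offer overlaps a server-side enabled-suite list. Both server lists are assumptions for illustration; the real list on a Tomcat 7 connector with no ciphers attribute comes from the JVM's JSSE defaults, which this example does not reproduce.

```python
import re

# Constructed sample input: the ClientHello part of the IHS (GSKit) handshake transcript
# quoted in the thread, with the e-mail-wrapped cipher-suite line joined back together.
SAMPLE_TRANSCRIPT = """\
[Thu Oct 00 09:20:20 2017] [debug] [client TOMCAT-IP] client_version
[Thu Oct 00 09:20:20 2017] [debug] [client TOMCAT-IP] TLSV12
[Thu Oct 00 09:20:20 2017] [debug] [client TOMCAT-IP] session_id
[Thu Oct 00 09:20:20 2017] [debug] [client TOMCAT-IP] Length: 00
[Thu Oct 00 09:20:20 2017] [debug] [client TOMCAT-IP] cipher_suites
[Thu Oct 00 09:20:20 2017] [debug] [client TOMCAT-IP] Length: 14
[Thu Oct 00 09:20:20 2017] [debug] [client TOMCAT-IP] tls_ri_scsv,tls_fallback_scsv,tls_rsa_with_rc4_128_sha,tls_rsa_with_aes_128_cbc_sha,tls_rsa_with_aes_256_cbc_sha,tls_rsa_with_3des_ede_cbc_sha,tls_rsa_with_rc4_128_md5
[Thu Oct 00 09:20:20 2017] [debug] [client TOMCAT-IP] Extension Count: 0
"""

# ASSUMED server-side enabled-suite lists (JSSE names), not taken from the thread: a hardened
# connector that allows only ECDHE + AES-GCM, and a permissive one that still accepts static-RSA CBC.
HARDENED_SERVER = {"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"}
PERMISSIVE_SERVER = HARDENED_SERVER | {"TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_AES_256_CBC_SHA"}

_LINE = re.compile(r"^\[[^\]]*\] \[debug\] \[client [^\]]*\]\s*(?P<body>.*)$")


def parse_client_hello(transcript):
    """Extract version, offered suites, signalling values and extension count from a GSKit transcript."""
    hello = {"version": None, "suites": [], "signalling": [], "suite_bytes": None, "extension_count": None}
    in_suites = False
    for line in transcript.splitlines():
        m = _LINE.match(line)
        if not m:
            continue
        body = m.group("body").strip()
        if body.startswith(("TLSV", "SSLV")):
            hello["version"] = body
        elif body == "cipher_suites":
            in_suites = True
        elif in_suites and body.startswith("Length:"):
            hello["suite_bytes"] = int(body.split(":", 1)[1])  # GSKit prints decimal byte counts
        elif in_suites and body.startswith("tls_"):
            # Upper-casing the GSKit names yields the JSSE/IANA spelling for these suites.
            names = [n.strip().upper() for n in body.split(",") if n.strip()]
            hello["signalling"] = [n for n in names if n.endswith("_SCSV")]
            hello["suites"] = [n for n in names if not n.endswith("_SCSV")]
            in_suites = False
        elif body.startswith("Extension Count:"):
            hello["extension_count"] = int(body.split(":", 1)[1])
    return hello


def weaknesses(suite):
    """Reasons a defender would not want this suite enabled; an empty list means nothing flagged."""
    reasons = []
    if "_RC4_" in suite:
        reasons.append("RC4")
    if "_3DES_" in suite:
        reasons.append("3DES")
    if suite.endswith("_MD5"):
        reasons.append("MD5 MAC")
    if "_ECDHE_" not in suite and "_DHE_" not in suite:
        reasons.append("no forward secrecy")
    return reasons


def diagnose(transcript, server_suites):
    """Report whether cipher-suite mismatch alone explains a handshake_failure (alert 40)."""
    hello = parse_client_hello(transcript)
    total = len(hello["suites"]) + len(hello["signalling"])
    findings = {
        "version": hello["version"],
        "length_consistent": hello["suite_bytes"] == 2 * total,  # two bytes per suite on the wire
        "common_suites": [s for s in hello["suites"] if s in server_suites],
        "weak_offered": {s: weaknesses(s) for s in hello["suites"] if weaknesses(s)},
        "no_extensions": hello["extension_count"] == 0,  # no SNI and no EC curve/point-format lists
    }
    findings["mismatch_explains_alert40"] = not findings["common_suites"]
    return findings


if __name__ == "__main__":
    for label, server in (("hardened", HARDENED_SERVER), ("permissive", PERMISSIVE_SERVER)):
        f = diagnose(SAMPLE_TRANSCRIPT, server)
        print(f"{label}: common={f['common_suites']} alert40_from_mismatch={f['mismatch_explains_alert40']}")
```

With the hardened list there is no common suite, which is exactly the situation in which a TLS server answers with alert 40; with the permissive list there is an overlap, so the cause has to be looked for elsewhere (the backend certificate's key type, the protocol version, or trust of the backend certificate).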
Basic question related to NIO connector and Async servlet processing
Hi All,

I have got a basic question related to usage of Async servlet with tomcat NIO connector. I want to use Async servlet with Non Block I/O as per servlet spec https://docs.oracle.com/javaee/7/tutorial/servlets013.htm?lipi=urn%3Ali%3Apage%3Ad_flagship3_pulse_read%3BmL0Q5Y7ESTy4lpYPU%2Br77w%3D%3D such that the http worker threads are released and the container threads won't be sitting idle for I/O operations too.

I am on Tomcat 7. As I understand the default tomcat connector (BIO) is a blocking one and is on a thread per connection model. I am not clear on whether using async Non Blocking I/O in servlets won't suffice? Won't the http worker threads be released here or will it be held for the lifetime of the connection?

NIO connector will use request per threads or allocate threads when processing is required. Will using NIO selector only release the http worker threads if it is used in conjunction with Asynchronous Non blocking I/O servlets?

Best Regards,
Saurav
Re: BREAKTHROUGH (but not solved) Re: Problem: (GSKit) No compatible cipher suite available between SSL end points.
On 10/10/2017 1:20 AM, Peter Kreuser wrote:

Christopher,

A good read on the appropriate (openssl) cipher string that I use can be found here: https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/

Hynek explains the whys and don'ts and updates the string on a regular basis!

HTH

Peter

Nice article. Thanks!

-Terence Bandoian
http://www.tmbsw.com/
Re: FW: [error] SSL0266E: Handshake Failed, Could not establish SSL proxy connection
On 11 Oct 2017 1:50 am, "Gali, Vamsi A" wrote:

Hello,

Any help is appreciated on this issue.

Thank you,
Vamsi Gali