Re: [OT] Tomcat 9.0.83 - SSL handshake stops working for Google API calls after a while
Marcos, On 4/11/24 09:52, Marcos Peña wrote: Thanks for your replies. My bad assuming the connector configuration applied to all connections but it makes total sense that applies to incoming connections. That helps a lot. I have been trying to solve this problem for several days and I was a bit desperate. I could not find anything in the application code that would change it at runtime...up to a few minutes ago. I think there is a SSLSocketFactory that is changing the ciphers at runtime. That's exactly the kind of thing I would expect to discover given your description of the symptoms. -chris On Thu, Apr 11, 2024 at 2:25 PM Christopher Schultz < ch...@christopherschultz.net> wrote: Marcos, Marking as "off topic" because this is not Tomcat-related. Please see below... On 4/11/24 08:28, Marcos Peña wrote: Hi, I am looking for help with a strange issue we are experiencing when trying to use Google APIs from a web application that is deployed on Tomcat 9.0.83. After a few hours of the server being up and running, all calls to the Google APIs fail because of SSL handshake errors. Attaching the SSL logs for your reference. I see some differences in the ClientHello message. When the handshake fails, all TLSv1.3 ciphers are ignored, there is no "session id" and TLSv1.2 is sent as the only supported version. The Tomcat connector configuration is as follows: ciphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_AES_128_CCM_SHA256,TLS_AES_128_CCM_8_SHA256"/> This configuration is only relevant for INCOMING connections. It has no bearing on your outgoing HTTP / TLS connections. I updated Tomcat to use the most recent native library - 2.0.7 - but that did not help. Below an extract from the server log. Your use (or not) of tcnative is only relevant for incoming connections. Without significant work, your outgoing connections will not be using tcnative for any TLS communications. 2024-04-11 02:12:47,507 INFO [org.apache.catalina.core.AprLifecycleListener:134] (main) Loaded Apache Tomcat Native library [2.0.7] using APR version [1.7.4]. 2024-04-11 02:12:47,507 INFO [org.apache.catalina.core.AprLifecycleListener:134] (main) APR capabilities: IPv6 [true], sendfile [true], accept filters [false], random [true], UDS [true]. 2024-04-11 02:12:47,507 INFO [org.apache.catalina.core.AprLifecycleListener:134] (main) APR/OpenSSL configuration: useAprConnector [false], useOpenSSL [true] 2024-04-11 02:12:47,514 INFO [org.apache.catalina.core.AprLifecycleListener:370] (main) OpenSSL successfully initialized [OpenSSL 3.0.13 30 Jan 2024] I am not very familiar with the SSL handshake process and do not really understand what can make it stop working. My guess is that your /outbound/ HTTP connection manager is having its configuration changed at runtime. You will have to look at how your application establishes these outbound connections to determine why the rules are changing. -chris - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: [OT] Tomcat 9.0.83 - SSL handshake stops working for Google API calls after a while
Thanks for your replies.
My bad assuming the connector configuration applied to all connections but
it makes total sense that applies to incoming connections. That helps a lot.
I have been trying to solve this problem for several days and I was a bit
desperate. I could not find anything in the application code that would
change it at runtime...up to a few minutes ago. I think there is a
SSLSocketFactory that is changing the ciphers at runtime.
Regards,
Marcos
On Thu, Apr 11, 2024 at 2:25 PM Christopher Schultz <
ch...@christopherschultz.net> wrote:
> Marcos,
>
> Marking as "off topic" because this is not Tomcat-related. Please see
> below...
>
> On 4/11/24 08:28, Marcos Peña wrote:
> > Hi,
> >
> > I am looking for help with a strange issue we are experiencing when
> > trying to use Google APIs from a web application that is deployed on
> > Tomcat 9.0.83.
> >
> > After a few hours of the server being up and running, all calls to the
> > Google APIs fail because of SSL handshake errors. Attaching the SSL logs
> > for your reference.
> >
> > I see some differences in the ClientHello message. When the handshake
> > fails, all TLSv1.3 ciphers are ignored, there is no "session id" and
> > TLSv1.2 is sent as the only supported version.
> >
> > The Tomcat connector configuration is as follows:
> > > protocol="com.precisionsoftware.tomcat.Http11Nio2Protocol"
> > proxyPort="443" SSLEnabled="true"
> > connectionTimeout="6"
> > maxThreads="300"
> > minSpareThreads="50"
> > acceptCount="250"
> > maxKeepAliveRequests="1"
> > maxPostSize="-1"
> > relaxedQueryChars='[]|{}^'
> > enableLookups="true"
> > disableUploadTimeout="true"
> > URIEncoding="UTF-8"
> > compression="force"
> > scheme="https"
> > secure="true"
> > clientAuth="false"
> > sslProtocol="TLS"
> > sslEnabledProtocols="TLSv1.2+TLSv1.3"
> > keyAlias="1"
> > keystoreFile="../wildcard_odqad.pfx"
> > keystorePass="thepassword"
> >
> >
> ciphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_AES_128_CCM_SHA256,TLS_AES_128_CCM_8_SHA256"/>
>
> This configuration is only relevant for INCOMING connections. It has no
> bearing on your outgoing HTTP / TLS connections.
>
> > I updated Tomcat to use the most recent native library - 2.0.7 - but
> > that did not help. Below an extract from the server log.
>
> Your use (or not) of tcnative is only relevant for incoming connections.
> Without significant work, your outgoing connections will not be using
> tcnative for any TLS communications.
>
> > 2024-04-11 02:12:47,507 INFO
> > [org.apache.catalina.core.AprLifecycleListener:134] (main) Loaded
> > Apache Tomcat Native library [2.0.7] using APR version [1.7.4].
> > 2024-04-11 02:12:47,507 INFO
> > [org.apache.catalina.core.AprLifecycleListener:134] (main) APR
> > capabilities: IPv6 [true], sendfile [true], accept filters [false],
> > random [true], UDS [true].
> > 2024-04-11 02:12:47,507 INFO
> > [org.apache.catalina.core.AprLifecycleListener:134] (main) APR/OpenSSL
> > configuration: useAprConnector [false], useOpenSSL [true]
> > 2024-04-11 02:12:47,514 INFO
> > [org.apache.catalina.core.AprLifecycleListener:370] (main) OpenSSL
> > successfully initialized [OpenSSL 3.0.13 30 Jan 2024]
> >
> > I am not very familiar with the SSL handshake process and do not really
> > understand what can make it stop working.
>
> My guess is that your /outbound/ HTTP connection manager is having its
> configuration changed at runtime. You will have to look at how your
> application establishes these outbound connections to determine why the
> rules are changing.
>
> -chris
>
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
>
Re: [OT] Tomcat 9.0.83 - SSL handshake stops working for Google API calls after a while
> On Apr 11, 2024, at 07:28, Marcos Peña wrote: > > I am looking for help with a strange issue we are experiencing when trying to > use Google APIs from a web application that is deployed on Tomcat 9.0.83. As Chris noted, this has nothing to do with Tomcat. The stack trace shows that the failure is coming from your application code: com.precisionsoftware.trax.service.translation.Transliterator > After a few hours of the server being up and running, all calls to the Google > APIs fail because of SSL handshake errors. My quite limited experience with Google APIs (using rclone) shows that the client access token has to be renewed fairly frequently (rclone does this automatically). I don’t know if the token is used as part of the TLS handshake, nor if your code is refreshing the token when needed. > The Tomcat connector configuration is as follows: > protocol="com.precisionsoftware.tomcat.Http11Nio2Protocol" proxyPort="443" > SSLEnabled="true" Unrelated to your problem, but that protocol class setting seems very odd; have you copied the Tomcat class into your own package? - Chuck - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: [OT] Tomcat 9.0.83 - SSL handshake stops working for Google API calls after a while
Marcos,
Marking as "off topic" because this is not Tomcat-related. Please see
below...
On 4/11/24 08:28, Marcos Peña wrote:
Hi,
I am looking for help with a strange issue we are experiencing when
trying to use Google APIs from a web application that is deployed on
Tomcat 9.0.83.
After a few hours of the server being up and running, all calls to the
Google APIs fail because of SSL handshake errors. Attaching the SSL logs
for your reference.
I see some differences in the ClientHello message. When the handshake
fails, all TLSv1.3 ciphers are ignored, there is no "session id" and
TLSv1.2 is sent as the only supported version.
The Tomcat connector configuration is as follows:
protocol="com.precisionsoftware.tomcat.Http11Nio2Protocol"
proxyPort="443" SSLEnabled="true"
connectionTimeout="6"
maxThreads="300"
minSpareThreads="50"
acceptCount="250"
maxKeepAliveRequests="1"
maxPostSize="-1"
relaxedQueryChars='[]|{}^'
enableLookups="true"
disableUploadTimeout="true"
URIEncoding="UTF-8"
compression="force"
scheme="https"
secure="true"
clientAuth="false"
sslProtocol="TLS"
sslEnabledProtocols="TLSv1.2+TLSv1.3"
keyAlias="1"
keystoreFile="../wildcard_odqad.pfx"
keystorePass="thepassword"
ciphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_AES_128_CCM_SHA256,TLS_AES_128_CCM_8_SHA256"/>
This configuration is only relevant for INCOMING connections. It has no
bearing on your outgoing HTTP / TLS connections.
I updated Tomcat to use the most recent native library - 2.0.7 - but
that did not help. Below an extract from the server log.
Your use (or not) of tcnative is only relevant for incoming connections.
Without significant work, your outgoing connections will not be using
tcnative for any TLS communications.
2024-04-11 02:12:47,507 INFO
[org.apache.catalina.core.AprLifecycleListener:134] (main) Loaded
Apache Tomcat Native library [2.0.7] using APR version [1.7.4].
2024-04-11 02:12:47,507 INFO
[org.apache.catalina.core.AprLifecycleListener:134] (main) APR
capabilities: IPv6 [true], sendfile [true], accept filters [false],
random [true], UDS [true].
2024-04-11 02:12:47,507 INFO
[org.apache.catalina.core.AprLifecycleListener:134] (main) APR/OpenSSL
configuration: useAprConnector [false], useOpenSSL [true]
2024-04-11 02:12:47,514 INFO
[org.apache.catalina.core.AprLifecycleListener:370] (main) OpenSSL
successfully initialized [OpenSSL 3.0.13 30 Jan 2024]
I am not very familiar with the SSL handshake process and do not really
understand what can make it stop working.
My guess is that your /outbound/ HTTP connection manager is having its
configuration changed at runtime. You will have to look at how your
application establishes these outbound connections to determine why the
rules are changing.
-chris
-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
