Hi. We have been running Tomcat 7.0.23 in our test environment until recently, then upgraded to 7.0.35. After the upgrade, our tests started failing intermittently with

    <urlopen error [Errno 1] _ssl.c:503: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure>

So some HTTPS requests would succeed and others fail, generating the above message. I searched around and the following diagnosis seemed the most applicable among the results, but I don't think it applies, given our server.xml configuration:

----------
"SSL3_READ_BYTES:sslv3 alert handshake failure" and "SSL23_WRITE:ssl handshake failure" Errors

These errors are caused by a directive in the configuration file that requires mutual authentication. For example, if an SSL Certificate is sent from the server and then a separate SSL Certificate is sent back from the client during the SSL handshake, this error will occur. In our experience, this directive is usually included by accident.

To remove the directive and thus fix the error, open your conf file. Change SSLVerifyClient or SSLVerifyClient optional_no_ca to SSLVerifyClient none, then restart Apache. This change will tell the Apache server to stop looking for a client certificate when completing the SSL handshake with a client computer.

Another possible cause of these errors is including the line SSLVerifyDepth 1 in the conf file. Comment out the line by adding a # to the beginning (ex. #SSLVerifyDepth 1).

[http://www.digicert.com/ssl-support/apache-fix-common-ssl-errors.htm]
----------

This article was specifically addressing httpd, but the recommendation would seem to apply for Tomcat if using an APR connector, but we are not, as far as I can tell.
Here is our stripped-down server.xml configuration:

    <?xml version='1.0' encoding='utf-8'?>
    <Server port="9006" shutdown="SHUTDOWN">
      <Listener className="org.apache.catalina.core.JasperListener" />
      <!-- Prevent memory leaks due to use of particular java/javax APIs-->
      <Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener" />
      <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
      <Listener className="org.apache.catalina.core.ThreadLocalLeakPreventionListener" />
      <GlobalNamingResources>
        <Resource name="UserDatabase" auth="Container"
                  type="org.apache.catalina.UserDatabase"
                  description="User database that can be updated and saved"
                  factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
                  pathname="conf/tomcat-users.xml" />
      </GlobalNamingResources>
      <Service name="Catalina">
        <Connector port="9090" maxHttpHeaderSize="8192"
                   maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
                   enableLookups="false" redirectPort="9444" acceptCount="100"
                   connectionTimeout="20000" disableUploadTimeout="true"
                   URIEncoding="UTF-8"
                   compression="on" compressionMinSize="1024"
                   noCompressionUserAgents="gozilla, traviata"
                   compressableMimeType="text/html,text/xml,text/css,text/javascript,application/x-javascript,application/javascript" />
        <Connector port="9444" maxHttpHeaderSize="8192"
                   maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
                   enableLookups="false" disableUploadTimeout="true"
                   acceptCount="100" scheme="https" secure="true" SSLEnabled="true"
                   clientAuth="false" sslProtocol="TLS"
                   keystoreFile="webapps/OurProgram/.keystore"
                   compression="on" compressionMinSize="1024"
                   noCompressionUserAgents="gozilla, traviata"
                   compressableMimeType="text/html,text/xml,text/css,text/javascript,application/x-javascript,application/javascript"/>
        <Connector port="9010" enableLookups="false" redirectPort="9444" protocol="AJP/1.3" />
        <Connector port="9091" protocol="org.apache.coyote.http11.Http11NioProtocol"
                   connectionTimeout="10000" tomcatAuthentication="false"
                   keepaliveTimeout="5000" backlog="50" maxThreads="10"
                   scheme="https" secure="true" SSLEnabled="true"
                   clientAuth="false" sslProtocol="TLS"
                   keystoreFile="webapps/OurProgram/.keystore" />
        <Engine name="Catalina" defaultHost="localhost">
          <Realm className="org.apache.catalina.realm.LockOutRealm">
            <Realm className="org.apache.catalina.realm.UserDatabaseRealm" resourceName="UserDatabase"/>
          </Realm>
          <Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true">
          </Host>
        </Engine>
      </Service>
    </Server>

Again, this is identical to our previous configuration, and as far as I know the only variable introduced was the upgrade to 7.0.35. This has happened across multiple OSes, from Windows 2008 64-bit to RHEL5.

Could this version of Tomcat be stricter with its implementation of HTTPS, and that is triggering the issue? If it isn't Tomcat, if something else must have changed, what would be the most likely explanation?

We would greatly appreciate any help in this matter.

Thanks and regards,
Steve T
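As an added diagnostic (not from the original post, and not Tomcat's own tooling), the script below audits the SSL connectors in a server.xml like the one above. It assumes the Tomcat 7 JSSE connector attribute names used in the post (SSLEnabled, clientAuth, sslProtocol, keystoreFile) and parses a constructed, trimmed copy of the posted configuration: it reports any connector that asks for a client certificate (the mutual-authentication cause named in the quoted DigiCert article), any connector pinned to an SSLv2/SSLv3 protocol, and any keystore placed under a Host appBase where the default servlet could serve it.

```python
"""Audit SSL connectors in a Tomcat server.xml (added example, not from the post)."""
import xml.etree.ElementTree as ET
from pathlib import PurePosixPath

# Constructed sample input: a trimmed copy of the server.xml from the post.
SERVER_XML = """<Server port="9006" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="9090" redirectPort="9444"/>
    <Connector port="9444" scheme="https" secure="true" SSLEnabled="true"
               clientAuth="false" sslProtocol="TLS"
               keystoreFile="webapps/OurProgram/.keystore"/>
    <Connector port="9091" protocol="org.apache.coyote.http11.Http11NioProtocol"
               scheme="https" secure="true" SSLEnabled="true"
               clientAuth="false" sslProtocol="TLS"
               keystoreFile="webapps/OurProgram/.keystore"/>
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps"/>
    </Engine>
  </Service>
</Server>"""


def audit_ssl_connectors(xml_text):
    """Return (port, attribute, value) findings for every SSLEnabled connector."""
    root = ET.fromstring(xml_text)
    findings = []
    for service in root.iter("Service"):
        # Directories the default servlet serves from; Tomcat's default is "webapps".
        app_bases = [h.get("appBase", "webapps") for h in service.iter("Host")]
        for conn in service.iter("Connector"):
            if conn.get("SSLEnabled", "false").lower() != "true":
                continue
            port = conn.get("port")
            # clientAuth="true" requires a client cert, "want" requests one;
            # either makes the server part of the mutual-auth picture above.
            client_auth = conn.get("clientAuth", "false").lower()
            if client_auth != "false":
                findings.append((port, "clientAuth", client_auth))
            # sslProtocol values beginning with "SSL" pin a legacy protocol.
            proto = conn.get("sslProtocol", "TLS")
            if proto.upper().startswith("SSL"):
                findings.append((port, "sslProtocol", proto))
            # A keystore whose first path component is an appBase sits inside
            # a served directory; the post's keystore is under webapps/.
            ks = conn.get("keystoreFile")
            if ks and PurePosixPath(ks).parts[:1] in [(ab,) for ab in app_bases]:
                findings.append((port, "keystoreFile", ks))
    return findings


if __name__ == "__main__":
    for port, attr, value in audit_ssl_connectors(SERVER_XML):
        print(f"connector {port}: check {attr}={value}")
```

On the posted configuration the only findings are the two keystoreFile entries; clientAuth="false" on both connectors means the mutual-authentication cause from the article does not apply, which matches the poster's reading.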