Hi. We have been running Tomcat 7.0.23 in our test environment until recently,
then upgraded to 7.0.35. After the upgrade, our tests started failing
intermittently with
<urlopen error [Errno 1] _ssl.c:503: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure>
So some HTTPS requests would succeed and others fail, generating the above
message. I searched around and the following diagnosis seemed the most
applicable among the results, but I don't think it applies, given our
server.xml configuration:
----------
"SSL3_READ_BYTES:sslv3 alert handshake failure" and "SSL23_WRITE:ssl handshake
failure" Errors
These errors are caused by a directive in the configuration file that requires
mutual authentication. For example, if an SSL Certificate is sent from the
server and then a separate SSL Certificate is sent back from the client during
the SSL handshake, this error will occur.
In our experience, this directive is usually included by accident. To remove
the directive and thus fix the error, open your conf file. Change
SSLVerifyClient or SSLVerifyClient optional_no_ca to SSLVerifyClient none, then
restart Apache. This change will tell the Apache server to stop looking for a
client certificate when completing the SSL handshake with a client computer.
Another possible cause of these errors is including the line SSLVerifyDepth 1
in the conf file. Comment out the line by adding a # to the beginning (ex.
#SSLVerifyDepth 1).
[http://www.digicert.com/ssl-support/apache-fix-common-ssl-errors.htm]
----------
This article was specifically addressing httpd, but the recommendation would
seem to apply for Tomcat if using an APR connector, but we are not, as far as I
can tell. Here is our stripped-down server.xml configuration:
<?xml version='1.0' encoding='utf-8'?>
<Server port="9006" shutdown="SHUTDOWN">
  <Listener className="org.apache.catalina.core.JasperListener" />
  <!-- Prevent memory leaks due to use of particular java/javax APIs-->
  <Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener" />
  <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
  <Listener className="org.apache.catalina.core.ThreadLocalLeakPreventionListener" />

  <GlobalNamingResources>
    <Resource name="UserDatabase" auth="Container"
              type="org.apache.catalina.UserDatabase"
              description="User database that can be updated and saved"
              factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
              pathname="conf/tomcat-users.xml" />
  </GlobalNamingResources>

  <Service name="Catalina">
    <Connector port="9090" maxHttpHeaderSize="8192"
               maxThreads="150" minSpareThreads="25"
               maxSpareThreads="75"
               enableLookups="false" redirectPort="9444"
               acceptCount="100"
               connectionTimeout="20000"
               disableUploadTimeout="true" URIEncoding="UTF-8"
               compression="on" compressionMinSize="1024"
               noCompressionUserAgents="gozilla, traviata"
               compressableMimeType="text/html,text/xml,text/css,text/javascript,application/x-javascript,application/javascript" />

    <Connector port="9444" maxHttpHeaderSize="8192"
               maxThreads="150" minSpareThreads="25"
               maxSpareThreads="75" enableLookups="false"
               disableUploadTimeout="true"
               acceptCount="100" scheme="https" secure="true"
               SSLEnabled="true"
               clientAuth="false" sslProtocol="TLS"
               keystoreFile="webapps/OurProgram/.keystore"
               compression="on" compressionMinSize="1024"
               noCompressionUserAgents="gozilla, traviata"
               compressableMimeType="text/html,text/xml,text/css,text/javascript,application/x-javascript,application/javascript" />

    <Connector port="9010" enableLookups="false" redirectPort="9444"
               protocol="AJP/1.3" />

    <Connector port="9091"
               protocol="org.apache.coyote.http11.Http11NioProtocol"
               connectionTimeout="10000"
               tomcatAuthentication="false" keepaliveTimeout="5000"
               backlog="50" maxThreads="10" scheme="https"
               secure="true" SSLEnabled="true"
               clientAuth="false" sslProtocol="TLS"
               keystoreFile="webapps/OurProgram/.keystore" />

    <Engine name="Catalina" defaultHost="localhost">
      <Realm className="org.apache.catalina.realm.LockOutRealm">
        <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
               resourceName="UserDatabase" />
      </Realm>
      <Host name="localhost" appBase="webapps"
            unpackWARs="true" autoDeploy="true">
      </Host>
    </Engine>
  </Service>
</Server>
Again, this is identical to our previous configuration, and as far as I know
the only variable introduced was the upgrade to 7.0.35. This has happened
across multiple OSes, from Windows 2008 64-bit to RHEL5.
Could this version of Tomcat be stricter with its implementation of HTTPS, and
that is triggering the issue?
If it isn't Tomcat--if something else must have changed--what would be the most
likely explanation?
We would greatly appreciate any help in this matter.
Thanks and regards,
Steve T
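A decoder for the OpenSSL error code quoted in the failing request above, added here as an example and not part of Steve's message or of Tomcat. The packed code 14094410 carries three fields (library, function, reason) and, for SSL-library reasons of 1000 and above, the reason is 1000 plus the TLS alert number the remote side sent; that is what separates "the server refused the handshake" from "the client could not verify the certificate" when triaging a run of intermittently failing tests. The error strings other than the one on the page, and the log lines in SAMPLE_FAILURES, are constructed sample input; the alert-name table is a small subset of the RFC 5246 AlertDescription values.

```python
"""Decode OpenSSL packed error codes from urllib/ssl tracebacks and group a
batch of failures by cause (added example, not code from the original post)."""
import re

# Layout of an OpenSSL 0.9.8/1.0.x packed error code, ERR_PACK(lib, func, reason):
#   bits 31..24 : library  (ERR_LIB_SSL is 20, i.e. 0x14)
#   bits 23..12 : function (12 bits)
#   bits 11..0  : reason   (12 bits)
ERR_LIB_SSL = 20

# SSL-library reasons 1000..1255 mean "the peer sent a fatal alert";
# reason - 1000 is the TLS AlertDescription value (RFC 5246, section 7.2.2).
SSL_AD_REASON_OFFSET = 1000
TLS_ALERT_NAMES = {  # subset of RFC 5246 AlertDescription values
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    40: "handshake_failure", 42: "bad_certificate", 46: "certificate_unknown",
    48: "unknown_ca", 70: "protocol_version", 80: "internal_error",
}

# OpenSSL error text as printed by the Python 2 ssl wrapper:
#   error:<8 hex digits>:<library>:<function>:<reason text>
# (Python 3 prints "[SSL: REASON_NAME] ..." without the hex code, so the
#  parser deliberately returns None for that format.)
_ERR_RE = re.compile(r"error:([0-9A-Fa-f]{8}):([^:]+):([^:]+):([^>\]]+)")

# The exact message from the page (line wrap removed by the parser itself).
PAGE_ERROR = ("<urlopen error [Errno 1] _ssl.c:503: error:14094410:SSL "
              "routines:SSL3_READ_BYTES:sslv3 alert handshake failure>")

# Constructed sample of a test run: two occurrences of the page's error,
# one peer-sent protocol_version alert, and one local verification failure.
SAMPLE_FAILURES = [
    PAGE_ERROR,
    "error:1407742E:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert protocol version",
    PAGE_ERROR,
    "error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed",
]


def unpack_error_code(code):
    """Split a packed OpenSSL error code into (library, function, reason)."""
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF


def parse_openssl_error(message):
    """Decode the first OpenSSL error in a traceback or log line.

    Returns a dict of the decoded fields, or None if no packed code is present.
    """
    m = _ERR_RE.search(" ".join(message.split()))  # re-join wrapped lines
    if not m:
        return None
    code = int(m.group(1), 16)
    lib, func, reason = unpack_error_code(code)
    peer_alert = None
    if lib == ERR_LIB_SSL and SSL_AD_REASON_OFFSET <= reason < SSL_AD_REASON_OFFSET + 256:
        peer_alert = reason - SSL_AD_REASON_OFFSET
    return {
        "code": code,
        "library": lib, "library_name": m.group(2).strip(),
        "function": func, "function_name": m.group(3).strip(),
        "reason": reason, "reason_text": m.group(4).strip(),
        "peer_alert": peer_alert,
        "alert_name": TLS_ALERT_NAMES.get(peer_alert) if peer_alert is not None else None,
    }


def explain(info):
    """One-line triage verdict: was the handshake rejected remotely or locally?"""
    if info is None:
        return "no OpenSSL error code found"
    if info["peer_alert"] is not None:
        name = info["alert_name"] or "alert %d" % info["peer_alert"]
        return ("remote side aborted the handshake with TLS alert %d (%s); "
                "check the server's TLS settings and logs, e.g. offered protocol "
                "versions/cipher suites and any client-cert requirement"
                % (info["peer_alert"], name))
    return ("local OpenSSL failure '%s' in %s (no alert from the peer); check the "
            "client's trust store and verification settings"
            % (info["reason_text"], info["function_name"]))


def triage(lines):
    """Group failure lines by decoded cause; returns {verdict: count}."""
    counts = {}
    for line in lines:
        key = explain(parse_openssl_error(line))
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    for verdict, n in sorted(triage(SAMPLE_FAILURES).items(), key=lambda kv: -kv[1]):
        print("%3d  %s" % (n, verdict))
```

Reading the page's code this way: library 20 (SSL), function 148 (SSL3_READ_BYTES, the client was reading the server's reply) and reason 1040, i.e. alert 40, handshake_failure, which RFC 5246 defines as the sender being unable to negotiate an acceptable set of security parameters. That points at what the two sides offer each other on the failing connections rather than at the client's certificate checks.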