André,

On 5/31/19 13:50, André Warnier (tomcat) wrote:
> On 31.05.2019 18:12, James H. H. Lampert wrote:
>> Thanks.
>>
>> We think that the customer has solved the cipher problem,
>> because, at least as of when I checked on Wednesday, that error
>> message was no longer appearing.
>>
>> Yet they're still not connecting. I can *ping*
>> maps.googleapis.com from their box, with no trouble whatsoever,
>
> That is perhaps because "ping" does not use TCP/IP, it uses
> another protocol called ICMP, which is (a) connection-less and (b)
> not usually blocked by firewalls. At least, this shows that the DNS
> part is working correctly, and that the customer's host has a
> "route" to that server. But for example, if the server (or a
> firewall) blocked connections to the port which the webapp is
> trying to reach, you would still get the problem below. (Or if the
> server simply is not listening on that port).

+1

James, what if you:

$ openssl s_client -connect maps.googleapis.com:443

Do you get a connection? If so, there is some other issue with the software and we'll have to dig in. If that does NOT connect, then it is probably a network / firewall problem.

That's the same IPv6 address that I get when I do "host maps.googleapis.com" so at least you aren't having DNS intercepted or something like that.

You may also need to go through an HTTP proxy to get to the outside. You might want to ask the client if they require an HTTP proxy.

Hmm. Intermittent connection failures, sometimes with cipher-suite mismatches and other weird things? Maybe they are one of those companies who MitM everything and their MitM box is badly configured... or they are playing with it.

I'm putting the certificate actually presented by maps.googleapis.com to a clean source below. If you can connect with "openssl s_client" then check to see that they are the same.

If the company is MitM'ing, then tell them to (a) stop it and (b) fix that component so that it works properly.

> But when the webapp tries to connect, it gets
>>> java.net.ConnectException: Failed to connect to
>>> maps.googleapis.com/2607:f8b0:4009:807:0:0:0:200a:443
>>
>> And the really weird part is that none of the messages in the
>> resulting stacktrace appear to refer to any of our classes, or to
>> any classes that appear to have anything to do with Tomcat.
>>
>
> This is not so weird, if that webapp (as is likely) contains its
> own classes to make the connection that /it/ tries to make to the
> Google server.

Or, like a lot of software, using something like Apache http-client. The package name for that starts with org.apache.http and there can be miles of stack frames in their traces. (IMO http-client has become far too complicated to be of use to casual programmers. I honestly can't believe it's that complicated to make an HTTP request. Spoiler alert: it's not.)

Would you be willing to post some (or all!) of the stack trace?

> The problem seems to be with the webapp, and you would have more
> luck trying to get information from whoever supplied that webapp.
> Maybe it has some parameter to increase its log level, which may
> tell you in the log the details of why it cannot establish a TCP
> connection with the Google server. (Who knows, the customer server
> IP may even be blacklisted by Google..)

That's an interesting thought, but Google doesn't usually do that without a really good reason.

-chris

FYI, Google's certificate from maps.googleapis.com
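
The checks suggested in this message (does a TCP connection to port 443 succeed where ping does, and is the certificate presented the same one seen from a clean network) can be scripted. The following is an added example, not part of the original e-mail; the function names and the result format are assumptions, and it connects directly rather than through an HTTP proxy.

```python
import hashlib
import socket
import ssl


def fingerprint(pem: str) -> str:
    """SHA-256 hex digest of the DER bytes inside a PEM certificate."""
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(pem)).hexdigest()


def classify(exc: OSError) -> str:
    """Name the layer that failed; order matters, all of these are OSError."""
    if isinstance(exc, socket.gaierror):
        return "dns"                  # name did not resolve
    if isinstance(exc, ssl.SSLCertVerificationError):
        return "tls-untrusted-cert"   # chain not trusted by the local store
    if isinstance(exc, ssl.SSLError):
        return "tls-handshake"        # e.g. no shared cipher suite
    return "tcp"                      # refused, timed out, no route


def probe(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Resolve, connect and handshake, reporting how far the attempt got."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            ctx = ssl.create_default_context()
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                der = tls.getpeercert(binary_form=True)
                issuer = dict(rdn[0] for rdn in tls.getpeercert()["issuer"])
                return {"stage": "ok", "peer": tls.getpeername()[0],
                        "issuer": issuer.get("organizationName"),
                        "sha256": hashlib.sha256(der).hexdigest()}
    except OSError as exc:
        return {"stage": classify(exc), "error": str(exc)}


def verdict(result: dict, reference_pem: str) -> str:
    """Compare a probe result with a certificate saved from a clean network."""
    if result["stage"] != "ok":
        return "failed at " + result["stage"]
    if result["sha256"] == fingerprint(reference_pem):
        return "same certificate"
    # A different leaf can be routine rotation; check the issuer before
    # concluding that a middlebox is re-signing the connection.
    return "different certificate, issuer: " + str(result["issuer"])


if __name__ == "__main__":
    print(probe("maps.googleapis.com"))
```

Run it on the affected host and pass the result, together with a PEM saved from a network known to be clean, to `verdict()`.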