tomcat-users mailing list archives

From Mark Thomas <ma...@apache.org>
Subject Re: FW: [error] SSL0266E: Handshake Failed, Could not establish SSL proxy connection
Date Wed, 11 Oct 2017 14:44:00 GMT
On 11/10/2017 14:05, Gali, Vamsi A wrote:
> Igor,
> 
> Thank you for the response!
> 
> Since the request is failing at SSL handshake, Tomcat doesn’t even record anything
> not even the access log. I tried enabling debug at tomcat but nothing is captured during the
> request initiation.

Re-read the suggestion. You need to enable the JRE provided SSL
debugging, not Tomcat debug logging.

Check your JVM docs for how to do that.

Mark


> 
> Thank you,
> Vamsi Gali
> 
> -----Original Message-----
> From: Igor Cicimov [mailto:icicimov@gmail.com] 
> Sent: Wednesday, October 11, 2017 4:09 AM
> To: Tomcat Users List
> Subject: Re: FW: [error] SSL0266E: Handshake Failed, Could not establish SSL proxy connection
> 
> On 11 Oct 2017 1:50 am, "Gali, Vamsi A" <vamsi_a_gali@keybank.com.invalid>
> wrote:
> 
> Hello,
> 
> Any help is appreciated on this issue.
> 
> Thank you,
> Vamsi Gali
> 
> 
> -----Original Message-----
> From: Gali, Vamsi A
> Sent: Thursday, October 05, 2017 12:03 PM
> To: 'Tomcat Users List'
> Subject: RE: [error] SSL0266E: Handshake Failed, Could not establish SSL proxy connection
> 
> Hello,
> I just realized that I didn’t provide the environment info & following are the
> details:
> 
> Tomcat:  apache-tomcat-7.0.75
> IHS: IHS v8.5.5.x
> OS: RHEL
> 
> We have IHS→mod_proxy(on IHS) → Tomcat.
> I know that IHS isn’t the suggested webserver to use with Tomcat but it’s in use.
> [error] SSL0266E: Handshake Failed, Could not establish SSL proxy connection
> 
> When Tomcat is accessed through webserver url, it throws ‘500’ with the following
> stack on the IHS Error log:
> 
> [Thu Oct 00 09:20:20 2017] [debug] proxy_util.c(2313): proxy: HTTPS: fam 2 socket created to connect to TOMCAT2
> [Thu Oct 00 09:20:20 2017] [debug] proxy_util.c(2419): proxy: HTTPS: connection complete to  TOMCAT-IP:PORT (TOMCAT2)
> [Thu Oct 00 09:20:20 2017] [error] SSL0266E: Handshake Failed, Could not establish SSL proxy connection.
> [Thu Oct 00 09:20:20 2017] [info] [client TOMCAT-IP] [7fa404014a60] [13789] SSL0240I: SSL Handshake Failed, Socket has been closed. Client sent fatal alert [level 2 (fatal), description 40 (handshake_failure)] [TOMCAT-IP:PORT -> IHS:PORT] [09:20:20.000967434] 0ms
> [Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP] [7fa404014a60] Handshake transcript:
> [Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]  <client_hello>
> [Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]  client_version
> [Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP] gsksslDissector_8Bits
> [Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]    03
> [Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP] gsksslDissector_8Bits
> [Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]    03
> [Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]  TLSV12
> [Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]  random
> [Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP] gsksslDissector_32Bits
> [Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]    9xxxxxx
> [Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP] gsksslDissector_Opaque
> [Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]    Length: 28
> [Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]    1x 62 xx B3 1F 44 xx 8E D2 xx x7 17 xx 59 x9 x9     .b...D...)...Y..
> [Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]    x1 91 19 08 25 xx DC xx E1 xx 20 xx                 ....%..o.9 x
> [Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]  session_id
> [Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]  Length: 00
> [Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]  cipher_suites
> [Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]  Length: 14
> [Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]  0x Fx x6 00 00 xx 00 xx 00 xx 00 xx 00 xx           ..V..../.5....
> [Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP] tls_ri_scsv,tls_fallback_scsv,tls_rsa_with_rc4_128_sha,tls_rsa_with_aes_128_cbc_sha,tls_rsa_with_aes_256_cbc_sha,tls_rsa_with_3des_ede_cbc_sha,tls_rsa_with_rc4_128_md5
> [Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]  compression_methods
> [Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]  Length: 01
> [Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]  00                                 .
> [Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]  Extensions
> [Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]  Length: 00
> [Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]   Extension Count: 0
> [Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP] end handshake transcript
> [Thu Oct 00 09:20:20 2017] [debug] proxy_util.c(2442): proxy: HTTPS: pre_connection setup failed (500)
> [Thu Oct 00 09:20:20 2017] [debug] proxy_util.c(2022): proxy: HTTPS: has released connection for TOMCAT2
> ------------------------------------------------------------
> What’s done: IHS & Tomcat keystores contain required signers for proper communication.
> During the troubleshooting, I even added IHS server cert as a signer into Tomcat keystore
> and vice-versa but cannot get rid of this error.
> Also, tried restricting both IHS & Tomcat to use TLSv1 but no success.
> 
> Has anyone run into similar issues? Or ever tried Tomcat with IHS using mod_proxy module?
> 
> 
> Thank you,
> Vamsi Gali
> 
> 
> 
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
> 
> Well what does tomcat log say? You can add java debug ssl option to JAVA_OPTS in the
> default tomcat config file maybe it will give you a clue.
> 
> 


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
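
An added example, not part of the original thread or of Tomcat/IHS: a small parser for the IHS handshake transcript quoted above that splits fused log entries on their timestamps, extracts the fatal alert and the cipher suites offered in the `client_hello`, and compares them with a server-side list. The sample is an excerpt of the quoted log; `HYPOTHETICAL_TOMCAT_CIPHERS` is an assumption (the thread never shows the connector configuration), and the real list would come from the JSSE debug output (`javax.net.debug`) that the reply refers to.

```python
import re

# Excerpt of the IHS error log quoted in the thread, with two entries fused
# onto one line the way the mail archive wrapped them.
SAMPLE = """\
[Thu Oct 00 09:20:20 2017] [info] [client TOMCAT-IP] [7fa404014a60] [13789] SSL0240I: SSL Handshake Failed, Socket has been closed. Client sent fatal alert [level 2 (fatal), description 40 (handshake_failure)] [TOMCAT-IP:PORT -> IHS:PORT] [09:20:20.000967434] 0ms
[Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]  cipher_suites [Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]  Length: 14
[Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP] tls_ri_scsv,tls_fallback_scsv,tls_rsa_with_rc4_128_sha,tls_rsa_with_aes_128_cbc_sha,tls_rsa_with_aes_256_cbc_sha,tls_rsa_with_3des_ede_cbc_sha,tls_rsa_with_rc4_128_md5
[Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]   Extension Count: 0
"""

STAMP = re.compile(r"\[\w{3} \w{3} \d{2} \d{2}:\d{2}:\d{2} \d{4}\] ")
ALERT = re.compile(r"fatal alert \[level (\d+) \(\w+\), description (\d+) \((\w+)\)\]")
SUITES = re.compile(r"\b(tls_\w+(?:,tls_\w+)+)")
EXT = re.compile(r"Extension Count: (\d+)")

def entries(text):
    """Split on timestamps so entries fused onto one line become separate records."""
    return [e.strip() for e in STAMP.split(text.replace("\n", " ")) if e.strip()]

def summarize(text):
    """Return the fatal alert, offered suites (SCSV markers dropped) and extension count."""
    out = {"alert": None, "offered": [], "extensions": None}
    for e in entries(text):
        if (m := ALERT.search(e)):
            out["alert"] = (int(m.group(1)), int(m.group(2)), m.group(3))
        elif (m := SUITES.search(e)):
            names = m.group(1).split(",")
            out["offered"] = [n.upper() for n in names if not n.endswith("_scsv")]
        elif (m := EXT.search(e)):
            out["extensions"] = int(m.group(1))
    return out

def _norm(name):
    # JSSE names some older suites SSL_* where this log says tls_*; compare without the prefix.
    return name.upper().split("_", 1)[1]

def common_suites(offered, server_enabled):
    """Offered suites that also appear in the server's enabled list."""
    enabled = {_norm(s) for s in server_enabled}
    return [s for s in offered if _norm(s) in enabled]

# Assumption: a hypothetical connector restricted to ECDHE suites (not from the thread).
HYPOTHETICAL_TOMCAT_CIPHERS = [
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
]

if __name__ == "__main__":
    s = summarize(SAMPLE)
    print(s)
    print("common:", common_suites(s["offered"], HYPOTHETICAL_TOMCAT_CIPHERS))
```

An empty intersection is one condition under which a TLS peer answers a `client_hello` with alert 40; whether it applies here depends on the actual Tomcat connector settings.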

