tomcat-users mailing list archives

From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: FW: [error] SSL0266E: Handshake Failed, Could not establish SSL proxy connection
Date Fri, 13 Oct 2017 02:37:42 GMT

Vamsi,

On 10/12/17 11:06 AM, Gali, Vamsi A wrote:
> This issue is now RESOLVED.

Great.

> On IHS (IBM HTTP Server, IBM version of Apache Webserver), we only
> had 2 TLS ciphers that are not compatible with Tomcat TLSv1.2. So I
> added "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256" to IHS httpd.conf
> by looking at this:
> https://www.ibm.com/support/knowledgecenter/en/SSEQTJ_8.5.5/com.ibm.websphere.ihs.doc/ihs/rihs_ciphspec.html
> and IHS can communicate with Tomcat W/O any issues. Woohoo!
>
> The reason I picked the above cipher is because it's on the list
> of ciphers tomcat's JVM supports.

I would recommend that you configure IHS to support *multiple* cipher
suites instead of just the one. I would also recommend using GCM mode
instead of CBC mode if you can do so.

> Igor, I couldn't use one of the java based cipher tools so used a
> small script to get a list of ciphers available for a jvm (this can
> be used for any Linux server as long as openssl is available):
>
> #!/bin/sh
> for v in tls1_2; do
>   for c in $(openssl ciphers 'ALL:eNULL' | tr ':' ' '); do
>     openssl s_client -connect SERVERNAME:https_port \
>       -cipher $c -$v < /dev/null > /dev/null 2>&1 && echo -e "$v:\t$c"
>   done
> done

The output of the above command has absolutely nothing to do with the
cipher suites Java supports. In order to determine what Java supports,
you must use a Java-based tool.

(Unless you are using APR, but you are clearly using Java BIO.)

> I executed above script to find out a list of ciphers on Tomcat's
> jvm and based on that I chose to use
> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 on IHS.
>
> I appreciate all the help on finding me the true issue!

Glad you got it done but it's clear there is still some confusion.

-chris
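
An added example (not part of the original message) of the kind of Java-based check the reply refers to: it asks the JVM's own JSSE provider which TLSv1.2 cipher suites it supports and which are enabled by default, and labels each as GCM or CBC. The class name `JvmCipherSuites` is an assumption made for this example.

```java
import java.util.Arrays;
import java.util.LinkedHashSet;
import java.util.Set;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;

/** Added example: lists the TLSv1.2 cipher suites this JVM supports and enables by default. */
public class JvmCipherSuites {
    public static void main(String[] args) throws Exception {
        // Ask the JVM's JSSE provider directly; this is what Tomcat's Java connectors negotiate with.
        SSLContext ctx = SSLContext.getInstance("TLSv1.2");
        ctx.init(null, null, null); // default key managers, trust managers and RNG

        SSLEngine engine = ctx.createSSLEngine();
        engine.setUseClientMode(false); // view the suites from the server side (Tomcat's role)

        Set<String> enabled = new LinkedHashSet<>(Arrays.asList(engine.getEnabledCipherSuites()));
        String[] supported = engine.getSupportedCipherSuites();
        Arrays.sort(supported);

        System.out.println("java.version = " + System.getProperty("java.version"));
        for (String suite : supported) {
            // Signalling value for secure renegotiation, not a real cipher suite.
            if (suite.equals("TLS_EMPTY_RENEGOTIATION_INFO_SCSV")) continue;
            String mode = suite.contains("_GCM_") ? "GCM"
                        : suite.contains("_CBC_") ? "CBC" : "other";
            System.out.printf("%-8s %-5s %s%n",
                    enabled.contains(suite) ? "enabled" : "disabled", mode, suite);
        }

        // Optional arguments: suite names in Java/IANA spelling to check one by one,
        // e.g. TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
        Set<String> all = new LinkedHashSet<>(Arrays.asList(supported));
        for (String wanted : args) {
            System.out.printf("%s -> %s%n", wanted,
                    !all.contains(wanted) ? "NOT supported by this JVM"
                    : enabled.contains(wanted) ? "supported and enabled by default"
                    : "supported but disabled by default");
        }
    }
}
```

Compile and run it with the same JVM that runs Tomcat, since the supported list depends on the Java version and installed security providers. The names printed are in Java/IANA spelling, which differs from the names `openssl ciphers` prints.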
