tomcat-users mailing list archives

From André Warnier (tomcat) ...@ice-sa.com>
Subject Re: FW: [error] SSL0266E: Handshake Failed, Could not establish SSL proxy connection
Date Thu, 12 Oct 2017 14:04:37 GMT
On 12.10.2017 15:33, Gali, Vamsi A wrote:
> :)
> IHS is IBM HTTP Server.
>
> Thank you,

Thank you too. I feel a lot less like a dummy now.
And after reading a bit on "IHS" now, it would seem that this is at least 90% Apache httpd 2.2, which may make it clearer to other people that maybe they could help too.

>
>
> -----Original Message-----
> From: André Warnier (tomcat) [mailto:aw@ice-sa.com]
> Sent: Thursday, October 12, 2017 9:32 AM
> To: users@tomcat.apache.org
> Subject: Re: FW: [error] SSL0266E: Handshake Failed, Could not establish SSL proxy connection
>
> And for the rest of us dummies trying to follow this conversation, what might "IHS" be?
> Whatever Google returns doesn't seem really relevant.
>
> On 12.10.2017 15:25, Gali, Vamsi A wrote:
>> Igor,
>> Thank you for suggesting that I turn on the SSL debug. We are using Java 1.8, which
>> by default uses TLS1.2. It looks like both IHS & Tomcat are using TLS1.2 but there is a cipher
>> mismatch. We have Tam directly connecting to Tomcat and the connectivity works w/o any SSL
>> handshake errors. Hence, I'm suspecting IHS and will try adding the same TLS1.2 ciphers
>> that Tomcat/Java supports.
>>
>> Thank you,
>> Vamsi Gali
>>
>>
>> -----Original Message-----
>> From: Igor Cicimov [mailto:icicimov@gmail.com]
>> Sent: Wednesday, October 11, 2017 7:33 PM
>> To: Tomcat Users List
>> Subject: Re: FW: [error] SSL0266E: Handshake Failed, Could not
>> establish SSL proxy connection
>>
>> On Thu, Oct 12, 2017 at 9:17 AM, Igor Cicimov <icicimov@gmail.com> wrote:
>>
>>> On 12 Oct 2017 8:25 am, "Gali, Vamsi A"
>>> <vamsi_a_gali@keybank.com.invalid>
>>> wrote:
>>>
>>> The debug log produced following & it's evident that handshake is
>>> failing due to no ciphers suites in common.
>>>
>>> Allow unsafe renegotiation: false
>>> Allow legacy hello messages: true
>>> Is initial handshake: true
>>> Is secure renegotiation: false
>>> http-bio-xxxx-Acceptor-0, setSoTimeout(60000) called
>>> Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1
>>> Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 for TLSv1
>>> Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1
>>> Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 for TLSv1
>>> Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for TLSv1
>>> Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for TLSv1
>>> Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
>>> Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
>>> Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
>>> Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
>>> Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for TLSv1.1
>>> Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for TLSv1.1
>>> http-bio-xxxx-exec-2, READ: TLSv1.2 Handshake, length = 57
>>> *** ClientHello, TLSv1.2
>>> RandomCookie:  GMT: -2042962343 bytes = { 199, 95, 13, 144, 113, 194, 145, 53, 176, 117, 165, 93, 196, 76, 17, 104, 214, 95, 96, 238, 97, 6, 240, 239, 53, 188, 180, 41 }
>>> Session ID:  {}
>>> Cipher Suites: [TLS_EMPTY_RENEGOTIATION_INFO_SCSV, Unknown 0x56:0x0, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_RC4_128_MD5]
>>> Compression Methods:  { 0 }
>>> ***
>>> %% Initialized:  [Session-13, SSL_NULL_WITH_NULL_NULL]
>>> %% Invalidated:  [Session-13, SSL_NULL_WITH_NULL_NULL]
>>> http-bio-xxxx-exec-2, SEND TLSv1.2 ALERT:  fatal, description = handshake_failure
>>> http-bio-xxxx-exec-2, WRITE: TLSv1.2 Alert, length = 2
>>> http-bio-xxxx-exec-2, called closeSocket()
>>>
>>>
>>>
>>> http-bio-xxxx-exec-2, handling exception: javax.net.ssl.SSLHandshakeException:
>>> no cipher suites in common
>>> http-bio-xxxx-exec-2, IOException in getSession():
>>> javax.net.ssl.SSLHandshakeException: no cipher suites in common
>>>
>>>
>>> There you go, no comment needed.
>>>
>> Also, since you are using JSSE in your Tomcat connector, you never
>> mentioned the Java version you are using. From the logs it looks like IHS offers TLSv1.2
>> ciphers but Tomcat does not support them, so maybe you are running an outdated version of Java,
>> maybe 1.6?
>>
>> There are some tools out there you can use to find the default SSL/TLS cipher suites that
>> the JVM will use (and I think I've seen one from Christopher Schultz). The tool should provide
>> you with output like this:
>>
>> $ java Ciphers
>> Default    Cipher
>>        SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
>> *    SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
>>        SSL_DHE_DSS_WITH_DES_CBC_SHA
>>        SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
>> *    SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
>>        SSL_DHE_RSA_WITH_DES_CBC_SHA
>>        SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA
>>        SSL_DH_anon_WITH_3DES_EDE_CBC_SHA
>>        SSL_DH_anon_WITH_DES_CBC_SHA
>>        SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
>> *    SSL_RSA_WITH_3DES_EDE_CBC_SHA
>>        SSL_RSA_WITH_DES_CBC_SHA
>>        SSL_RSA_WITH_NULL_MD5
>>        SSL_RSA_WITH_NULL_SHA
>> *    TLS_DHE_DSS_WITH_AES_128_CBC_SHA
>> *    TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
>> *    TLS_DHE_DSS_WITH_AES_128_GCM_SHA256
>> *    TLS_DHE_RSA_WITH_AES_128_CBC_SHA
>> *    TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
>> *    TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
>>        TLS_DH_anon_WITH_AES_128_CBC_SHA
>>        TLS_DH_anon_WITH_AES_128_CBC_SHA256
>>        TLS_DH_anon_WITH_AES_128_GCM_SHA256
>> ...
>>
>> then pick one of the supported default ciphers (marked with a star) and use it in
>> IHS (as is, or translated the IHS way; no idea about that) so you get a match. I know nothing
>> about IHS so can't help there.
>>
>> If that doesn't work then I would say IHS does some funky stuff with the cipher suites
>> in a way that Tomcat can't understand them.
>>
>> Igor
>>


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
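Igor's "java Ciphers" output above lists which suites the JVM enables by default. The program below is an added example, not code from this thread, from Tomcat or from the tool Igor mentions: it produces the same star-marked listing through the standard SSLContext API and then checks the suite names the client sent in the quoted ClientHello against what this JVM supports and enables. The class name CipherCheck and the comparison logic are assumptions of this example; the five suite names are copied from the quoted log, and the "Unknown 0x56:0x0" entry is left out because 0x5600 is TLS_FALLBACK_SCSV, a signalling value rather than a cipher.

```java
import javax.net.ssl.SSLContext;
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;
import java.util.LinkedHashSet;
import java.util.Set;
import java.util.TreeSet;

/**
 * CipherCheck (example code, not from the thread or from Tomcat):
 * list the cipher suites this JVM supports and enables by default, then
 * compare a client's offered suites against them. Run it with the same
 * JVM that runs Tomcat, because jdk.tls.disabledAlgorithms in that
 * installation's java.security file changes the "enabled" set.
 */
public class CipherCheck {

    /**
     * Suites from the ClientHello quoted in the thread. The two SCSV
     * entries (TLS_EMPTY_RENEGOTIATION_INFO_SCSV and 0x56:0x0, which is
     * TLS_FALLBACK_SCSV) are signalling values, not ciphers, and are omitted.
     */
    static final String[] OFFERED_FROM_THREAD = {
        "SSL_RSA_WITH_RC4_128_SHA",
        "TLS_RSA_WITH_AES_128_CBC_SHA",
        "TLS_RSA_WITH_AES_256_CBC_SHA",
        "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
        "SSL_RSA_WITH_RC4_128_MD5"
    };

    public static void main(String[] args) throws NoSuchAlgorithmException {
        // Suite names may be passed on the command line to check a different ClientHello.
        String[] offered = args.length > 0 ? args : OFFERED_FROM_THREAD;

        SSLContext ctx = SSLContext.getDefault();
        // Everything the provider implements, including suites switched off
        // through jdk.tls.disabledAlgorithms.
        Set<String> supported = new TreeSet<>(Arrays.asList(
                ctx.getSupportedSSLParameters().getCipherSuites()));
        // What a socket from this context enables unless the application
        // (for Tomcat: the connector's "ciphers" attribute) narrows it further.
        Set<String> enabled = new TreeSet<>(Arrays.asList(
                ctx.getDefaultSSLParameters().getCipherSuites()));

        // Same layout as the listing quoted in the thread: '*' marks a default suite.
        System.out.println("Default    Cipher");
        for (String suite : supported) {
            System.out.println((enabled.contains(suite) ? "*    " : "     ") + suite);
        }

        System.out.println();
        System.out.println("Offered by client:");
        Set<String> common = new LinkedHashSet<>();
        for (String suite : offered) {
            String status;
            if (enabled.contains(suite)) {
                status = "enabled";
                common.add(suite);
            } else if (supported.contains(suite)) {
                status = "supported but disabled (check jdk.tls.disabledAlgorithms)";
            } else {
                status = "not implemented by this JVM";
            }
            System.out.printf("  %-36s %s%n", suite, status);
        }

        System.out.println();
        if (common.isEmpty()) {
            System.out.println("No cipher suites in common: the handshake will fail.");
            System.exit(1);
        }
        System.out.println("Suites in common (JVM defaults): " + common);
    }
}
```

Compile and run it with the JVM that Tomcat uses, for example `$JAVA_HOME/bin/javac CipherCheck.java && $JAVA_HOME/bin/java CipherCheck`. On a current Java 8 the two RC4 suites should show as "supported but disabled", since RC4 is in jdk.tls.disabledAlgorithms there, while TLS_RSA_WITH_AES_128_CBC_SHA normally shows as enabled. If it does, the JVM defaults are not what rejects this client, and the connector's own `ciphers` attribute is the next thing to inspect: the "Ignoring unsupported cipher suite ... for TLSv1" lines in the quoted log are JSSE reporting suites from the server's enabled list that cannot be used with older protocol versions, and if that list enables only ECDHE/DHE suites, none of the five TLS_RSA_*/SSL_RSA_* suites the client offers can match regardless of the JVM defaults. Those five suites also all require an RSA certificate on the Tomcat side, which is worth confirming in the keystore at the same time.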

