tomcat-users mailing list archives

From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: AW: Outbound SSL?
Date Fri, 31 May 2019 20:58:44 GMT

André,

On 5/31/19 13:50, André Warnier (tomcat) wrote:
> On 31.05.2019 18:12, James H. H. Lampert wrote:
>> Thanks.
>> 
>> We think that the customer has solved the cipher problem,
>> because, at least as of when I checked on Wednesday, that error
>> message was no longer appearing.
>> 
>> Yet they're still not connecting. I can *ping*
>> maps.googleapis.com from their box, with no trouble whatsoever,
> 
> That is perhaps because "ping" does not use TCP/IP, it uses
> another protocol called ICMP, which is (a) connection-less and (b)
> not usually blocked by firewalls. At least, this shows that the DNS
> part is working correctly, and that the customer's host has a
> "route" to that server. But for example, if the server (or a
> firewall) blocked connections to the port which the webapp is
> trying to reach, you would still get the problem below. (Or if the
> server simply is not listening on that port).

+1

James, what if you:

$ openssl s_client -connect maps.googleapis.com:443

Do you get a connection? If so, there is some other issue with the
software and we'll have to dig-in. If that does NOT connect, then it
is probably a network / firewall problem.

That's the same IPv6 address that I get when I do "host
maps.googleapis.com" so at least you aren't having DNS intercepted or
something like that.

You may also need to go through an HTTP proxy to get to the outside.
You might want to ask the client if they require an HTTP proxy.

Hmm. Intermittent connection failures, sometimes with cipher-suite
mismatches and other weird things? Maybe they are one of those
companies who MitM everything and their MitM box is badly
configured... or they are playing with it.

I'm putting the certificate actually presented by maps.googleapis.com
to a clean source below. If you can connect with "openssl s_client"
then check to see that they are the same. If the company is MitM'ing,
then tell them to (a) stop it and (b) fix that component so that it
works properly.

>> But when the webapp tries to connect, it gets
>>> java.net.ConnectException: Failed to connect to 
>>> maps.googleapis.com/2607:f8b0:4009:807:0:0:0:200a:443
>> 
>> And the really weird part is that none of the messages in the 
>> resulting stacktrace appear to refer to any of our classes, or to
>> any classes that appear to have anything to do with Tomcat.
>> 
> 
> This is not so weird, if that webapp (as is likely) contains its
> own classes to make the connection that /it/ tries to make to the
> Google server.

Or, like a lot of software, using something like Apache http-client.
The package name for that starts with org.apache.http and there can be
miles of stack frames in their traces. (IMO http-client has become far
too complicated to be of use to casual programmers. I honestly can't
believe it's that complicated to make an HTTP request. Spoiler alert:
it's not.)

Would you be willing to post some (or all!) of the stack trace?

> The problem seems to be with the webapp, and you would have more
> luck trying to get information from whoever supplied that webapp.
> Maybe it has some parameter to increase its log level, which may
> tell you in the log the details of why it cannot establish a TCP
> connection with the Google server. (Who knows, the customer server
> IP may even be blacklisted by Google..)

That's an interesting thought, but Google doesn't usually do that
without a really good reason.

-chris

FYI, Google's certificate from maps.googleapis.com

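The "connect with s_client and compare against a clean copy" check that Chris describes, as an added example that is not code from the thread: it pulls the certificate block out of pasted `openssl s_client` output, fingerprints it the way `openssl x509 -fingerprint -sha256` does, and compares it with the certificate obtained from a clean source. The sample certificates are constructed placeholders, and `fetch_leaf_cert` is an assumed helper for running the live check from the customer's box.

```python
import base64
import hashlib
import re
import socket
import ssl

# Matches each PEM block that `openssl s_client` prints between its
# "depth=" / "verify return:" lines and the session summary.
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)

def extract_pem_certs(s_client_output: str) -> list[str]:
    """Return every PEM certificate found in pasted `openssl s_client` output."""
    return [m.group(0) for m in PEM_BLOCK.finditer(s_client_output)]

def fingerprint_sha256(pem: str) -> str:
    """SHA-256 over the DER bytes, formatted like `openssl x509 -fingerprint -sha256`."""
    body = PEM_BLOCK.search(pem).group(1)
    der = base64.b64decode("".join(body.split()))
    return ":".join(f"{b:02X}" for b in hashlib.sha256(der).digest())

def fetch_leaf_cert(host: str, port: int = 443, timeout: float = 10.0) -> str:
    """Live equivalent of `openssl s_client -connect host:port`, run from the client box.
    A refused or timed-out TCP connect raises here, which points at a firewall or
    proxy rather than at the webapp (assumed helper; needs network access)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return ssl.DER_cert_to_PEM_cert(tls.getpeercert(binary_form=True))

def check_for_interception(presented_pem: str, known_good_pem: str) -> tuple[bool, str, str]:
    """True when the cert seen by the client matches the clean-source copy; a
    mismatch means a MitM proxy or SSL-inspecting firewall re-signed it."""
    seen, expected = fingerprint_sha256(presented_pem), fingerprint_sha256(known_good_pem)
    return seen == expected, seen, expected

# Constructed sample data: NOT real certificates, just placeholder DER bytes.
KNOWN_GOOD_PEM = ssl.DER_cert_to_PEM_cert(b"placeholder DER: cert from a clean source")
INTERCEPTED_PEM = ssl.DER_cert_to_PEM_cert(b"placeholder DER: cert re-signed by a proxy")
SAMPLE_S_CLIENT_OUTPUT = ("CONNECTED(00000003)\ndepth=0 CN = maps.googleapis.com\n"
                          "verify return:1\n---\nServer certificate\n" + INTERCEPTED_PEM + "---\n")

if __name__ == "__main__":
    presented = extract_pem_certs(SAMPLE_S_CLIENT_OUTPUT)[0]
    same, seen, expected = check_for_interception(presented, KNOWN_GOOD_PEM)
    print("match" if same else f"MISMATCH\n seen:     {seen}\n expected: {expected}")
```

If the interception proxy's CA is not trusted on the box, `fetch_leaf_cert` fails verification before any comparison, which is itself the signal that something is in the path.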
