Resolved, Re: Connection reset while trying to access a web service running under Tomcat

[James H. H. Lampert]

On 2/24/17, 8:56 AM, Christopher Schultz wrote:


You need to enable logging at a lower level than this if a TLS
connection is failing. Tomcat doesn't get any indication that anyone
even tried to make a connection if the TLS handshake fails.

. . .

Dear Mr. Schultz (and all others who responded):

As it turns out, it *WAS* still a problem at the customer's end. They 
did something else (they didn't say *what*) and now, it's working just fine.


Thanks for getting back to me, though.

--
JHHL


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: Connection reset while trying to access a web service running under Tomcat

[Christopher Schultz]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

André,

On 2/23/17 7:08 PM, André Warnier (tomcat) wrote:
> On 24.02.2017 00:57, James H. H. Lampert wrote:
>> On 2/23/17, 3:13 PM, André Warnier (tomcat) wrote:
>>> It seems to say right up here what the problem is : the
>>> customer system cannot establish a HTTPS connection with your
>>> server. The connection attempt starts, but then your server
>>> rejects it and closes the connection. Maybe they cannot agree
>>> on a common SSL protocol ?
>> . . .
>> 
>> Is there a diagnostic setting I can apply to the Tomcat server,
>> that would shed any light on what's happening?
>> 
> 
> Probably, if you set the log level high enough. Unfortunately, the 
> tomcat logging configuration is also not really my thing. One
> expert in these matters on this list is Christopher, but he seems
> to get list emails after some delay.

High praise. My delays are usually self-imposed. :)

> So have a little patience, and you'll probably be helped.
> 
> In the meantime, there is always the helpful on-line tomcat 
> documentation which you could try. 
> http://tomcat.apache.org/tomcat-8.0-doc/logging.html

You need to enable logging at a lower level than this if a TLS
connection is failing. Tomcat doesn't get any indication that anyone
even tried to make a connection if the TLS handshake fails.

James, are you using APR/tcnative/OpenSSL or JSSE? With JSSE, you can
enable logging with the system property "-Djavax.net.debug=all"
(without quotes, of course). Beware: this will produce ENORMOUS
amounts of debugging output. Don't put it into production... just
set-up a test server within the same environment and try to make
connections.

Back to the original report... is this a single client that
*sometimes* gets connection resets or is it multiple clients, some of
which always get resets and other clients are okay? If it's one
client, do they have multiple boxes/client services, etc. that can be
identified as "always working" or "always failing", or is this all
totally intermittent?

Finally... what's the underlying protocol? Plain-old HTTP or
Websocket? I guess you are getting reset-on-connect and not
reset-during-communication, so the underlying protocol might not
matter at all.

- -chris
-BEGIN PGP SIGNATURE-
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIcBAEBCAAGBQJYsGXGAAoJEBzwKT+lPKRYCpcP/1liYo5BOSR7cyb7kKYBmnfC
WA3V8Faw8IXZGeeEwFGVEYB8HAa+jnivX8nlYSf8q6pU/FBA5KuO4fVAZJchOLB4
I+DC83+FjciMXcgklYIt+i8IVlw3wQssriMgEDG/xhoQB7i+NPRp66RBvZ/+OEhu
iyY1nndw8SU+RvQAz97r8GcUNz5eTfqxJmt030D/K72oHdoLjSLjLUD3rze/0/wm
9AysEEEYwck8rzq3WrYKXhBbxCkor+rKt24ZT1zAzLqfNMXWLko0MMn+el3ChuDf
2dLRGThq6itu08Pq3neiUu7jC1Cx9XUen8MozSe4dGL2snG8/lAxuq2j3S7i8/b1
mq4yzyVDZqsaBm8Ctnb95nFf4KeTbG0HUxMUPNbzHaOSJKknrYg4NWNSstT4d2Bk
b9kDx7ue7LhxWoaekp8d9CvBrMwMv6P5bVb994Z6onfGOSatilgUrZW8zOmfxTJD
OwWpwDGPw5rse4r+PudPkX3iKjFtejKzsmExI+89AwbQD8R/bBNL3sN4Jm5fY+Gz
4pYGICiEGzxlpJyvtYaIZtmUvubyj8RQ3dKNbkpziPXY3r8q7M18VVMQIVp59P5J
3yVnJUWdDTHMFNIuI8wVwE4VXgf3yO13MlnVQvWdhc/TVcrlAgwWw0QT3RdcS8Y5
fEQc0kmhPkKioZOcFJce
=p7IF
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: Connection reset while trying to access a web service running under Tomcat

[Tim Watts]

On Fri, 2017-02-24 at 01:08 +0100, André Warnier (tomcat) wrote:
> On 24.02.2017 00:57, James H. H. Lampert wrote:
> > On 2/23/17, 3:13 PM, André Warnier (tomcat) wrote:
> >> It seems to say right up here what the problem is : the customer system
> >> cannot establish a HTTPS connection with your server. The connection
> >> attempt starts, but then your server rejects it and closes the connection.
> >> Maybe they cannot agree on a common SSL protocol ?
> > . . .
> >
> > Is there a diagnostic setting I can apply to the Tomcat server, that would 
> > shed any light
> > on what's happening?
> >
> 
> Probably, if you set the log level high enough. Unfortunately, the tomcat 
> logging 
> configuration is also not really my thing.
> One expert in these matters on this list is Christopher, but he seems to get 
> list emails 
> after some delay. So have a little patience, and you'll probably be helped.
> In the meantime, there is always the helpful on-line tomcat documentation 
> which you could try.
> http://tomcat.apache.org/tomcat-8.0-doc/logging.html
> 

In addition, you might want to indicate what HTTP Connector and SSL
stack you're using. Pure Java/JSSE? Native/OpenSSL?  I believe the
logging tweaks will be different for these.

> 
> 
> 
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
> 



-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: Connection reset while trying to access a web service running under Tomcat

[tomcat]

On 24.02.2017 00:57, James H. H. Lampert wrote:

On 2/23/17, 3:13 PM, André Warnier (tomcat) wrote:

It seems to say right up here what the problem is : the customer system
cannot establish a HTTPS connection with your server. The connection
attempt starts, but then your server rejects it and closes the connection.
Maybe they cannot agree on a common SSL protocol ?

. . .

Is there a diagnostic setting I can apply to the Tomcat server, that would shed 
any light
on what's happening?



Probably, if you set the log level high enough. Unfortunately, the tomcat logging 
configuration is also not really my thing.
One expert in these matters on this list is Christopher, but he seems to get list emails 
after some delay. So have a little patience, and you'll probably be helped.

In the meantime, there is always the helpful on-line tomcat documentation which 
you could try.
http://tomcat.apache.org/tomcat-8.0-doc/logging.html




-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: Connection reset while trying to access a web service running under Tomcat

[James H. H. Lampert]

On 2/23/17, 3:13 PM, André Warnier (tomcat) wrote:

It seems to say right up here what the problem is : the customer system
cannot establish a HTTPS connection with your server. The connection
attempt starts, but then your server rejects it and closes the connection.
Maybe they cannot agree on a common SSL protocol ?

. . .

Is there a diagnostic setting I can apply to the Tomcat server, that 
would shed any light on what's happening?


--
JHHL

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: Connection reset while trying to access a web service running under Tomcat

[tomcat]

On 23.02.2017 22:35, James H. H. Lampert wrote:

We've got a problem, and I'm not sure where it is.

We've got a remote box, belonging to a customer, that's trying to access a web 
service
hosted by a Tomcat server on one of our boxes (part of a new webapp).

The customer box is getting "Connection Resets" while trying to access our web 
service.
Here is some of the debug output:

(GSKit) I/O: A connection with a remote socket was reset by that socket.
ssl_error(406): (GSKit) I/O: A connection with a remote socket was reset by 
that socket.
SetError() #30: SSL Handshake: (GSKit) I/O: A connection with a remote socket 
was reset
by that


It seems to say right up here what the problem is : the customer system cannot establish a 
HTTPS connection with your server. The connection attempt starts, but then your server 
rejects it and closes the connection.

Maybe they cannot agree on a common SSL protocol ?

As for why, I'll leave that one to someone else, because there are a billion SSL 
protocols, with a trillion of variations, and a kazillion possible reasons for why they 
could not agree on one; and this is really not my thing..




I think initially, the problem was in the customer's firewall not letting the 
requests out
on the port this server runs. They say they've got that fixed, but the 
connection resets
continue.

According to the statistics on our firewall appliance/router (a TP-Link 
WDR4300), it's
getting some packet traffic intended for the server in question, but nothing is 
being
logged by the webapp itself. And nothing seems to be getting logged to 
Catalina*.* from
any of this traffic, whether failed sign-ons from the customer box, or 
successful traffic
from one of our other boxes. Is there anything we can do to determine whether 
Tomcat is
seeing any of these request? And what it could be doing with them?

--
JHHL

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org




-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: Connection reset while trying to access a web service running under Tomcat

[Peter Mykytyn]

use VPN or IPSEC for something like this.


On Thu, 23 Feb 2017 13:35:45 -0800
"James H. H. Lampert"  wrote:

> We've got a problem, and I'm not sure where it is.
> 
> We've got a remote box, belonging to a customer, that's trying to access 
> a web service hosted by a Tomcat server on one of our boxes (part of a 
> new webapp).
> 
> The customer box is getting "Connection Resets" while trying to access 
> our web service. Here is some of the debug output:
> > (GSKit) I/O: A connection with a remote socket was reset by that socket.
> > ssl_error(406): (GSKit) I/O: A connection with a remote socket was reset by 
> > that socket.
> > SetError() #30: SSL Handshake: (GSKit) I/O: A connection with a remote 
> > socket was reset by that
> 
> I think initially, the problem was in the customer's firewall not 
> letting the requests out on the port this server runs. They say they've 
> got that fixed, but the connection resets continue.
> 
> According to the statistics on our firewall appliance/router (a TP-Link 
> WDR4300), it's getting some packet traffic intended for the server in 
> question, but nothing is being logged by the webapp itself. And nothing 
> seems to be getting logged to Catalina*.* from any of this traffic, 
> whether failed sign-ons from the customer box, or successful traffic 
> from one of our other boxes. Is there anything we can do to determine 
> whether Tomcat is seeing any of these request? And what it could be 
> doing with them?
> 
> --
> JHHL
> 
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
> 

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Connection reset while trying to access a web service running under Tomcat

[James H. H. Lampert]

We've got a problem, and I'm not sure where it is.

We've got a remote box, belonging to a customer, that's trying to access 
a web service hosted by a Tomcat server on one of our boxes (part of a 
new webapp).


The customer box is getting "Connection Resets" while trying to access 
our web service. Here is some of the debug output:

(GSKit) I/O: A connection with a remote socket was reset by that socket.
ssl_error(406): (GSKit) I/O: A connection with a remote socket was reset by 
that socket.
SetError() #30: SSL Handshake: (GSKit) I/O: A connection with a remote socket 
was reset by that


I think initially, the problem was in the customer's firewall not 
letting the requests out on the port this server runs. They say they've 
got that fixed, but the connection resets continue.


According to the statistics on our firewall appliance/router (a TP-Link 
WDR4300), it's getting some packet traffic intended for the server in 
question, but nothing is being logged by the webapp itself. And nothing 
seems to be getting logged to Catalina*.* from any of this traffic, 
whether failed sign-ons from the customer box, or successful traffic 
from one of our other boxes. Is there anything we can do to determine 
whether Tomcat is seeing any of these request? And what it could be 
doing with them?


--
JHHL

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org