Steve,

On 2/12/13 9:52 AM, Thomas, Steve wrote:
> Hi. We have been running Tomcat 7.0.23 in our test environment
> until recently, then upgraded to 7.0.35. After the upgrade, our
> tests started failing intermittently with
> 
> <urlopen error [Errno 1] _ssl.c:503: error:14094410:SSL
> routines:SSL3_READ_BYTES:sslv3 alert handshake failure>

That looks like a load of fun.

> <Connector port="9444" maxHttpHeaderSize="8192" maxThreads="150"
> minSpareThreads="25" maxSpareThreads="75" enableLookups="false"
> disableUploadTimeout="true" acceptCount="100" scheme="https"
> secure="true" SSLEnabled="true" clientAuth="false"
> sslProtocol="TLS" keystoreFile="webapps/OurProgram/.keystore" 
> compression="on" compressionMinSize="1024"
> noCompressionUserAgents="gozilla, traviata" 
> compressableMimeType="text/html,text/xml,text/css,text/javascript,application/x-javascript,application/javascript"/>

I see you have sslProtocol set to "TLS". I recently had a (longer than
really necessary) fight with a newly-stood-up server running stunnel
on it that wouldn't connect to other, similarly-configured servers. I
got a similar error message to the above, and the problem was that all
the other servers were configured to use "TLSv1" while the new server
had the default configuration to use "SSLv3". I actually thought that
TLSv1 ~= SSLv3 but evidently that isn't the case.

> <Connector port="9091"
> protocol="org.apache.coyote.http11.Http11NioProtocol" 
> connectionTimeout="10000" tomcatAuthentication="false"
> keepaliveTimeout="5000" backlog="50" maxThreads="10" scheme="https"
> secure="true" SSLEnabled="true" clientAuth="false"
> sslProtocol="TLS" keystoreFile="webapps/OurProgram/.keystore" />

Any idea which of these connectors is being hit when you get the
connect error? Is it always the same client ("urlopen" looks like curl
or python or whatever)?

> Again, this is identical to our previous configuration, and as far
> as I know the only variable introduced was the upgrade to 7.0.35.
> This has happened across multiple OS's - from Windows 2008 64-bit
> to RHEL5.

Can you actually do a 'diff' of one server.xml against another?
Obviously, you can ignore all the non-Connector-related stuff.

> Could this version of Tomcat be stricter with its implementation
> of HTTPS, and that is triggering the issue?

It's more likely that the JVM is more strict. Did you upgrade the JVM
as well?

> If it isn't Tomcat--if something else must have changed--what
> would be the most likely explanation?

*shrug*

I think you need more data on the situations where this actually
occurs: what URL, which port, etc. When you hit your service, you are
hitting these servers directly, right -- that is, there isn't a
load-balancer or anything like that in between your client and your
server (as configured above)?

-chris
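Since the thread turns on which protocol version each side is actually offering, here is an added example (not from the thread) in Python that decodes the two records you would look at in a capture: the version a ClientHello offers, and the alert a server returns when it gives up on the handshake. The sample bytes are constructed for the example; note that OpenSSL prints alert(40) as "sslv3 alert handshake failure" whatever TLS version was in play, so that error text alone does not prove SSLv3 was involved.

```python
import struct

# Constructed lookup tables and sample records (added example, not from the thread).
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
VERSIONS = {0x0300: "SSLv3", 0x0301: "TLSv1", 0x0302: "TLSv1.1", 0x0303: "TLSv1.2"}
ALERTS = {40: "handshake_failure", 42: "bad_certificate", 70: "protocol_version"}


def build_client_hello(version: int) -> bytes:
    """Build a minimal ClientHello record offering only `version` (constructed test data)."""
    body = (struct.pack("!H", version)   # client_version: highest version the client offers
            + b"\x00" * 32                # random (zeroed for the example)
            + b"\x00"                     # session_id length 0
            + b"\x00\x02\x00\x0a"         # one cipher suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA
            + b"\x01\x00")                # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello(1)
    return b"\x16" + struct.pack("!HH", version, len(handshake)) + handshake


# What a server sends when it cannot agree on a protocol or cipher: alert(21),
# fatal(2), handshake_failure(40). OpenSSL reports this as "sslv3 alert handshake
# failure" regardless of the version in use; the "sslv3" is legacy naming.
FATAL_HANDSHAKE_FAILURE = b"\x15\x03\x01\x00\x02\x02\x28"


def parse_record(data: bytes):
    """Split one TLS record into (content_type, version, payload)."""
    if len(data) < 5:
        raise ValueError("truncated record header")
    ctype, version, length = struct.unpack("!BHH", data[:5])
    payload = data[5:5 + length]
    if len(payload) != length:
        raise ValueError("truncated record body")
    return ctype, version, payload


def describe(data: bytes) -> dict:
    """Summarise a record: the version a ClientHello offers, or the alert a peer sent."""
    ctype, version, payload = parse_record(data)
    info = {"record_type": CONTENT_TYPES.get(ctype, str(ctype)),
            "record_version": VERSIONS.get(version, hex(version))}
    if ctype == 22 and len(payload) >= 6 and payload[0] == 1:
        # Handshake header is type(1) + length(3); client_version follows it.
        client_version = struct.unpack("!H", payload[4:6])[0]
        info["client_version"] = VERSIONS.get(client_version, hex(client_version))
    elif ctype == 21 and len(payload) == 2:
        level, desc = payload
        info["alert"] = ("fatal" if level == 2 else "warning", ALERTS.get(desc, str(desc)))
    return info
```

Feed it the first record from each direction of a failing connection: a ClientHello offering SSLv3 against a server that only accepts TLSv1 (or vice versa) is exactly the mismatch described above.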
