-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Steve,

On 2/12/13 9:52 AM, Thomas, Steve wrote:
> Hi. We have been running Tomcat 7.0.23 in our test environment
> until recently, then upgraded to 7.0.35. After the upgrade, our
> tests started failing intermittently with
>
> <urlopen error [Errno 1] _ssl.c:503: error:14094410:SSL
> routines:SSL3_READ_BYTES:sslv3 alert handshake failure>

That looks like a load of fun.

> <Connector port="9444" maxHttpHeaderSize="8192" maxThreads="150"
> minSpareThreads="25" maxSpareThreads="75" enableLookups="false"
> disableUploadTimeout="true" acceptCount="100" scheme="https"
> secure="true" SSLEnabled="true" clientAuth="false"
> sslProtocol="TLS" keystoreFile="webapps/OurProgram/.keystore"
> compression="on" compressionMinSize="1024"
> noCompressionUserAgents="gozilla, traviata"
> compressableMimeType="text/html,text/xml,text/css,text/javascript,application/x-javascript,application/javascript"/>

I see you have sslProtocol set to "TLS". I recently had a (longer than
really necessary) fight with a newly-stood-up server running stunnel on
it that wouldn't connect to other, similarly-configured servers. I got a
similar error message to the above, and the problem was that all the
other servers were configured to use "TLSv1" while the new server had
the default configuration to use "SSLv3". I actually thought that TLSv1
~= SSLv3 but evidently that isn't the case.

> <Connector port="9091"
> protocol="org.apache.coyote.http11.Http11NioProtocol"
> connectionTimeout="10000" tomcatAuthentication="false"
> keepaliveTimeout="5000" backlog="50" maxThreads="10" scheme="https"
> secure="true" SSLEnabled="true" clientAuth="false"
> sslProtocol="TLS" keystoreFile="webapps/OurProgram/.keystore" />

Any idea which of these connectors is being hit when you get the connect
error? Is it always the same client ("urlopen" looks like curl or python
or whatever)?

> Again, this is identical to our previous configuration, and as far
> as I know the only variable introduced was the upgrade to 7.0.35.
> This has happened across multiple OS's - from Windows 2008 64-bit
> to RHEL5.

Can you actually do a 'diff' of one server.xml against another?
Obviously, you can ignore all the non-Connector-related stuff.

> Could this version of Tomcat be stricter with its implementation
> of HTTPS, and that is triggering the issue?

It's more likely that the JVM is more strict. Did you upgrade the JVM as
well?

> If it isn't Tomcat--if something else must have changed--what
> would be the most likely explanation?

*shrug*

I think you need more data on the situations where this actually occurs:
what URL, which port, etc.

When you hit your service, you are hitting these servers directly, right
-- that is, there isn't a load-balancer or anything like that in between
your client and your server (as configured above)?

- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEAREIAAYFAlEbtrUACgkQ9CaO5/Lv0PD0uwCeKg6VFK3IQZIiEt1GqireVHuC
2HAAoIvnJGon20Kl7Ief6tWFY/gf4jCi
=D9lF
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
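The reply above suggests diffing server.xml between the working and the failing servers while ignoring everything that is not Connector-related, and asking which of the SSL-enabled connectors the client is actually hitting. The script below is an added example, not code from the thread or from Tomcat: it parses two server.xml documents, keys each Connector by port, reports only the attributes that differ, and lists each SSL-enabled connector with its declared sslProtocol. The two server.xml fragments are constructed samples (shortened versions of the connectors quoted in the thread); the sslProtocol drift on port 9091 in the second sample is invented purely to show what a reported difference looks like, and the function names are my own.

```python
"""Compare the <Connector> elements of two Tomcat server.xml files.

Added example, not from the mailing-list thread. Everything that is not
a <Connector> is ignored, as the reply suggests; the two XML documents
below are constructed samples, not real configuration.
"""
import sys
import xml.etree.ElementTree as ET

# Constructed sample: the server that still works (assumed 7.0.23).
OLD_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000"/>
    <Connector port="9444" maxThreads="150" scheme="https" secure="true"
               SSLEnabled="true" clientAuth="false" sslProtocol="TLS"
               keystoreFile="webapps/OurProgram/.keystore"/>
    <Connector port="9091" protocol="org.apache.coyote.http11.Http11NioProtocol"
               scheme="https" secure="true" SSLEnabled="true" clientAuth="false"
               sslProtocol="TLS" keystoreFile="webapps/OurProgram/.keystore"/>
  </Service>
</Server>"""

# Constructed sample: the failing server (assumed 7.0.35); the sslProtocol
# change on port 9091 is invented to illustrate a reported difference.
NEW_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000"/>
    <Connector port="9444" maxThreads="150" scheme="https" secure="true"
               SSLEnabled="true" clientAuth="false" sslProtocol="TLS"
               keystoreFile="webapps/OurProgram/.keystore"/>
    <Connector port="9091" protocol="org.apache.coyote.http11.Http11NioProtocol"
               scheme="https" secure="true" SSLEnabled="true" clientAuth="false"
               sslProtocol="SSLv3" keystoreFile="webapps/OurProgram/.keystore"/>
  </Service>
</Server>"""


def connectors(server_xml):
    """Return {port: {attribute: value}} for every <Connector> in the document."""
    root = ET.fromstring(server_xml)
    result = {}
    for conn in root.iter("Connector"):
        attrs = dict(conn.attrib)
        result[attrs.get("port", "?")] = attrs
    return result


def ssl_connectors(server_xml):
    """Return {port: sslProtocol} for connectors declaring SSLEnabled="true".

    A connector that sets SSLEnabled but no sslProtocol is reported as
    "(default)", since the effective protocol then comes from the JVM.
    """
    return {
        port: attrs.get("sslProtocol", "(default)")
        for port, attrs in connectors(server_xml).items()
        if attrs.get("SSLEnabled", "false").lower() == "true"
    }


def diff_connectors(old_xml, new_xml):
    """Return a sorted list of (port, attribute, old_value, new_value).

    A connector or attribute present on only one side shows None on the
    other; attributes that are identical on both sides are not reported.
    """
    old, new = connectors(old_xml), connectors(new_xml)
    changes = []
    for port in sorted(set(old) | set(new)):
        a, b = old.get(port, {}), new.get(port, {})
        for key in sorted(set(a) | set(b)):
            if a.get(key) != b.get(key):
                changes.append((port, key, a.get(key), b.get(key)))
    return changes


def main(argv):
    # Usage: python connector_diff.py old/server.xml new/server.xml
    # With no arguments the constructed samples above are compared.
    if len(argv) == 3:
        with open(argv[1]) as f1, open(argv[2]) as f2:
            old_xml, new_xml = f1.read(), f2.read()
    else:
        old_xml, new_xml = OLD_SERVER_XML, NEW_SERVER_XML
    for port, proto in sorted(ssl_connectors(new_xml).items()):
        print(f"port {port}: SSLEnabled, sslProtocol={proto}")
    for port, key, old_v, new_v in diff_connectors(old_xml, new_xml):
        print(f"port {port}: {key}: {old_v!r} -> {new_v!r}")


if __name__ == "__main__":
    main(sys.argv)
```

Run it with the two real server.xml paths as arguments; an empty diff narrows the problem to something outside Tomcat's configuration (the JVM, the client, or whatever sits in between), which is the direction the reply points in.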