Re: installing certificates

2017-10-11 Thread Adam Pease

Hi Chris and all,
  I was able to get my system running based on the instructions at 
https://community.letsencrypt.org/t/configuring-lets-encrypt-with-tomcat-6-x-and-7-x/32416 
.  I clarified them a little and put

them into the context of installing my open source project at
https://github.com/ontologyportal/sigmakee/blob/master/Security.txt

all the best,
Adam


On 10/09/2017 03:13 PM, Adam Pease wrote:

Hi Chris,
   Many thanks for the quick response!  There's a lot of new terminology 
(to me) to all this and it's quite confusing I'm afraid.


   I tried Let's Encrypt just now but since I'm running Tomcat sites 
either I'm not doing it right, or it doesn't know how to verify domains 
when they don't answer on port 80.  So I get "The server could not 
connect to the client to verify the domain :: Timeout"
   Following the process at "gethttpsforfree.com" resulted in two long 
hex keys: one titled "Signed Certificate" and one titled "Intermediate 
Certificate".  I'm not sure what a "server certificate" is.  Is that a 
public/private key pair that I generated at the beginning of this 
process with


openssl genrsa 4096 > account.key

or what I did at the beginning of the tomcat instructions

$JAVA_HOME/bin/keytool -genkey -alias tomcat -keyalg RSA

But that generates a .keystore file which is already a parameter to the 
failing command.


I really appreciate your help.

all the best,
Adam

On 10/09/2017 02:00 PM, Christopher Schultz wrote:

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Adam,

On 10/9/17 4:24 PM, Adam Pease wrote:

Hi, I'm running Tomcat 8.5.23 on an AWS Ubuntu Linux 16.04 LTS
installation.  I'm trying to follow the instructions at
https://tomcat.apache.org/tomcat-8.0-doc/ssl-howto.html to get
HTTPS running under tomcat.


Version mismatch. You want this guide:
https://tomcat.apache.org/tomcat-8.5-doc/ssl-howto.html


My site runs with a self-signed certificate.  Now I'm trying to
install a proper certificate from > https://gethttpsforfree.com/

Try Let's Encrypt. I know nothing about "gethttpsforfree.com", but
I've personally done Let's Encrypt.


After the rather lengthy process to generate the "Signed
Certificate" and "Intermediate Certificate" it appears I'm ready to
follow the instructions under the heading "Importing the
Certificate".


BTW, LE is a single command to get a signed certificate.


My first question is whether there is a difference between the
certificates mentioned in

- "import a so called Chain Certificate or Root Certificate into
your keystore"

and

- "After that you can proceed with importing your Certificate."


You have a "server certificate" -- that's yours, and represents you.
There is (usually) another certificate, called the "chain" or
"intermediate" certificate, which represents the Certificate Authority
who signed your certificate.

When your server performs a TLS handshake with the client, it needs to
present a "certificate chain" which includes your server certificate
(the "leaf") and any certificates required to link the server cert to
a root certificate which is stored within the client and already
trusted (e.g. VeriSign, DigiCert, etc.). So your server needs to have
multiple certificates available to send, and only one "belongs" to you.


I was able to execute the command:

keytool -import -alias root -keystore 
-trustcacerts -file 

using a single file that has the "Signed Certificate" and
"Intermediate Certificate" from gethttpsforfree.  But then I get an
error from the next command

~$ keytool -import -alias tomcat -keystore .keystore -file
chained.pem Enter keystore password: keytool error:
java.lang.Exception: Certificate reply does not contain public key
for 


Which file is which? Looks like you imported the chain twice.


When I run

~$ keytool -list -v

I see (in part)

Alias name: tomcat Creation date: Oct 9, 2017 Entry type:
PrivateKeyEntry Certificate chain length: 1 Certificate[1]: Owner:
CN=Adam Pease

I'm very new to certificates.  Could someone point me in the right
direction?


Java keystores are a nightmare... it's not your fault. ;)

It looks like you didn't successfully import the CA's
root/intermediate certificate. Can you reply with some more specifics?
What files do you have from the CA, what keystore(s) do you have, and
what are the exact commands you are running? You've left-out some
important details from your post above.

Here's what I have in my "Java Keystore Cheat Cheet":

Create your server key and self-signed cert:

$ keytool -genkey -keyalg RSA -sigalg SHA256withRSA -keysize 4096
-alias ${HOSTNAME} -keystore ${HOSTNAME}.jks


Now, export your CSR:


$ keytool -certreq -sigalg SHA256withRSA -keystore ${HOSTNAME}.jks


Use that CSR to get your cert signed.

Now, import the signed cert back into your keystore, starting with the
root and/or intermediate cert and finishing with your server's cert:


$ keytool -import -alias [Authority.CA] -trustcacerts -file
[authority's CA cert] -keystore ${HOSTNAME}.jks


(^ if 

Re: FW: [error] SSL0266E: Handshake Failed, Could not establish SSL proxy connection

2017-10-11 Thread Igor Cicimov
On Thu, Oct 12, 2017 at 9:17 AM, Igor Cicimov  wrote:

> On 12 Oct 2017 8:25 am, "Gali, Vamsi A" 
> wrote:
>
> The debug log produced following & it's evident that handshake is failing
> due to no ciphers suites in common.
>
> Allow unsafe renegotiation: false
> Allow legacy hello messages: true
> Is initial handshake: true
> Is secure renegotiation: false
> http-bio--Acceptor-0, setSoTimeout(6) called
> Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
> for TLSv1
> Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
> for TLSv1
> Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
> for TLSv1
> Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
> for TLSv1
> Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
> for TLSv1
> Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
> for TLSv1
> Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
> for TLSv1.1
> Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
> for TLSv1.1
> Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
> for TLSv1.1
> Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
> for TLSv1.1
> Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
> for TLSv1.1
> Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
> for TLSv1.1
> http-bio--exec-2, READ: TLSv1.2 Handshake, length = 57
> *** ClientHello, TLSv1.2
> RandomCookie:  GMT: -2042962343 <(204)%20296-2343> bytes = { 199, 95, 13,
> 144, 113, 194, 145, 53, 176, 117, 165, 93, 196, 76, 17, 104, 214, 95, 96,
> 238, 97, 6, 240, 239, 53, 188, 180, 41 }
> Session ID:  {}
> Cipher Suites: [TLS_EMPTY_RENEGOTIATION_INFO_SCSV, Unknown 0x56:0x0,
> SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA,
> TLS_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA,
> SSL_RSA_WITH_RC4_128_MD5]
> Compression Methods:  { 0 }
> ***
> %% Initialized:  [Session-13, SSL_NULL_WITH_NULL_NULL]
> %% Invalidated:  [Session-13, SSL_NULL_WITH_NULL_NULL]
> http-bio--exec-2, SEND TLSv1.2 ALERT:  fatal, description =
> handshake_failure
> http-bio--exec-2, WRITE: TLSv1.2 Alert, length = 2
> http-bio--exec-2, called closeSocket()
>
>
>
> http-bio--exec-2, handling exception: javax.net.ssl.SSLHandshakeException:
> no cipher suites in common
> http-bio--exec-2, IOException in getSession():
> javax.net.ssl.SSLHandshakeException: no cipher suites in common
>
>
> There you go, no comment needed.
>
> Also, since you are using JSSE in your tomcat connector, you never
mentioned the Java version you are using? From the logs looks like IHS
offers TLSv1.2 ciphers but tomcat does not support them so maybe you are
running an outdated version of Java, maybe 1.6?

There some tools out there you can use to find the default SSL/TLS cipher
suits that JVM will use (and I think I've seen one from Christopher
Schultz). The tool should provide you with output like this:

$ java Ciphers
DefaultCipher
 SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
*SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
 SSL_DHE_DSS_WITH_DES_CBC_SHA
 SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
*SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
 SSL_DHE_RSA_WITH_DES_CBC_SHA
 SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA
 SSL_DH_anon_WITH_3DES_EDE_CBC_SHA
 SSL_DH_anon_WITH_DES_CBC_SHA
 SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
*SSL_RSA_WITH_3DES_EDE_CBC_SHA
 SSL_RSA_WITH_DES_CBC_SHA
 SSL_RSA_WITH_NULL_MD5
 SSL_RSA_WITH_NULL_SHA
*TLS_DHE_DSS_WITH_AES_128_CBC_SHA
*TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
*TLS_DHE_DSS_WITH_AES_128_GCM_SHA256
*TLS_DHE_RSA_WITH_AES_128_CBC_SHA
*TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
*TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
 TLS_DH_anon_WITH_AES_128_CBC_SHA
 TLS_DH_anon_WITH_AES_128_CBC_SHA256
 TLS_DH_anon_WITH_AES_128_GCM_SHA256
...

then pick up one of the supported default ciphers (marked with star) and
use it in IHS (as it is or translated in IHS way, no idea about that) so
you get a match. I know nothing about IHS so can't help there.

If that doesn't work then I would say IHS does some funky stuff with the
cipher suites in a way that tomcat can't understand them.

Igor


RE: FW: [error] SSL0266E: Handshake Failed, Could not establish SSL proxy connection

2017-10-11 Thread Igor Cicimov
On 12 Oct 2017 8:25 am, "Gali, Vamsi A" 
wrote:

The debug log produced following & it's evident that handshake is failing
due to no ciphers suites in common.

Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
http-bio--Acceptor-0, setSoTimeout(6) called
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
for TLSv1
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
for TLSv1
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
for TLSv1
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 for
TLSv1
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for
TLSv1
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for
TLSv1
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
for TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
for TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
for TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 for
TLSv1.1
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for
TLSv1.1
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for
TLSv1.1
http-bio--exec-2, READ: TLSv1.2 Handshake, length = 57
*** ClientHello, TLSv1.2
RandomCookie:  GMT: -2042962343 bytes = { 199, 95, 13, 144, 113, 194, 145,
53, 176, 117, 165, 93, 196, 76, 17, 104, 214, 95, 96, 238, 97, 6, 240, 239,
53, 188, 180, 41 }
Session ID:  {}
Cipher Suites: [TLS_EMPTY_RENEGOTIATION_INFO_SCSV, Unknown 0x56:0x0,
SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA,
TLS_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA,
SSL_RSA_WITH_RC4_128_MD5]
Compression Methods:  { 0 }
***
%% Initialized:  [Session-13, SSL_NULL_WITH_NULL_NULL]
%% Invalidated:  [Session-13, SSL_NULL_WITH_NULL_NULL]
http-bio--exec-2, SEND TLSv1.2 ALERT:  fatal, description =
handshake_failure
http-bio--exec-2, WRITE: TLSv1.2 Alert, length = 2
http-bio--exec-2, called closeSocket()



http-bio--exec-2, handling exception: javax.net.ssl.SSLHandshakeException:
no cipher suites in common
http-bio--exec-2, IOException in getSession():
javax.net.ssl.SSLHandshakeException:
no cipher suites in common


There you go, no comment needed.


RE: FW: [error] SSL0266E: Handshake Failed, Could not establish SSL proxy connection

2017-10-11 Thread Gali, Vamsi A
The debug log produced following & it's evident that handshake is failing due 
to no ciphers suites in common.

Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
http-bio--Acceptor-0, setSoTimeout(6) called
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 for 
TLSv1
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 for 
TLSv1
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 for 
TLSv1
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 for 
TLSv1
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 for 
TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 for 
TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 for 
TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 for 
TLSv1.1
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for 
TLSv1.1
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for 
TLSv1.1
http-bio--exec-2, READ: TLSv1.2 Handshake, length = 57
*** ClientHello, TLSv1.2
RandomCookie:  GMT: -2042962343 bytes = { 199, 95, 13, 144, 113, 194, 145, 53, 
176, 117, 165, 93, 196, 76, 17, 104, 214, 95, 96, 238, 97, 6, 240, 239, 53, 
188, 180, 41 }
Session ID:  {}
Cipher Suites: [TLS_EMPTY_RENEGOTIATION_INFO_SCSV, Unknown 0x56:0x0, 
SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, 
TLS_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, 
SSL_RSA_WITH_RC4_128_MD5]
Compression Methods:  { 0 }
***
%% Initialized:  [Session-13, SSL_NULL_WITH_NULL_NULL]
%% Invalidated:  [Session-13, SSL_NULL_WITH_NULL_NULL]
http-bio--exec-2, SEND TLSv1.2 ALERT:  fatal, description = 
handshake_failure
http-bio--exec-2, WRITE: TLSv1.2 Alert, length = 2
http-bio--exec-2, called closeSocket()
http-bio--exec-2, handling exception: javax.net.ssl.SSLHandshakeException: 
no cipher suites in common
http-bio--exec-2, IOException in getSession():  
javax.net.ssl.SSLHandshakeException: no cipher suites in common
http-bio--exec-2, called close()
http-bio--exec-2, called closeInternal(true)

Thank you,
Vamsi Gali


-Original Message-
From: Gali, Vamsi A [mailto:vamsi_a_g...@keybank.com.INVALID] 
Sent: Wednesday, October 11, 2017 11:18 AM
To: Tomcat Users List
Subject: RE: FW: [error] SSL0266E: Handshake Failed, Could not establish SSL 
proxy connection

I see what Igor has suggested and I will be reproducing the issue by adding  
'-Djavax.net.debug=ssl' to setenv.sh's JAVA_OPTS.  Thank you!

Thank you,
Vamsi Gali


-Original Message-
From: Mark Thomas [mailto:ma...@apache.org]
Sent: Wednesday, October 11, 2017 10:44 AM
To: users@tomcat.apache.org
Subject: Re: FW: [error] SSL0266E: Handshake Failed, Could not establish SSL 
proxy connection

On 11/10/2017 14:05, Gali, Vamsi A wrote:
> Igor,
> 
> Thank you for the response!
> 
> Since the request is failing at SSL handshake, Tomcat doesn’t even record 
> anything not even the access log. I tried enabling debug at tomcat but 
> nothing is captured during the request initiation.

Re-read the suggestion. You need to enable the JRE provided SSL debugging, not 
Tomcat debug logging.

Check your JVM docs for you to do that.

Marjk


> 
> Thank you,
> Vamsi Gali
> 
> -Original Message-
> From: Igor Cicimov [mailto:icici...@gmail.com]
> Sent: Wednesday, October 11, 2017 4:09 AM
> To: Tomcat Users List
> Subject: Re: FW: [error] SSL0266E: Handshake Failed, Could not 
> establish SSL proxy connection
> 
> On 11 Oct 2017 1:50 am, "Gali, Vamsi A" 
> 
> wrote:
> 
> Hello,
> 
> Any help is appreciated on this issue.
> 
> Thank you,
> Vamsi Gali
> 
> 
> -Original Message-
> From: Gali, Vamsi A
> Sent: Thursday, October 05, 2017 12:03 PM
> To: 'Tomcat Users List'
> Subject: RE: [error] SSL0266E: Handshake Failed, Could not establish 
> SSL proxy connection
> 
> Hello,
> I just realized that I didn’t provide the environment info & following are 
> the details:
> 
> Tomcat:  apache-tomcat-7.0.75
> IHS: HIS v8.5.5.x
> OS: RHEL
> 
> We have IHS→mod_proxy(on IHS) → Tomcat.
> I know that IHS isn’t the suggested webserver to use with Tomcat but it’s in 
> use.
> [error] SSL0266E: Handshake Failed, Could not establish SSL proxy 
> connection
> 
> When Tomcat is accessed through webserver url, it throws ‘500’ with the 
> following stack on the IHS Error log:
> 
> [Thu Oct 00 09:20:20 2017] [debug] proxy_util.c(2313): proxy: HTTPS: 
> fam 2 socket created to connect to TOMCAT2 [Thu Oct 00 09:20:20 2017] 
> [debug]
> proxy_util.c(2419): proxy: HTTPS: connection complete to 
> TOMCAT-IP:PORT
> (TOMCAT2) [Thu Oct 00 09:20:20 

tomcat 8.5.23 dbcp not honoring autocommit = false?

2017-10-11 Thread Chris Cheshire
Working on a migration from 7 to 8.5, and in it I am now using the
tomcat dbcp, instead of apache commons dbcp. I have found that with no
other changes to the db code (except the factory param for the
resource), it is working fine other than there is an implicit commit
happening when I close a connection, even with autocommit turned off
in mysql config, resource config AND in my code.

Resource config :



Only thing changed in that from 7.x to 8.5.x is the factory was
org.apache.commons.dbcp.BasicDataSourceFactory. I am using Connector/J
5.1.44 (latest version).


Getting a connection boils down to this in my code (pieces pulled out
of factories and other classes)

(Support class in web code)
public static DataSource getDataSource() {
try {
return (DataSource)new
InitialContext().lookup("java:comp/env/" +
ServletContextParameters.getDatabaseResourceName());
}
catch (NamingException ex) {
throw new RuntimeException("unable to find datasource", ex);
}
}


(DAO Factory implementation)
public MySQLDAOFactoryImpl(@NotNull DataSource dataSource) {
this.dataSource = dataSource;

try {
this.dbConn = this.dataSource.getConnection();
this.dbConn.setAutoCommit(false);

this.dbConn.setTransactionIsolation(Connection.TRANSACTION_READ_COMMITTED);
}
catch (SQLException ex) {
throw new DAOException("unable to get database connection", ex);
}
}

@Override
public void close() {
try {
if (this.dbConn != null) {
this.dbConn.close();
}
}
catch (SQLException ex) {
throw new DAOException("error closing database connection", ex);
}
}


If I do

daoFactory = new MySQLDAOFactoryImpl(getDataSource());

// update #1
daoFactory.commit()

// update #2
daoFactory.close();

then update #2 is being committed.

If I put in this in the close() method of my DAO Factory

if (!this.dbConn.getAutoCommit()) {
this.dbConn.rollback();
}

before the close() call, then update #2 is correctly not getting committed.

I looked back through the recent tomcat changelogs, and found a
reference to https://bz.apache.org/bugzilla/show_bug.cgi?id=61425
under the 8.5.21 release which looks like it might be addressing this
problem. However, when I download the source for 8.5.23, there is no
org.apache.tomcat.jdbc directory so I can't dive in there.

Anyone else experienced this? Hopefully I am just missing something obvious.

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Re: Enforcing server preference for cipher suites

2017-10-11 Thread Harish Krishnan
Thanks for the response, Konstantin.
If debugging the tomcat code is the only option, then I will plan to do it 
sometime soon as it is bit additional work for me. 
We just use the tomcat binaries In our application.
Meanwhile, if anybody have any other suggestions, that is greatly appreciated.

Sent from my iPhone

> On Oct 10, 2017, at 10:26 AM, Konstantin Kolinko  
> wrote:
> 
> 2017-10-09 19:31 GMT+03:00 Harish Krishnan :
>> Hi All,
>> 
>> Need your expert input here.
>> Not sure what I am doing wrong,  but I cannot get this server preference 
>> cipher suites feature working.
>> 
>> My setup:
>> Latest tomcat 7.x build (which supports useServerCipherSuitesOrder attribute)
>> Latest Java 1.8 build.
>> 
>> No matter what value I set to this attribute (true OR false OR undefined 
>> which is by default), I always see the Clients preference picked.
>> As an example, if clients order is ABCDEF, and servers order is DEFABC, no 
>> matter what value I set to this useServerCipherSuitesOrder attribute, always 
>> the order selected is ABC...
> 
> It should work when running on Java 8.
> 
> Maybe try debugging
> e.g. with breakpoint in org.apache.tomcat.util.compat.Jre8Compat
> setUseServerCipherSuitesOrder()
> 
> https://wiki.apache.org/tomcat/FAQ/Developing#Debugging
> 
> Best regards,
> Konstantin Kolinko
> 
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
> 

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



RE: FW: [error] SSL0266E: Handshake Failed, Could not establish SSL proxy connection

2017-10-11 Thread Gali, Vamsi A
I see what Igor has suggested and I will be reproducing the issue by adding  
'-Djavax.net.debug=ssl' to setenv.sh's JAVA_OPTS.  Thank you!

Thank you,
Vamsi Gali


-Original Message-
From: Mark Thomas [mailto:ma...@apache.org] 
Sent: Wednesday, October 11, 2017 10:44 AM
To: users@tomcat.apache.org
Subject: Re: FW: [error] SSL0266E: Handshake Failed, Could not establish SSL 
proxy connection

On 11/10/2017 14:05, Gali, Vamsi A wrote:
> Igor,
> 
> Thank you for the response!
> 
> Since the request is failing at SSL handshake, Tomcat doesn’t even record 
> anything not even the access log. I tried enabling debug at tomcat but 
> nothing is captured during the request initiation.

Re-read the suggestion. You need to enable the JRE provided SSL debugging, not 
Tomcat debug logging.

Check your JVM docs for you to do that.

Marjk


> 
> Thank you,
> Vamsi Gali
> 
> -Original Message-
> From: Igor Cicimov [mailto:icici...@gmail.com]
> Sent: Wednesday, October 11, 2017 4:09 AM
> To: Tomcat Users List
> Subject: Re: FW: [error] SSL0266E: Handshake Failed, Could not 
> establish SSL proxy connection
> 
> On 11 Oct 2017 1:50 am, "Gali, Vamsi A" 
> 
> wrote:
> 
> Hello,
> 
> Any help is appreciated on this issue.
> 
> Thank you,
> Vamsi Gali
> 
> 
> -Original Message-
> From: Gali, Vamsi A
> Sent: Thursday, October 05, 2017 12:03 PM
> To: 'Tomcat Users List'
> Subject: RE: [error] SSL0266E: Handshake Failed, Could not establish 
> SSL proxy connection
> 
> Hello,
> I just realized that I didn’t provide the environment info & following are 
> the details:
> 
> Tomcat:  apache-tomcat-7.0.75
> IHS: HIS v8.5.5.x
> OS: RHEL
> 
> We have IHS→mod_proxy(on IHS) → Tomcat.
> I know that IHS isn’t the suggested webserver to use with Tomcat but it’s in 
> use.
> [error] SSL0266E: Handshake Failed, Could not establish SSL proxy 
> connection
> 
> When Tomcat is accessed through webserver url, it throws ‘500’ with the 
> following stack on the IHS Error log:
> 
> [Thu Oct 00 09:20:20 2017] [debug] proxy_util.c(2313): proxy: HTTPS: 
> fam 2 socket created to connect to TOMCAT2 [Thu Oct 00 09:20:20 2017] 
> [debug]
> proxy_util.c(2419): proxy: HTTPS: connection complete to  
> TOMCAT-IP:PORT
> (TOMCAT2) [Thu Oct 00 09:20:20 2017] [error] SSL0266E: Handshake Failed, 
> Could not establish SSL proxy connection.
> [Thu Oct 00 09:20:20 2017] [info] [client TOMCAT-IP] [7fa404014a60] 
> [13789]
> SSL0240I: SSL Handshake Failed, Socket has been closed. Client sent fatal 
> alert [level 2 (fatal), description 40 (handshake_failure)] [TOMCAT-IP:PORT 
> -> IHS:PORT] [09:20:20.000967434] 0ms [Thu Oct 00 09:20:20 2017] [debug] 
> [client  TOMCAT-IP] [7fa404014a60] Handshake transcript:
> [Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]   [Thu 
> Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]  client_version [Thu Oct 00 
> 09:20:20 2017] [debug] [client  TOMCAT-IP] gsksslDissector_8Bits
> [Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]03
> [Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP] gsksslDissector_8Bits
> [Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]03
> [Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]  TLSV12 [Thu 
> Oct 00
> 09:20:20 2017] [debug] [client  TOMCAT-IP]  random [Thu Oct 00 09:20:20 2017] 
> [debug] [client  TOMCAT-IP] gsksslDissector_32Bits
> [Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]9xx
> [Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP] gsksslDissector_Opaque
> [Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]Length: 28
> [Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]1x 62 xx B3 1F 44
> xx 8E D2 xx x7 17 xx 59 x9 x9 .b...D...)...Y..
> [Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]x1 91 19 08 25 xx
> DC xx E1 xx 20 xx %..o.9 x
> [Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]  session_id 
> [Thu Oct
> 00 09:20:20 2017] [debug] [client  TOMCAT-IP]  Length: 00 [Thu Oct 00
> 09:20:20 2017] [debug] [client  TOMCAT-IP]  cipher_suites [Thu Oct 00
> 09:20:20 2017] [debug] [client  TOMCAT-IP]  Length: 14 [Thu Oct 00 09:20:20 
> 2017] [debug] [client  TOMCAT-IP]  0x Fx x6 00 00 xx
> 00 xx 00 xx 00 xx 00 xx   ..V/.5
> [Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP] 
> tls_ri_scsv,tls_fallback_scsv,tls_rsa_with_rc4_128_sha,tls_
> rsa_with_aes_128_cbc_sha,tls_rsa_with_aes_256_cbc_sha,tls_
> rsa_with_3des_ede_cbc_sha,tls_rsa_with_rc4_128_md5
> [Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]  compression_methods 
> [Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]  Length: 01 [Thu Oct 
> 00 09:20:20 2017] [debug] [client  TOMCAT-IP]  00
> .
> [Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]  Extensions 
> [Thu Oct
> 00 09:20:20 2017] [debug] [client  TOMCAT-IP]  Length: 00
> [Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]   Extension Count: 0
> [Thu Oct 00 09:20:20 

Re: FW: [error] SSL0266E: Handshake Failed, Could not establish SSL proxy connection

2017-10-11 Thread Mark Thomas
On 11/10/2017 14:05, Gali, Vamsi A wrote:
> Igor,
> 
> Thank you for the response!
> 
> Since the request is failing at SSL handshake, Tomcat doesn’t even record 
> anything not even the access log. I tried enabling debug at tomcat but 
> nothing is captured during the request initiation.

Re-read the suggestion. You need to enable the JRE provided SSL
debugging, not Tomcat debug logging.

Check your JVM docs for you to do that.

Marjk


> 
> Thank you,
> Vamsi Gali
> 
> -Original Message-
> From: Igor Cicimov [mailto:icici...@gmail.com] 
> Sent: Wednesday, October 11, 2017 4:09 AM
> To: Tomcat Users List
> Subject: Re: FW: [error] SSL0266E: Handshake Failed, Could not establish SSL 
> proxy connection
> 
> On 11 Oct 2017 1:50 am, "Gali, Vamsi A" 
> wrote:
> 
> Hello,
> 
> Any help is appreciated on this issue.
> 
> Thank you,
> Vamsi Gali
> 
> 
> -Original Message-
> From: Gali, Vamsi A
> Sent: Thursday, October 05, 2017 12:03 PM
> To: 'Tomcat Users List'
> Subject: RE: [error] SSL0266E: Handshake Failed, Could not establish SSL 
> proxy connection
> 
> Hello,
> I just realized that I didn’t provide the environment info & following are 
> the details:
> 
> Tomcat:  apache-tomcat-7.0.75
> IHS: HIS v8.5.5.x
> OS: RHEL
> 
> We have IHS→mod_proxy(on IHS) → Tomcat.
> I know that IHS isn’t the suggested webserver to use with Tomcat but it’s in 
> use.
> [error] SSL0266E: Handshake Failed, Could not establish SSL proxy connection
> 
> When Tomcat is accessed through webserver url, it throws ‘500’ with the 
> following stack on the IHS Error log:
> 
> [Thu Oct 00 09:20:20 2017] [debug] proxy_util.c(2313): proxy: HTTPS: fam 2 
> socket created to connect to TOMCAT2 [Thu Oct 00 09:20:20 2017] [debug]
> proxy_util.c(2419): proxy: HTTPS: connection complete to  TOMCAT-IP:PORT
> (TOMCAT2) [Thu Oct 00 09:20:20 2017] [error] SSL0266E: Handshake Failed, 
> Could not establish SSL proxy connection.
> [Thu Oct 00 09:20:20 2017] [info] [client TOMCAT-IP] [7fa404014a60] [13789]
> SSL0240I: SSL Handshake Failed, Socket has been closed. Client sent fatal 
> alert [level 2 (fatal), description 40 (handshake_failure)] [TOMCAT-IP:PORT 
> -> IHS:PORT] [09:20:20.000967434] 0ms [Thu Oct 00 09:20:20 2017] [debug] 
> [client  TOMCAT-IP] [7fa404014a60] Handshake transcript:
> [Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]   [Thu 
> Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]  client_version [Thu Oct 00 
> 09:20:20 2017] [debug] [client  TOMCAT-IP] gsksslDissector_8Bits
> [Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]03
> [Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP] gsksslDissector_8Bits
> [Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]03
> [Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]  TLSV12 [Thu Oct 00
> 09:20:20 2017] [debug] [client  TOMCAT-IP]  random [Thu Oct 00 09:20:20 2017] 
> [debug] [client  TOMCAT-IP] gsksslDissector_32Bits
> [Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]9xx
> [Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP] gsksslDissector_Opaque
> [Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]Length: 28
> [Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]1x 62 xx B3 1F 44
> xx 8E D2 xx x7 17 xx 59 x9 x9 .b...D...)...Y..
> [Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]x1 91 19 08 25 xx
> DC xx E1 xx 20 xx %..o.9 x
> [Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]  session_id [Thu Oct
> 00 09:20:20 2017] [debug] [client  TOMCAT-IP]  Length: 00 [Thu Oct 00
> 09:20:20 2017] [debug] [client  TOMCAT-IP]  cipher_suites [Thu Oct 00
> 09:20:20 2017] [debug] [client  TOMCAT-IP]  Length: 14 [Thu Oct 00 09:20:20 
> 2017] [debug] [client  TOMCAT-IP]  0x Fx x6 00 00 xx
> 00 xx 00 xx 00 xx 00 xx   ..V/.5
> [Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP] 
> tls_ri_scsv,tls_fallback_scsv,tls_rsa_with_rc4_128_sha,tls_
> rsa_with_aes_128_cbc_sha,tls_rsa_with_aes_256_cbc_sha,tls_
> rsa_with_3des_ede_cbc_sha,tls_rsa_with_rc4_128_md5
> [Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]  compression_methods 
> [Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]  Length: 01 [Thu Oct 
> 00 09:20:20 2017] [debug] [client  TOMCAT-IP]  00
> .
> [Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]  Extensions [Thu Oct
> 00 09:20:20 2017] [debug] [client  TOMCAT-IP]  Length: 00
> [Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]   Extension Count: 0
> [Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP] end handshake 
> transcript [Thu Oct 00 09:20:20 2017] [debug] proxy_util.c(2442): proxy:
> HTTPS: pre_connection setup failed (500) [Thu Oct 00 09:20:20 2017] [debug]
> proxy_util.c(2022): proxy: HTTPS: has released connection for TOMCAT2
> 
> 
> --
> 

RE: FW: [error] SSL0266E: Handshake Failed, Could not establish SSL proxy connection

2017-10-11 Thread Gali, Vamsi A
Yes, Siva. 
Both IHS & Tomcat keystores are added with correct CA certs.

Webserver Config:

Include "rewrites.conf"
SSLEnable
Include "cipher.conf"
Keyfile Key-File
# tomcat balancer and proxy section
ProxyRequests Off
SSLProxyEngine on

 
 BalancerMember https://Tomcat1:https-port/app1 route=app1_01
 BalancerMember https://Tomcat2:https-port/app1 route=app1_02

 ProxyPassReverse /app1 balancer://app1
 ProxyPass /app1 balancer://app1 stickysession=JSESSIONID|jsessionid


Tomcat SSL Connector:

  

We haven’t specified the list of ciphers for Tomcat and its set to TLS for ssl 
protocol.


Thank you,
Vamsi Gali


-Original Message-
From: shivashankar manukondu [mailto:sivasankar.m...@gmail.com] 
Sent: Wednesday, October 11, 2017 10:02 AM
To: Tomcat Users List
Subject: Re: FW: [error] SSL0266E: Handshake Failed, Could not establish SSL 
proxy connection

Hi,

Can you post the web and tomcat servers configuration files.

I hope you have added CA root certificate to the backend truststore?

Regards,
Siva

On Wed, Oct 11, 2017 at 3:05 PM, Gali, Vamsi A < 
vamsi_a_g...@keybank.com.invalid> wrote:

> Igor,
>
> Thank you for the response!
>
> Since the request is failing at SSL handshake, Tomcat doesn’t even 
> record anything not even the access log. I tried enabling debug at 
> tomcat but nothing is captured during the request initiation.
>
> Thank you,
> Vamsi Gali
>
> -Original Message-
> From: Igor Cicimov [mailto:icici...@gmail.com]
> Sent: Wednesday, October 11, 2017 4:09 AM
> To: Tomcat Users List
> Subject: Re: FW: [error] SSL0266E: Handshake Failed, Could not 
> establish SSL proxy connection
>
> On 11 Oct 2017 1:50 am, "Gali, Vamsi A" 
> 
> wrote:
>
> Hello,
>
> Any help is appreciated on this issue.
>
> Thank you,
> Vamsi Gali
>
>
> -Original Message-
> From: Gali, Vamsi A
> Sent: Thursday, October 05, 2017 12:03 PM
> To: 'Tomcat Users List'
> Subject: RE: [error] SSL0266E: Handshake Failed, Could not establish 
> SSL proxy connection
>
> Hello,
> I just realized that I didn’t provide the environment info & following 
> are the details:
>
> Tomcat:  apache-tomcat-7.0.75
> IHS: HIS v8.5.5.x
> OS: RHEL
>
> We have IHS→mod_proxy(on IHS) → Tomcat.
> I know that IHS isn’t the suggested webserver to use with Tomcat but 
> it’s in use.
> [error] SSL0266E: Handshake Failed, Could not establish SSL proxy 
> connection
>
> When Tomcat is accessed through webserver url, it throws ‘500’ with 
> the following stack on the IHS Error log:
>
> [Thu Oct 00 09:20:20 2017] [debug] proxy_util.c(2313): proxy: HTTPS: 
> fam 2 socket created to connect to TOMCAT2 [Thu Oct 00 09:20:20 2017] 
> [debug]
> proxy_util.c(2419): proxy: HTTPS: connection complete to  
> TOMCAT-IP:PORT
> (TOMCAT2) [Thu Oct 00 09:20:20 2017] [error] SSL0266E: Handshake 
> Failed, Could not establish SSL proxy connection.
> [Thu Oct 00 09:20:20 2017] [info] [client TOMCAT-IP] [7fa404014a60] 
> [13789]
> SSL0240I: SSL Handshake Failed, Socket has been closed. Client sent 
> fatal alert [level 2 (fatal), description 40 (handshake_failure)] 
> [TOMCAT-IP:PORT
> -> IHS:PORT] [09:20:20.000967434] 0ms [Thu Oct 00 09:20:20 2017] 
> -> [debug]
> [client  TOMCAT-IP] [7fa404014a60] Handshake transcript:
> [Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]   
> [Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]  client_version 
> [Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP] gsksslDissector_8Bits
> [Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]03
> [Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP] 
> gsksslDissector_8Bits
> [Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]03
> [Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]  TLSV12 [Thu 
> Oct 00
> 09:20:20 2017] [debug] [client  TOMCAT-IP]  random [Thu Oct 00 
> 09:20:20 2017] [debug] [client  TOMCAT-IP] gsksslDissector_32Bits
> [Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]9xx
> [Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP] 
> gsksslDissector_Opaque
> [Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]Length: 28
> [Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]1x 62 xx B3 1F 44
> xx 8E D2 xx x7 17 xx 59 x9 x9 .b...D...)...Y..
> [Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]x1 91 19 08 25 xx
> DC xx E1 xx 20 xx %..o.9 x
> [Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]  session_id 
> [Thu Oct
> 00 09:20:20 2017] [debug] [client  TOMCAT-IP]  Length: 00 [Thu Oct 00
> 09:20:20 2017] [debug] [client  TOMCAT-IP]  cipher_suites [Thu Oct 00
> 09:20:20 2017] [debug] [client  TOMCAT-IP]  Length: 14 [Thu Oct 00
> 09:20:20 2017] [debug] [client  TOMCAT-IP]  0x Fx x6 00 00 xx
> 00 xx 00 xx 00 xx 00 xx   ..V/.5
> [Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP] 
> tls_ri_scsv,tls_fallback_scsv,tls_rsa_with_rc4_128_sha,tls_
> 

Re: FW: [error] SSL0266E: Handshake Failed, Could not establish SSL proxy connection

2017-10-11 Thread shivashankar manukondu
Hi,

Can you post the web and tomcat servers configuration files.

I hope you have added CA root certificate to the backend truststore?

Regards,
Siva

On Wed, Oct 11, 2017 at 3:05 PM, Gali, Vamsi A <
vamsi_a_g...@keybank.com.invalid> wrote:

> Igor,
>
> Thank you for the response!
>
> Since the request is failing at SSL handshake, Tomcat doesn’t even record
> anything not even the access log. I tried enabling debug at tomcat but
> nothing is captured during the request initiation.
>
> Thank you,
> Vamsi Gali
>
> -Original Message-
> From: Igor Cicimov [mailto:icici...@gmail.com]
> Sent: Wednesday, October 11, 2017 4:09 AM
> To: Tomcat Users List
> Subject: Re: FW: [error] SSL0266E: Handshake Failed, Could not establish
> SSL proxy connection
>
> On 11 Oct 2017 1:50 am, "Gali, Vamsi A" 
> wrote:
>
> Hello,
>
> Any help is appreciated on this issue.
>
> Thank you,
> Vamsi Gali
>
>
> -Original Message-
> From: Gali, Vamsi A
> Sent: Thursday, October 05, 2017 12:03 PM
> To: 'Tomcat Users List'
> Subject: RE: [error] SSL0266E: Handshake Failed, Could not establish SSL
> proxy connection
>
> Hello,
> I just realized that I didn’t provide the environment info & following are
> the details:
>
> Tomcat:  apache-tomcat-7.0.75
> IHS: HIS v8.5.5.x
> OS: RHEL
>
> We have IHS→mod_proxy(on IHS) → Tomcat.
> I know that IHS isn’t the suggested webserver to use with Tomcat but it’s
> in use.
> [error] SSL0266E: Handshake Failed, Could not establish SSL proxy
> connection
>
> When Tomcat is accessed through webserver url, it throws ‘500’ with the
> following stack on the IHS Error log:
>
> [Thu Oct 00 09:20:20 2017] [debug] proxy_util.c(2313): proxy: HTTPS: fam 2
> socket created to connect to TOMCAT2 [Thu Oct 00 09:20:20 2017] [debug]
> proxy_util.c(2419): proxy: HTTPS: connection complete to  TOMCAT-IP:PORT
> (TOMCAT2) [Thu Oct 00 09:20:20 2017] [error] SSL0266E: Handshake Failed,
> Could not establish SSL proxy connection.
> [Thu Oct 00 09:20:20 2017] [info] [client TOMCAT-IP] [7fa404014a60] [13789]
> SSL0240I: SSL Handshake Failed, Socket has been closed. Client sent fatal
> alert [level 2 (fatal), description 40 (handshake_failure)] [TOMCAT-IP:PORT
> -> IHS:PORT] [09:20:20.000967434] 0ms [Thu Oct 00 09:20:20 2017] [debug]
> [client  TOMCAT-IP] [7fa404014a60] Handshake transcript:
> [Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]  
> [Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]  client_version [Thu
> Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP] gsksslDissector_8Bits
> [Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]03
> [Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]
> gsksslDissector_8Bits
> [Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]03
> [Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]  TLSV12 [Thu Oct 00
> 09:20:20 2017] [debug] [client  TOMCAT-IP]  random [Thu Oct 00 09:20:20
> 2017] [debug] [client  TOMCAT-IP] gsksslDissector_32Bits
> [Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]9xx
> [Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]
> gsksslDissector_Opaque
> [Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]Length: 28
> [Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]1x 62 xx B3 1F 44
> xx 8E D2 xx x7 17 xx 59 x9 x9 .b...D...)...Y..
> [Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]x1 91 19 08 25 xx
> DC xx E1 xx 20 xx %..o.9 x
> [Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]  session_id [Thu Oct
> 00 09:20:20 2017] [debug] [client  TOMCAT-IP]  Length: 00 [Thu Oct 00
> 09:20:20 2017] [debug] [client  TOMCAT-IP]  cipher_suites [Thu Oct 00
> 09:20:20 2017] [debug] [client  TOMCAT-IP]  Length: 14 [Thu Oct 00
> 09:20:20 2017] [debug] [client  TOMCAT-IP]  0x Fx x6 00 00 xx
> 00 xx 00 xx 00 xx 00 xx   ..V/.5
> [Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]
> tls_ri_scsv,tls_fallback_scsv,tls_rsa_with_rc4_128_sha,tls_
> rsa_with_aes_128_cbc_sha,tls_rsa_with_aes_256_cbc_sha,tls_
> rsa_with_3des_ede_cbc_sha,tls_rsa_with_rc4_128_md5
> [Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]
> compression_methods [Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]
> Length: 01 [Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]  00
> .
> [Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]  Extensions [Thu Oct
> 00 09:20:20 2017] [debug] [client  TOMCAT-IP]  Length: 00
> [Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]   Extension Count: 0
> [Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP] end handshake
> transcript [Thu Oct 00 09:20:20 2017] [debug] proxy_util.c(2442): proxy:
> HTTPS: pre_connection setup failed (500) [Thu Oct 00 09:20:20 2017] [debug]
> proxy_util.c(2022): proxy: HTTPS: has released connection for TOMCAT2
> 
> 
> 

RE: Tomcat SSL issue

2017-10-11 Thread Terence M. Bandoian

On 10/10/2017 9:45 AM, John Ellis wrote:


John Ellis

405.285.2500 office


 


http://biz-e.io


-Original Message-
From: Terence M. Bandoian [mailto:tere...@tmbsw.com]
Sent: Monday, October 9, 2017 4:49 PM
To: Tomcat Users List 
Subject: Re: Tomcat SSL issue

On 10/9/2017 10:01 AM, John Ellis wrote:

I posted questions about this a couple of weeks ago I think it was. I
have been trying to get Tomcat running on a secure port with a valid
SSL certificate. We finally got version 9.0.0.M20 setup successfully
on port 9443 and I can go to that IP:port and get a Tomcat webpage but
when I go through all the steps using the keytool commands to submit a
certificate (we use Cacert.org) and try to plug that certificate into
the mix it doesn’t work. I still get an error message telling me that
I will have to create an exception to go to that IP address and port.
Last Friday I even deleted the certificate and all the keystore file,
etc. and got the same exact error. So it appears that Tomcat is not
seeing the certificate at all since I get the same error about having
to add an exception whether or not I have a valid certificate in place
on the server.

The lines we added to the server.xml file to get the secure port
working are-


keystoreFile=home/tomcat9.0.0.M20/apache-tomcat-9.0.0.M20/conf/keystore.jk
s"

keystorePass=hangeit" />

John Ellis

Thanks for the reply Terence. Yes I get the message about needing to create

a security exception when I first try to open the Tomcat webpage on the
secure port of 9443. I have deleted the certificate and supporting files off
of the server as I was going to start over with a new certificate. I believe
the error said something about not being able to verify the certificate. I
think the main issue is that this is just an internal server here in our
office running RHEL 6. It is not setup as a web server and it just has the
name of "cowboy" (given that name by my boss) so it is hard to figure out
what to call the "First and last name" part when I am creating the CSR to
send to Cacert.org. I can't just use the name "cowboy" as I don't have any
way to validate that. Have you ever run into situations like this? As I said
before I am not a programmer or developer or anything like that. My
background was in computer hardware for over 25 years until I took this
position after being laid off from what was formerly WebMD. We installed
systems in dr's offices, etc. Any light you could shed on this would be
great!
Thanks

Hi, John-

Is it a browser that's displaying the error message and requesting that you
create an exception to continue?  If so, have you looked at the additional
information to determine what problems the browser has detected with the
certificate?

-Terence Bandoian
   http://www.tmbsw.com/



Hi, John-

I would check the error message presented by the browser carefully and 
test with multiple browsers (e.g. Firefox, Chrome, IE, etc.). If you can 
copy the exact error messages to the list, someone might be able to 
offer more assistance.


If you're able to establish an encrypted connection, I would guess that 
Tomcat is at least finding "something" for a certificate.  And, you 
should be able to at least change the error message by altering your 
configuration.  If you can't, then something is amiss in the 
configuration process.  Was Tomcat restarted after the configuration was 
modified?  Is Java using a default location for the keystore? Is the 
keystore you specify in your Tomcat configuration modified when you 
execute the keytool commands?  Can you list the contents of the keystore?


If the browser can't verify the certificate, I'd guess that either 
intermediate certificates aren't available or the browser doesn't trust 
the certificate authority or the wrong address is used to access the 
server from the browser.  Detailed error messages would be helpful.


Instructions to generate a CSR are available on the Internet.  They vary 
though so you may have to dig to find something that works in your 
case.  I've found it best to use the instructions provided by the 
certificate provider.  In some cases, the prompt for first and last name 
is actually a request for the domain name to be secured. Also, a domain 
name that is at least recognized on your intranet will likely be 
required if you want to use a valid certificate.


It's been a while since I've configured Tomcat for SSL so I'm going on 
memory and can't offer much additional help.  There are others on the 
list though that probably can.  Specific details, such as Tomcat 
version, Java version and OS version and exact configuration, commands 
utilized and error messages make receiving that help more likely and 
more likely to result in success.


Hope that gets you started!

-Terence


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: 

RE: FW: [error] SSL0266E: Handshake Failed, Could not establish SSL proxy connection

2017-10-11 Thread Gali, Vamsi A
Igor,

Thank you for the response!

Since the request is failing at SSL handshake, Tomcat doesn’t even record 
anything not even the access log. I tried enabling debug at tomcat but nothing 
is captured during the request initiation.

Thank you,
Vamsi Gali

-Original Message-
From: Igor Cicimov [mailto:icici...@gmail.com] 
Sent: Wednesday, October 11, 2017 4:09 AM
To: Tomcat Users List
Subject: Re: FW: [error] SSL0266E: Handshake Failed, Could not establish SSL 
proxy connection

On 11 Oct 2017 1:50 am, "Gali, Vamsi A" 
wrote:

Hello,

Any help is appreciated on this issue.

Thank you,
Vamsi Gali


-Original Message-
From: Gali, Vamsi A
Sent: Thursday, October 05, 2017 12:03 PM
To: 'Tomcat Users List'
Subject: RE: [error] SSL0266E: Handshake Failed, Could not establish SSL proxy 
connection

Hello,
I just realized that I didn’t provide the environment info & following are the 
details:

Tomcat:  apache-tomcat-7.0.75
IHS: HIS v8.5.5.x
OS: RHEL

We have IHS→mod_proxy(on IHS) → Tomcat.
I know that IHS isn’t the suggested webserver to use with Tomcat but it’s in 
use.
[error] SSL0266E: Handshake Failed, Could not establish SSL proxy connection

When Tomcat is accessed through webserver url, it throws ‘500’ with the 
following stack on the IHS Error log:

[Thu Oct 00 09:20:20 2017] [debug] proxy_util.c(2313): proxy: HTTPS: fam 2 
socket created to connect to TOMCAT2 [Thu Oct 00 09:20:20 2017] [debug]
proxy_util.c(2419): proxy: HTTPS: connection complete to  TOMCAT-IP:PORT
(TOMCAT2) [Thu Oct 00 09:20:20 2017] [error] SSL0266E: Handshake Failed, Could 
not establish SSL proxy connection.
[Thu Oct 00 09:20:20 2017] [info] [client TOMCAT-IP] [7fa404014a60] [13789]
SSL0240I: SSL Handshake Failed, Socket has been closed. Client sent fatal alert 
[level 2 (fatal), description 40 (handshake_failure)] [TOMCAT-IP:PORT -> 
IHS:PORT] [09:20:20.000967434] 0ms [Thu Oct 00 09:20:20 2017] [debug] [client  
TOMCAT-IP] [7fa404014a60] Handshake transcript:
[Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]   [Thu Oct 
00 09:20:20 2017] [debug] [client  TOMCAT-IP]  client_version [Thu Oct 00 
09:20:20 2017] [debug] [client  TOMCAT-IP] gsksslDissector_8Bits
[Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]03
[Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP] gsksslDissector_8Bits
[Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]03
[Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]  TLSV12 [Thu Oct 00
09:20:20 2017] [debug] [client  TOMCAT-IP]  random [Thu Oct 00 09:20:20 2017] 
[debug] [client  TOMCAT-IP] gsksslDissector_32Bits
[Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]9xx
[Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP] gsksslDissector_Opaque
[Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]Length: 28
[Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]1x 62 xx B3 1F 44
xx 8E D2 xx x7 17 xx 59 x9 x9 .b...D...)...Y..
[Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]x1 91 19 08 25 xx
DC xx E1 xx 20 xx %..o.9 x
[Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]  session_id [Thu Oct
00 09:20:20 2017] [debug] [client  TOMCAT-IP]  Length: 00 [Thu Oct 00
09:20:20 2017] [debug] [client  TOMCAT-IP]  cipher_suites [Thu Oct 00
09:20:20 2017] [debug] [client  TOMCAT-IP]  Length: 14 [Thu Oct 00 09:20:20 
2017] [debug] [client  TOMCAT-IP]  0x Fx x6 00 00 xx
00 xx 00 xx 00 xx 00 xx   ..V/.5
[Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP] 
tls_ri_scsv,tls_fallback_scsv,tls_rsa_with_rc4_128_sha,tls_
rsa_with_aes_128_cbc_sha,tls_rsa_with_aes_256_cbc_sha,tls_
rsa_with_3des_ede_cbc_sha,tls_rsa_with_rc4_128_md5
[Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]  compression_methods 
[Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]  Length: 01 [Thu Oct 00 
09:20:20 2017] [debug] [client  TOMCAT-IP]  00
.
[Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]  Extensions [Thu Oct
00 09:20:20 2017] [debug] [client  TOMCAT-IP]  Length: 00
[Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]   Extension Count: 0
[Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP] end handshake transcript 
[Thu Oct 00 09:20:20 2017] [debug] proxy_util.c(2442): proxy:
HTTPS: pre_connection setup failed (500) [Thu Oct 00 09:20:20 2017] [debug]
proxy_util.c(2022): proxy: HTTPS: has released connection for TOMCAT2


--
What’s done: IHS & Tomcat keystores contain required signers for proper 
communication. During the troubleshooting, I even added IHS server cert as a 
signer into Tomcat keystore and vice-versa but cannot get rid of this error.
Also, tried restricting both IHS & Tomcat to use TLSv1 but no success.

Has anyone ran into similar issues? Or ever tried Tomcat with IHS using 
mod_proxy module?


Thank 

Basic question related to NIO connector and Async servlet processing

2017-10-11 Thread Saurav Sarkar
Hi All,

I have got a basic question related to usage of Async servlet with tomcat
NIO connector.

I want to use Async servlet with Non Block I/O as per servlet spec
https://docs.oracle.com/javaee/7/tutorial/servlets013.htm?lipi=urn%3Ali%3Apage%3Ad_flagship3_pulse_read%3BmL0Q5Y7ESTy4lpYPU%2Br77w%3D%3D

Such that the http worker threads are released and the container threads
won't be sitting idle for I/O operations too.

I am on Tomcat 7. As i understand the default tomcat connector (BIO) is a
blocking one and is on a thread per connection model. I am not clear on
whether using async Non Blocking I/o in servlets won't suffice ? Won't the
http worker threads be released here or will it be held for the lifetime of
the connection ?

NIO connector will use request per threads or allocate threads when
processing is required .Will using NIO selector only release the http
worker threads if it is used in conjunction with
Asynchronous Non blocking I/O servlets ?

Best Regards,
Saurav


Re: BREAKTHROUGH (but not solved) Re: Problem: (GSKit) No compatible cipher suite available between SSL end points.

2017-10-11 Thread Terence M. Bandoian

On 10/10/2017 1:20 AM, Peter Kreuser wrote:

Christopher,

A good read on the appropriate (openssl) cipher string that I use can be found 
here:
https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
Hynek explains the whys and don'ts and updates the string on a regular basis!

HTH

Peter



Nice article.  Thanks!

-Terence Bandoian
 http://www.tmbsw.com/


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Re: FW: [error] SSL0266E: Handshake Failed, Could not establish SSL proxy connection

2017-10-11 Thread Igor Cicimov
On 11 Oct 2017 1:50 am, "Gali, Vamsi A" 
wrote:

Hello,

Any help is appreciated on this issue.

Thank you,
Vamsi Gali


-Original Message-
From: Gali, Vamsi A
Sent: Thursday, October 05, 2017 12:03 PM
To: 'Tomcat Users List'
Subject: RE: [error] SSL0266E: Handshake Failed, Could not establish SSL
proxy connection

Hello,
I just realized that I didn’t provide the environment info & following are
the details:

Tomcat:  apache-tomcat-7.0.75
IHS: HIS v8.5.5.x
OS: RHEL

We have IHS→mod_proxy(on IHS) → Tomcat.
I know that IHS isn’t the suggested webserver to use with Tomcat but it’s
in use.
[error] SSL0266E: Handshake Failed, Could not establish SSL proxy connection

When Tomcat is accessed through webserver url, it throws ‘500’ with the
following stack on the IHS Error log:

[Thu Oct 00 09:20:20 2017] [debug] proxy_util.c(2313): proxy: HTTPS: fam 2
socket created to connect to TOMCAT2 [Thu Oct 00 09:20:20 2017] [debug]
proxy_util.c(2419): proxy: HTTPS: connection complete to  TOMCAT-IP:PORT
(TOMCAT2) [Thu Oct 00 09:20:20 2017] [error] SSL0266E: Handshake Failed,
Could not establish SSL proxy connection.
[Thu Oct 00 09:20:20 2017] [info] [client TOMCAT-IP] [7fa404014a60] [13789]
SSL0240I: SSL Handshake Failed, Socket has been closed. Client sent fatal
alert [level 2 (fatal), description 40 (handshake_failure)]
[TOMCAT-IP:PORT -> IHS:PORT] [09:20:20.000967434] 0ms [Thu Oct 00 09:20:20
2017] [debug] [client  TOMCAT-IP] [7fa404014a60] Handshake transcript:
[Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]   [Thu
Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]  client_version
[Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]
gsksslDissector_8Bits
[Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]03
[Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]
gsksslDissector_8Bits
[Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]03
[Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]  TLSV12 [Thu Oct 00
09:20:20 2017] [debug] [client  TOMCAT-IP]  random
[Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]
gsksslDissector_32Bits
[Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]9xx
[Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]
gsksslDissector_Opaque
[Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]Length: 28
[Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]1x 62 xx B3 1F 44
xx 8E D2 xx x7 17 xx 59 x9 x9 .b...D...)...Y..
[Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]x1 91 19 08 25 xx
DC xx E1 xx 20 xx %..o.9 x
[Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]  session_id [Thu Oct
00 09:20:20 2017] [debug] [client  TOMCAT-IP]  Length: 00 [Thu Oct 00
09:20:20 2017] [debug] [client  TOMCAT-IP]  cipher_suites [Thu Oct 00
09:20:20 2017] [debug] [client  TOMCAT-IP]  Length: 14
[Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]  0x Fx x6 00 00 xx
00 xx 00 xx 00 xx 00 xx   ..V/.5
[Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]
tls_ri_scsv,tls_fallback_scsv,tls_rsa_with_rc4_128_sha,tls_
rsa_with_aes_128_cbc_sha,tls_rsa_with_aes_256_cbc_sha,tls_
rsa_with_3des_ede_cbc_sha,tls_rsa_with_rc4_128_md5
[Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]  compression_methods
[Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]  Length: 01
[Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]  00
.
[Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]  Extensions [Thu Oct
00 09:20:20 2017] [debug] [client  TOMCAT-IP]  Length: 00
[Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]   Extension Count: 0
[Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP] end handshake
transcript [Thu Oct 00 09:20:20 2017] [debug] proxy_util.c(2442): proxy:
HTTPS: pre_connection setup failed (500) [Thu Oct 00 09:20:20 2017] [debug]
proxy_util.c(2022): proxy: HTTPS: has released connection for TOMCAT2


--
What’s done: IHS & Tomcat keystores contain required signers for proper
communication. During the troubleshooting, I even added IHS server cert as
a signer into Tomcat keystore and vice-versa but cannot get rid of this
error.
Also, tried restricting both IHS & Tomcat to use TLSv1 but no success.

Has anyone ran into similar issues? Or ever tried Tomcat with IHS using
mod_proxy module?


Thank you,
Vamsi Gali


This communication may contain privileged and/or confidential information.
It is intended solely for the use of the addressee. If you are not the
intended recipient, you are strictly prohibited from disclosing, copying,
distributing or using any of this information. If you received this
communication in error, please contact the sender immediately and destroy
the material in its entirety, whether electronic or hard copy. This
communication may contain nonpublic personal information about