RE: Why will Tomcat not accept EC cipher suites?

2018-01-08 Thread Gali, Vamsi A
Hello John,
Technically, Java 1.8 provides the ciphers which are used by Tomcat and it 
definitely supports  a lot of EC ciphers: 
https://docs.oracle.com/javase/8/docs/technotes/guides/security/StandardNames.html#ciphersuites
Do you get the HandShakeException when you access the Tomcat directly or using 
webserver?

Also, I use a small script to get the list of supported ciphers for each 
Protocol, as below:
--
#!/bin/sh
# Protocol to probe: use tls1_1 or tls1_2 in place of tls1.
for v in tls1; do
  # Try every cipher the local openssl knows; print the ones the server accepts.
  for c in $(openssl ciphers 'ALL:eNULL' | tr ':' ' '); do
    openssl s_client -connect TOMCAT-SERVER:HTTPS-Port \
      -cipher "$c" "-$v" < /dev/null > /dev/null 2>&1 && printf '%s:\t%s\n' "$v" "$c"
  done
done
-


Thank you,
Vamsi Gali

-Original Message-
From: john.e.gr...@wellsfargo.com.INVALID 
[mailto:john.e.gr...@wellsfargo.com.INVALID] 
Sent: Monday, January 08, 2018 2:35 PM
To: users@tomcat.apache.org
Subject: Why will Tomcat not accept EC cipher suites?

All,

I'm using Tomcat 7.0.82 and java 1.8.0_152.

I cannot get Tomcat to accept elliptic curve ciphers.  I've written a small SSL 
socket server that uses the same certificate as the server and deployed it on 
the same machine using the same JDK.  It accepts EC ciphers just fine so I 
don't think there is anything in the JDK that has disabled them, etc.  With 
verbose SSL enabled, Tomcat, however, complains about "http-bio-7114-exec-4, 
handling exception: javax.net.ssl.SSLHandshakeException: no cipher suites in 
common."

If I omit the "ciphers" property of the connector, I get this:

No available cipher suite for TLSv1
No available cipher suite for TLSv1.1
No available cipher suite for TLSv1.2

If I set ciphers="ALL,"  I'm back to "no cipher suites in common."

If I explicitly tell Tomcat to accept TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, 
which works with my socket server, I get "No appropriate protocol (protocol is 
disabled or cipher suites are inappropriate)."

BTW I have an RSA cert on the server with a 2048-bit key and signed using 
SHA256withRSA.

One of the connector configs I've tried.



Thanks

John






-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



RE: FW: [error] SSL0266E: Handshake Failed, Could not establish SSL proxy connection

2017-10-12 Thread Gali, Vamsi A
This issue is now RESOLVED.

On IHS (IBM HTTP Server, IBM version of Apache Webserver), we only had 2 TLS 
ciphers that are not compatible with Tomcat TLS1.2. So I added 
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256" to IHS httpd.conf by looking at this: 
https://www.ibm.com/support/knowledgecenter/en/SSEQTJ_8.5.5/com.ibm.websphere.ihs.doc/ihs/rihs_ciphspec.html
 and IHS can communicate with Tomcat W/O any issues. Woohoo!

The reason I picked the above cipher is because it's on the list of ciphers 
Tomcat's JVM supports. 

Igor, I couldn’t use one of the Java-based cipher tools so used a small script 
to get a list of ciphers available for a JVM (this can be used for any Linux 
server as long as openssl is available):

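#!/bin/sh
# Protocol to probe (the -tls1_2 option of openssl s_client).
for v in tls1_2; do
  # Try every cipher the local openssl knows; print the ones the server accepts.
  for c in $(openssl ciphers 'ALL:eNULL' | tr ':' ' '); do
    openssl s_client -connect SERVERNAME:https_port \
      -cipher "$c" "-$v" < /dev/null > /dev/null 2>&1 && printf '%s:\t%s\n' "$v" "$c"
  done
done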

I executed the above script to find out a list of ciphers on Tomcat's JVM and based 
on that I chose to use TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 on IHS.

I appreciate all the help on finding me the true issue!

Thank you,
Vamsi Gali


-Original Message-
From: André Warnier (tomcat) [mailto:a...@ice-sa.com] 
Sent: Thursday, October 12, 2017 10:05 AM
To: users@tomcat.apache.org
Subject: Re: FW: [error] SSL0266E: Handshake Failed, Could not establish SSL 
proxy connection

On 12.10.2017 15:33, Gali, Vamsi A wrote:
> :)
> IHS is IBM HTTP Server.
>
> Thank you,

Thank you too. I feel a lot less like a dummy now.
And after reading a bit on "IHS" now, it would seem that this is at least 90% 
Apache httpd 2.2, which may make it clearer to other people that maybe they 
could help too.

>
>
> -Original Message-
> From: André Warnier (tomcat) [mailto:a...@ice-sa.com]
> Sent: Thursday, October 12, 2017 9:32 AM
> To: users@tomcat.apache.org
> Subject: Re: FW: [error] SSL0266E: Handshake Failed, Could not 
> establish SSL proxy connection
>
> And for the rest of us dummies trying to follow this conversation, what might 
> "IHS" be ?
> Whatever Google returns doesn't seem really relevant.
>
> On 12.10.2017 15:25, Gali, Vamsi A wrote:
>> Igor,
>> Thank you for suggesting me to turn on the ssl debug. We are using Java 1.8 
>> which by default uses TLS1.2. Looks like both IHS & Tomcat are using tls1.2 
>> but there is a cipher mismatch. We have Tam directly connecting to Tomcat 
>> and the connectivity works w/o any SSL handshake errors. Hence, I'm 
>> suspecting IHS and will be trying by adding same tls1.2 ciphers that 
>> Tomcat/java supports.
>>
>> Thank you,
>> Vamsi Gali
>>
>>
>> -Original Message-
>> From: Igor Cicimov [mailto:icici...@gmail.com]
>> Sent: Wednesday, October 11, 2017 7:33 PM
>> To: Tomcat Users List
>> Subject: Re: FW: [error] SSL0266E: Handshake Failed, Could not 
>> establish SSL proxy connection
>>
>> On Thu, Oct 12, 2017 at 9:17 AM, Igor Cicimov <icici...@gmail.com> wrote:
>>
>>> On 12 Oct 2017 8:25 am, "Gali, Vamsi A"
>>> <vamsi_a_g...@keybank.com.invalid>
>>> wrote:
>>>
>>> The debug log produced following & it's evident that handshake is 
>>> failing due to no ciphers suites in common.
>>>
>>> Allow unsafe renegotiation: false
>>> Allow legacy hello messages: true
>>> Is initial handshake: true
>>> Is secure renegotiation: false
>>> http-bio--Acceptor-0, setSoTimeout(6) called Ignoring 
>>> unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
>>> for TLSv1
>>> Ignoring unsupported cipher suite:
>>> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
>>> for TLSv1
>>> Ignoring unsupported cipher suite:
>>> TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
>>> for TLSv1
>>> Ignoring unsupported cipher suite:
>>> TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
>>> for TLSv1
>>> Ignoring unsupported cipher suite:
>>> TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
>>> for TLSv1
>>> Ignoring unsupported cipher suite:
>>> TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
>>> for TLSv1
>>> Ignoring unsupported cipher suite:
>>> TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
>>> for TLSv1.1
>>> Ignoring unsupported cipher suite:
>>> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
>>> for TLSv1.1
>>> Ignoring unsupported cipher suite:
>>> TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
>>> for TLSv1.1
>>> Ignoring unsupported cipher suite:
>>> TLS_ECDH_RSA_WITH_AES_256_CBC_S
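
Added example, not part of the original thread: a shell sketch that pulls the offered cipher suites out of a ClientHello in a -Djavax.net.debug=ssl log and intersects them with the suites the server accepts, before and after adding TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 on the proxy. The log excerpt is constructed from the layout posted in this thread; the server list and the function names (sample_log, server_suites, offered_suites, common_suites, report) are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: why the proxy's ClientHello ends in "no cipher suites in common".

# Constructed sample: the ClientHello part of a -Djavax.net.debug=ssl log,
# laid out like the one posted in this thread.
sample_log() {
cat <<'EOF'
http-bio--exec-2, READ: TLSv1.2 Handshake, length = 57
*** ClientHello, TLSv1.2
Session ID:  {}
Cipher Suites: [TLS_EMPTY_RENEGOTIATION_INFO_SCSV, Unknown 0x56:0x0,
SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA,
TLS_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA,
SSL_RSA_WITH_RC4_128_MD5]
Compression Methods:  { 0 }
***
EOF
}

# Constructed list (assumption): suites the Tomcat side accepts, in JSSE names.
server_suites() {
cat <<'EOF'
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
EOF
}

# stdin: JSSE debug log. stdout: suites offered in the first ClientHello, one
# per line. The list may wrap over several lines. Signalling values are not
# ciphers and are dropped: *_SCSV and "Unknown 0x56:0x0" (the IHS transcript
# in this thread names that value tls_fallback_scsv). JSSE's legacy SSL_
# prefix is rewritten to TLS_ so both sides compare under one name.
offered_suites() {
  awk '
    /\*\*\* ClientHello/ { hello = 1; next }
    hello && !grab && /Cipher Suites: \[/ { grab = 1; sub(/.*Cipher Suites: \[/, "") }
    grab {
      last = index($0, "]")
      if (last) $0 = substr($0, 1, last - 1)
      n = split($0, part, ",")
      for (i = 1; i <= n; i++) {
        s = part[i]
        gsub(/^[ \t]+|[ \t]+$/, "", s)
        if (s == "" || s ~ /^Unknown / || s ~ /_SCSV$/) continue
        sub(/^SSL_/, "TLS_", s)
        print s
      }
      if (last) exit
    }'
}

# stdin: client offer, one suite per line. $1: server suites (whitespace
# separated). stdout: suites present on both sides, in the client's order.
common_suites() {
  server=$(printf '%s\n' "$1" | tr '\n' ' ')
  awk -v list="$server" '
    BEGIN {
      n = split(list, a, " ")
      for (i = 1; i <= n; i++) { s = a[i]; sub(/^SSL_/, "TLS_", s); have[s] = 1 }
    }
    { s = $0; sub(/^SSL_/, "TLS_", s); if (s in have) print s }'
}

# report OFFER SERVER: print the common suites, or the JSSE failure text.
report() {
  common=$(printf '%s\n' "$1" | common_suites "$2")
  if [ -n "$common" ]; then
    printf 'in common: %s\n' $common
  else
    echo 'no cipher suites in common'
  fi
}

offer=$(sample_log | offered_suites)
echo "proxy offer as logged:"
report "$offer" "$(server_suites)"
echo "after adding TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 on the proxy:"
report "$offer
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256" "$(server_suites)"
```

To use it on real data, feed the JVM's debug output to offered_suites and replace server_suites with the names the server actually accepts.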

RE: FW: [error] SSL0266E: Handshake Failed, Could not establish SSL proxy connection

2017-10-12 Thread Gali, Vamsi A
:)
IHS is IBM HTTP Server.

Thank you,


-Original Message-
From: André Warnier (tomcat) [mailto:a...@ice-sa.com] 
Sent: Thursday, October 12, 2017 9:32 AM
To: users@tomcat.apache.org
Subject: Re: FW: [error] SSL0266E: Handshake Failed, Could not establish SSL 
proxy connection

And for the rest of us dummies trying to follow this conversation, what might 
"IHS" be ?
Whatever Google returns doesn't seem really relevant.

On 12.10.2017 15:25, Gali, Vamsi A wrote:
> Igor,
> Thank you for suggesting me to turn on the ssl debug. We are using Java 1.8 
> which by default uses TLS1.2. Looks like both IHS & Tomcat are using tls1.2 
> but there is a cipher mismatch. We have Tam directly connecting to Tomcat and 
> the connectivity works w/o any SSL handshake errors. Hence, I'm suspecting 
> IHS and will be trying by adding same tls1.2 ciphers that Tomcat/java 
> supports.
>
> Thank you,
> Vamsi Gali
>
>
> -Original Message-
> From: Igor Cicimov [mailto:icici...@gmail.com]
> Sent: Wednesday, October 11, 2017 7:33 PM
> To: Tomcat Users List
> Subject: Re: FW: [error] SSL0266E: Handshake Failed, Could not 
> establish SSL proxy connection
>
> On Thu, Oct 12, 2017 at 9:17 AM, Igor Cicimov <icici...@gmail.com> wrote:
>
>> On 12 Oct 2017 8:25 am, "Gali, Vamsi A"
>> <vamsi_a_g...@keybank.com.invalid>
>> wrote:
>>
>> The debug log produced following & it's evident that handshake is 
>> failing due to no ciphers suites in common.
>>
>> Allow unsafe renegotiation: false
>> Allow legacy hello messages: true
>> Is initial handshake: true
>> Is secure renegotiation: false
>> http-bio--Acceptor-0, setSoTimeout(6) called Ignoring 
>> unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
>> for TLSv1
>> Ignoring unsupported cipher suite:
>> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
>> for TLSv1
>> Ignoring unsupported cipher suite:
>> TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
>> for TLSv1
>> Ignoring unsupported cipher suite:
>> TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
>> for TLSv1
>> Ignoring unsupported cipher suite: 
>> TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
>> for TLSv1
>> Ignoring unsupported cipher suite: 
>> TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
>> for TLSv1
>> Ignoring unsupported cipher suite:
>> TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
>> for TLSv1.1
>> Ignoring unsupported cipher suite:
>> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
>> for TLSv1.1
>> Ignoring unsupported cipher suite:
>> TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
>> for TLSv1.1
>> Ignoring unsupported cipher suite:
>> TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
>> for TLSv1.1
>> Ignoring unsupported cipher suite: 
>> TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
>> for TLSv1.1
>> Ignoring unsupported cipher suite: 
>> TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
>> for TLSv1.1
>> http-bio--exec-2, READ: TLSv1.2 Handshake, length = 57
>> *** ClientHello, TLSv1.2
>> RandomCookie:  GMT: -2042962343 bytes = { 199, 95, 
>> 13, 144, 113, 194, 145, 53, 176, 117, 165, 93, 196, 76, 17, 104, 214, 
>> 95, 96, 238, 97, 6, 240, 239, 53, 188, 180, 41 } Session ID:  {} 
>> Cipher Suites: [TLS_EMPTY_RENEGOTIATION_INFO_SCSV, Unknown 0x56:0x0, 
>> SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, 
>> TLS_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, 
>> SSL_RSA_WITH_RC4_128_MD5] Compression Methods:  { 0 }
>> ***
>> %% Initialized:  [Session-13, SSL_NULL_WITH_NULL_NULL] %% Invalidated:
>> [Session-13, SSL_NULL_WITH_NULL_NULL] http-bio--exec-2, SEND
>> TLSv1.2 ALERT:  fatal, description = handshake_failure 
>> http-bio--exec-2, WRITE: TLSv1.2 Alert, length = 2 
>> http-bio--exec-2, called closeSocket()
>>
>>
>>
>> http-bio--exec-2, handling exception: 
>> javax.net.ssl.SSLHandshakeException:
>> no cipher suites in common
>> http-bio--exec-2, IOException in getSession():
>> javax.net.ssl.SSLHandshakeException: no cipher suites in common
>>
>>
>> There you go, no comment needed.
>>
>> Also, since you are using JSSE in your tomcat connector, you never
> mentioned the Java version you are using? From the logs looks like IHS offers 
> TLSv1.2 ciphers but tomcat does not support them so maybe you are running an 
> outdated version of Java, maybe 1.6?
>
> There are some tools out there you can use to find the default SSL/TLS cipher 
> suites that JVM will use (and I think I've seen one from Christopher Schultz). 
> The tool should provide you with output like this:
>

RE: FW: [error] SSL0266E: Handshake Failed, Could not establish SSL proxy connection

2017-10-12 Thread Gali, Vamsi A
Igor,
Thank you for suggesting me to turn on the ssl debug. We are using Java 1.8 
which by default uses TLS1.2. Looks like both IHS & Tomcat are using tls1.2 but 
there is a cipher mismatch. We have Tam directly connecting to Tomcat and the 
connectivity works w/o any SSL handshake errors. Hence, I'm suspecting IHS and 
will be trying by adding same tls1.2 ciphers that Tomcat/java supports.

Thank you,
Vamsi Gali


-Original Message-
From: Igor Cicimov [mailto:icici...@gmail.com] 
Sent: Wednesday, October 11, 2017 7:33 PM
To: Tomcat Users List
Subject: Re: FW: [error] SSL0266E: Handshake Failed, Could not establish SSL 
proxy connection

On Thu, Oct 12, 2017 at 9:17 AM, Igor Cicimov <icici...@gmail.com> wrote:

> On 12 Oct 2017 8:25 am, "Gali, Vamsi A" 
> <vamsi_a_g...@keybank.com.invalid>
> wrote:
>
> The debug log produced following & it's evident that handshake is 
> failing due to no ciphers suites in common.
>
> Allow unsafe renegotiation: false
> Allow legacy hello messages: true
> Is initial handshake: true
> Is secure renegotiation: false
> http-bio--Acceptor-0, setSoTimeout(6) called Ignoring 
> unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
> for TLSv1
> Ignoring unsupported cipher suite: 
> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
> for TLSv1
> Ignoring unsupported cipher suite: 
> TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
> for TLSv1
> Ignoring unsupported cipher suite: 
> TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
> for TLSv1
> Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
> for TLSv1
> Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
> for TLSv1
> Ignoring unsupported cipher suite: 
> TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
> for TLSv1.1
> Ignoring unsupported cipher suite: 
> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
> for TLSv1.1
> Ignoring unsupported cipher suite: 
> TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
> for TLSv1.1
> Ignoring unsupported cipher suite: 
> TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
> for TLSv1.1
> Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
> for TLSv1.1
> Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
> for TLSv1.1
> http-bio--exec-2, READ: TLSv1.2 Handshake, length = 57
> *** ClientHello, TLSv1.2
> RandomCookie:  GMT: -2042962343 bytes = { 199, 95, 
> 13, 144, 113, 194, 145, 53, 176, 117, 165, 93, 196, 76, 17, 104, 214, 
> 95, 96, 238, 97, 6, 240, 239, 53, 188, 180, 41 } Session ID:  {} 
> Cipher Suites: [TLS_EMPTY_RENEGOTIATION_INFO_SCSV, Unknown 0x56:0x0, 
> SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, 
> TLS_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, 
> SSL_RSA_WITH_RC4_128_MD5] Compression Methods:  { 0 }
> ***
> %% Initialized:  [Session-13, SSL_NULL_WITH_NULL_NULL] %% Invalidated:  
> [Session-13, SSL_NULL_WITH_NULL_NULL] http-bio--exec-2, SEND 
> TLSv1.2 ALERT:  fatal, description = handshake_failure 
> http-bio--exec-2, WRITE: TLSv1.2 Alert, length = 2 
> http-bio--exec-2, called closeSocket()
>
>
>
> http-bio--exec-2, handling exception: javax.net.ssl.SSLHandshakeException:
> no cipher suites in common
> http-bio--exec-2, IOException in getSession():
> javax.net.ssl.SSLHandshakeException: no cipher suites in common
>
>
> There you go, no comment needed.
>
> Also, since you are using JSSE in your tomcat connector, you never
mentioned the Java version you are using? From the logs looks like IHS offers 
TLSv1.2 ciphers but tomcat does not support them so maybe you are running an 
outdated version of Java, maybe 1.6?

There are some tools out there you can use to find the default SSL/TLS cipher suites 
that JVM will use (and I think I've seen one from Christopher Schultz). The 
tool should provide you with output like this:

$ java Ciphers
DefaultCipher
 SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
*SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
 SSL_DHE_DSS_WITH_DES_CBC_SHA
 SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
*SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
 SSL_DHE_RSA_WITH_DES_CBC_SHA
 SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA
 SSL_DH_anon_WITH_3DES_EDE_CBC_SHA
 SSL_DH_anon_WITH_DES_CBC_SHA
 SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
*SSL_RSA_WITH_3DES_EDE_CBC_SHA
 SSL_RSA_WITH_DES_CBC_SHA
 SSL_RSA_WITH_NULL_MD5
 SSL_RSA_WITH_NULL_SHA
*TLS_DHE_DSS_WITH_AES_128_CBC_SHA
*TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
*TLS_DHE_DSS_WITH_AES_128_GCM_SHA256
*TLS_DHE_RSA_WITH_AES_128_CBC_SHA
*TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
*TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
 TLS_DH_anon_WITH_AES_128_CBC_SHA
 TLS_DH_anon_WITH_AES_128_CBC_SHA256
 TLS_DH_anon_WITH_AES_128_GCM_SHA256
...

then pick up one of the suppo

RE: FW: [error] SSL0266E: Handshake Failed, Could not establish SSL proxy connection

2017-10-11 Thread Gali, Vamsi A
The debug log produced following & it's evident that handshake is failing due 
to no ciphers suites in common.

Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
http-bio--Acceptor-0, setSoTimeout(6) called
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 for 
TLSv1
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 for 
TLSv1
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 for 
TLSv1
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 for 
TLSv1
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 for 
TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 for 
TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 for 
TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 for 
TLSv1.1
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for 
TLSv1.1
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for 
TLSv1.1
http-bio--exec-2, READ: TLSv1.2 Handshake, length = 57
*** ClientHello, TLSv1.2
RandomCookie:  GMT: -2042962343 bytes = { 199, 95, 13, 144, 113, 194, 145, 53, 
176, 117, 165, 93, 196, 76, 17, 104, 214, 95, 96, 238, 97, 6, 240, 239, 53, 
188, 180, 41 }
Session ID:  {}
Cipher Suites: [TLS_EMPTY_RENEGOTIATION_INFO_SCSV, Unknown 0x56:0x0, 
SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, 
TLS_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, 
SSL_RSA_WITH_RC4_128_MD5]
Compression Methods:  { 0 }
***
%% Initialized:  [Session-13, SSL_NULL_WITH_NULL_NULL]
%% Invalidated:  [Session-13, SSL_NULL_WITH_NULL_NULL]
http-bio--exec-2, SEND TLSv1.2 ALERT:  fatal, description = 
handshake_failure
http-bio--exec-2, WRITE: TLSv1.2 Alert, length = 2
http-bio--exec-2, called closeSocket()
http-bio--exec-2, handling exception: javax.net.ssl.SSLHandshakeException: 
no cipher suites in common
http-bio--exec-2, IOException in getSession():  
javax.net.ssl.SSLHandshakeException: no cipher suites in common
http-bio--exec-2, called close()
http-bio--exec-2, called closeInternal(true)

Thank you,
Vamsi Gali


-Original Message-
From: Gali, Vamsi A [mailto:vamsi_a_g...@keybank.com.INVALID] 
Sent: Wednesday, October 11, 2017 11:18 AM
To: Tomcat Users List
Subject: RE: FW: [error] SSL0266E: Handshake Failed, Could not establish SSL 
proxy connection

I see what Igor has suggested and I will be reproducing the issue by adding  
'-Djavax.net.debug=ssl' to setenv.sh's JAVA_OPTS.  Thank you!

Thank you,
Vamsi Gali


-Original Message-
From: Mark Thomas [mailto:ma...@apache.org]
Sent: Wednesday, October 11, 2017 10:44 AM
To: users@tomcat.apache.org
Subject: Re: FW: [error] SSL0266E: Handshake Failed, Could not establish SSL 
proxy connection

On 11/10/2017 14:05, Gali, Vamsi A wrote:
> Igor,
> 
> Thank you for the response!
> 
> Since the request is failing at SSL handshake, Tomcat doesn’t even record 
> anything not even the access log. I tried enabling debug at tomcat but 
> nothing is captured during the request initiation.

Re-read the suggestion. You need to enable the JRE provided SSL debugging, not 
Tomcat debug logging.

Check your JVM docs for how to do that.

Mark


> 
> Thank you,
> Vamsi Gali
> 
> -Original Message-
> From: Igor Cicimov [mailto:icici...@gmail.com]
> Sent: Wednesday, October 11, 2017 4:09 AM
> To: Tomcat Users List
> Subject: Re: FW: [error] SSL0266E: Handshake Failed, Could not 
> establish SSL proxy connection
> 
> On 11 Oct 2017 1:50 am, "Gali, Vamsi A" 
> <vamsi_a_g...@keybank.com.invalid>
> wrote:
> 
> Hello,
> 
> Any help is appreciated on this issue.
> 
> Thank you,
> Vamsi Gali
> 
> 
> -Original Message-
> From: Gali, Vamsi A
> Sent: Thursday, October 05, 2017 12:03 PM
> To: 'Tomcat Users List'
> Subject: RE: [error] SSL0266E: Handshake Failed, Could not establish 
> SSL proxy connection
> 
> Hello,
> I just realized that I didn’t provide the environment info & following are 
> the details:
> 
> Tomcat:  apache-tomcat-7.0.75
> IHS: IHS v8.5.5.x
> OS: RHEL
> 
> We have IHS→mod_proxy(on IHS) → Tomcat.
> I know that IHS isn’t the suggested webserver to use with Tomcat but it’s in 
> use.
> [error] SSL0266E: Handshake Failed, Could not establish SSL proxy 
> connection
> 
> When Tomcat is accessed through webserver url, it throws ‘500’ with the 
> following stack on the IHS Error log:
> 
> [Thu Oct 00 09:20:20 2017] [debug] proxy_util.c(2313): proxy: HTTPS: 
> fam

RE: FW: [error] SSL0266E: Handshake Failed, Could not establish SSL proxy connection

2017-10-11 Thread Gali, Vamsi A
I see what Igor has suggested and I will be reproducing the issue by adding  
'-Djavax.net.debug=ssl' to setenv.sh's JAVA_OPTS.  Thank you!

Thank you,
Vamsi Gali


-Original Message-
From: Mark Thomas [mailto:ma...@apache.org] 
Sent: Wednesday, October 11, 2017 10:44 AM
To: users@tomcat.apache.org
Subject: Re: FW: [error] SSL0266E: Handshake Failed, Could not establish SSL 
proxy connection

On 11/10/2017 14:05, Gali, Vamsi A wrote:
> Igor,
> 
> Thank you for the response!
> 
> Since the request is failing at SSL handshake, Tomcat doesn’t even record 
> anything not even the access log. I tried enabling debug at tomcat but 
> nothing is captured during the request initiation.

Re-read the suggestion. You need to enable the JRE provided SSL debugging, not 
Tomcat debug logging.

Check your JVM docs for how to do that.

Mark


> 
> Thank you,
> Vamsi Gali
> 
> -Original Message-
> From: Igor Cicimov [mailto:icici...@gmail.com]
> Sent: Wednesday, October 11, 2017 4:09 AM
> To: Tomcat Users List
> Subject: Re: FW: [error] SSL0266E: Handshake Failed, Could not 
> establish SSL proxy connection
> 
> On 11 Oct 2017 1:50 am, "Gali, Vamsi A" 
> <vamsi_a_g...@keybank.com.invalid>
> wrote:
> 
> Hello,
> 
> Any help is appreciated on this issue.
> 
> Thank you,
> Vamsi Gali
> 
> 
> -Original Message-
> From: Gali, Vamsi A
> Sent: Thursday, October 05, 2017 12:03 PM
> To: 'Tomcat Users List'
> Subject: RE: [error] SSL0266E: Handshake Failed, Could not establish 
> SSL proxy connection
> 
> Hello,
> I just realized that I didn’t provide the environment info & following are 
> the details:
> 
> Tomcat:  apache-tomcat-7.0.75
> IHS: IHS v8.5.5.x
> OS: RHEL
> 
> We have IHS→mod_proxy(on IHS) → Tomcat.
> I know that IHS isn’t the suggested webserver to use with Tomcat but it’s in 
> use.
> [error] SSL0266E: Handshake Failed, Could not establish SSL proxy 
> connection
> 
> When Tomcat is accessed through webserver url, it throws ‘500’ with the 
> following stack on the IHS Error log:
> 
> [Thu Oct 00 09:20:20 2017] [debug] proxy_util.c(2313): proxy: HTTPS: 
> fam 2 socket created to connect to TOMCAT2 [Thu Oct 00 09:20:20 2017] 
> [debug]
> proxy_util.c(2419): proxy: HTTPS: connection complete to  
> TOMCAT-IP:PORT
> (TOMCAT2) [Thu Oct 00 09:20:20 2017] [error] SSL0266E: Handshake Failed, 
> Could not establish SSL proxy connection.
> [Thu Oct 00 09:20:20 2017] [info] [client TOMCAT-IP] [7fa404014a60] 
> [13789]
> SSL0240I: SSL Handshake Failed, Socket has been closed. Client sent fatal 
> alert [level 2 (fatal), description 40 (handshake_failure)] [TOMCAT-IP:PORT 
> -> IHS:PORT] [09:20:20.000967434] 0ms [Thu Oct 00 09:20:20 2017] [debug] 
> [client  TOMCAT-IP] [7fa404014a60] Handshake transcript:
> [Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]   [Thu 
> Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]  client_version [Thu Oct 00 
> 09:20:20 2017] [debug] [client  TOMCAT-IP] gsksslDissector_8Bits
> [Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]03
> [Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP] gsksslDissector_8Bits
> [Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]03
> [Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]  TLSV12 [Thu 
> Oct 00
> 09:20:20 2017] [debug] [client  TOMCAT-IP]  random [Thu Oct 00 09:20:20 2017] 
> [debug] [client  TOMCAT-IP] gsksslDissector_32Bits
> [Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]9xx
> [Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP] gsksslDissector_Opaque
> [Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]Length: 28
> [Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]1x 62 xx B3 1F 44
> xx 8E D2 xx x7 17 xx 59 x9 x9 .b...D...)...Y..
> [Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]x1 91 19 08 25 xx
> DC xx E1 xx 20 xx %..o.9 x
> [Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]  session_id 
> [Thu Oct
> 00 09:20:20 2017] [debug] [client  TOMCAT-IP]  Length: 00 [Thu Oct 00
> 09:20:20 2017] [debug] [client  TOMCAT-IP]  cipher_suites [Thu Oct 00
> 09:20:20 2017] [debug] [client  TOMCAT-IP]  Length: 14 [Thu Oct 00 09:20:20 
> 2017] [debug] [client  TOMCAT-IP]  0x Fx x6 00 00 xx
> 00 xx 00 xx 00 xx 00 xx   ..V/.5
> [Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP] 
> tls_ri_scsv,tls_fallback_scsv,tls_rsa_with_rc4_128_sha,tls_
> rsa_with_aes_128_cbc_sha,tls_rsa_with_aes_256_cbc_sha,tls_
> rsa_with_3des_ede_cbc_sha,tls_rsa_with_rc4_128_md5
> [Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]  compression_methods 
> [Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]  Length: 01 [Thu Oct 
> 00 09:20:2

RE: FW: [error] SSL0266E: Handshake Failed, Could not establish SSL proxy connection

2017-10-11 Thread Gali, Vamsi A
Yes, Siva. 
Both IHS & Tomcat keystores are added with correct CA certs.

Webserver Config:

Include "rewrites.conf"
SSLEnable
Include "cipher.conf"
Keyfile Key-File
# tomcat balancer and proxy section
ProxyRequests Off
SSLProxyEngine on

 
 BalancerMember https://Tomcat1:https-port/app1 route=app1_01
 BalancerMember https://Tomcat2:https-port/app1 route=app1_02

 ProxyPassReverse /app1 balancer://app1
 ProxyPass /app1 balancer://app1 stickysession=JSESSIONID|jsessionid


Tomcat SSL Connector:

  

We haven’t specified the list of ciphers for Tomcat and it's set to TLS for ssl 
protocol.


Thank you,
Vamsi Gali


-Original Message-
From: shivashankar manukondu [mailto:sivasankar.m...@gmail.com] 
Sent: Wednesday, October 11, 2017 10:02 AM
To: Tomcat Users List
Subject: Re: FW: [error] SSL0266E: Handshake Failed, Could not establish SSL 
proxy connection

Hi,

Can you post the web and tomcat servers configuration files.

I hope you have added CA root certificate to the backend truststore?

Regards,
Siva

On Wed, Oct 11, 2017 at 3:05 PM, Gali, Vamsi A < 
vamsi_a_g...@keybank.com.invalid> wrote:

> Igor,
>
> Thank you for the response!
>
> Since the request is failing at SSL handshake, Tomcat doesn’t even 
> record anything not even the access log. I tried enabling debug at 
> tomcat but nothing is captured during the request initiation.
>
> Thank you,
> Vamsi Gali
>
> -Original Message-
> From: Igor Cicimov [mailto:icici...@gmail.com]
> Sent: Wednesday, October 11, 2017 4:09 AM
> To: Tomcat Users List
> Subject: Re: FW: [error] SSL0266E: Handshake Failed, Could not 
> establish SSL proxy connection
>
> On 11 Oct 2017 1:50 am, "Gali, Vamsi A" 
> <vamsi_a_g...@keybank.com.invalid>
> wrote:
>
> Hello,
>
> Any help is appreciated on this issue.
>
> Thank you,
> Vamsi Gali
>
>
> -Original Message-
> From: Gali, Vamsi A
> Sent: Thursday, October 05, 2017 12:03 PM
> To: 'Tomcat Users List'
> Subject: RE: [error] SSL0266E: Handshake Failed, Could not establish 
> SSL proxy connection
>
> Hello,
> I just realized that I didn’t provide the environment info & following 
> are the details:
>
> Tomcat:  apache-tomcat-7.0.75
> IHS: IHS v8.5.5.x
> OS: RHEL
>
> We have IHS→mod_proxy(on IHS) → Tomcat.
> I know that IHS isn’t the suggested webserver to use with Tomcat but 
> it’s in use.
> [error] SSL0266E: Handshake Failed, Could not establish SSL proxy 
> connection
>
> When Tomcat is accessed through webserver url, it throws ‘500’ with 
> the following stack on the IHS Error log:
>
> [Thu Oct 00 09:20:20 2017] [debug] proxy_util.c(2313): proxy: HTTPS: 
> fam 2 socket created to connect to TOMCAT2 [Thu Oct 00 09:20:20 2017] 
> [debug]
> proxy_util.c(2419): proxy: HTTPS: connection complete to  
> TOMCAT-IP:PORT
> (TOMCAT2) [Thu Oct 00 09:20:20 2017] [error] SSL0266E: Handshake 
> Failed, Could not establish SSL proxy connection.
> [Thu Oct 00 09:20:20 2017] [info] [client TOMCAT-IP] [7fa404014a60] 
> [13789]
> SSL0240I: SSL Handshake Failed, Socket has been closed. Client sent 
> fatal alert [level 2 (fatal), description 40 (handshake_failure)] 
> [TOMCAT-IP:PORT
> -> IHS:PORT] [09:20:20.000967434] 0ms [Thu Oct 00 09:20:20 2017] 
> -> [debug]
> [client  TOMCAT-IP] [7fa404014a60] Handshake transcript:
> [Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]   
> [Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]  client_version 
> [Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP] gsksslDissector_8Bits
> [Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]03
> [Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP] 
> gsksslDissector_8Bits
> [Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]03
> [Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]  TLSV12 [Thu 
> Oct 00
> 09:20:20 2017] [debug] [client  TOMCAT-IP]  random [Thu Oct 00 
> 09:20:20 2017] [debug] [client  TOMCAT-IP] gsksslDissector_32Bits
> [Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]9xx
> [Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP] 
> gsksslDissector_Opaque
> [Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]Length: 28
> [Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]1x 62 xx B3 1F 44
> xx 8E D2 xx x7 17 xx 59 x9 x9 .b...D...)...Y..
> [Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]x1 91 19 08 25 xx
> DC xx E1 xx 20 xx %..o.9 x
> [Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]  session_id 
> [Thu Oct
> 00 09:20:20 2017] [debug] [client  TOMCAT-IP]  Length: 00 [Thu Oct 00
> 09:20:20 2017] [debug] [client  TOMCAT-IP

RE: FW: [error] SSL0266E: Handshake Failed, Could not establish SSL proxy connection

2017-10-11 Thread Gali, Vamsi A
Igor,

Thank you for the response!

Since the request is failing at SSL handshake, Tomcat doesn’t even record 
anything not even the access log. I tried enabling debug at tomcat but nothing 
is captured during the request initiation.

Thank you,
Vamsi Gali

-Original Message-
From: Igor Cicimov [mailto:icici...@gmail.com] 
Sent: Wednesday, October 11, 2017 4:09 AM
To: Tomcat Users List
Subject: Re: FW: [error] SSL0266E: Handshake Failed, Could not establish SSL 
proxy connection

On 11 Oct 2017 1:50 am, "Gali, Vamsi A" <vamsi_a_g...@keybank.com.invalid>
wrote:

Hello,

Any help is appreciated on this issue.

Thank you,
Vamsi Gali


-Original Message-----
From: Gali, Vamsi A
Sent: Thursday, October 05, 2017 12:03 PM
To: 'Tomcat Users List'
Subject: RE: [error] SSL0266E: Handshake Failed, Could not establish SSL proxy 
connection

Hello,
I just realized that I didn’t provide the environment info & following are the 
details:

Tomcat:  apache-tomcat-7.0.75
IHS: IHS v8.5.5.x
OS: RHEL

We have IHS→mod_proxy(on IHS) → Tomcat.
I know that IHS isn’t the suggested webserver to use with Tomcat but it’s in 
use.
[error] SSL0266E: Handshake Failed, Could not establish SSL proxy connection

When Tomcat is accessed through webserver url, it throws ‘500’ with the 
following stack on the IHS Error log:



--
What’s done: IHS & Tomcat keystores contain required signers for proper 
communication. During the troubleshooting, I even added IHS server cert as a 
signer into Tomcat keystore and vice-versa but cannot get rid of this error.
Also, tried restricting both IHS & Tomcat to use TLSv1 but no success.

Has anyone run into similar issues? Or ever tried Tomcat with IHS u

FW: [error] SSL0266E: Handshake Failed, Could not establish SSL proxy connection

2017-10-10 Thread Gali, Vamsi A
Hello,

Any help is appreciated on this issue.

Thank you,
Vamsi Gali


-Original Message-
From: Gali, Vamsi A 
Sent: Thursday, October 05, 2017 12:03 PM
To: 'Tomcat Users List'
Subject: RE: [error] SSL0266E: Handshake Failed, Could not establish SSL proxy 
connection

Hello,
I just realized that I didn’t provide the environment info & following are the 
details:

Tomcat:  apache-tomcat-7.0.75
IHS: IHS v8.5.5.x
OS: RHEL

We have IHS→mod_proxy(on IHS) → Tomcat.
I know that IHS isn’t the suggested webserver to use with Tomcat but it’s in 
use.
[error] SSL0266E: Handshake Failed, Could not establish SSL proxy connection 

When Tomcat is accessed through webserver url, it throws ‘500’ with the 
following stack on the IHS Error log:

--
What’s done: IHS & Tomcat keystores contain required signers for proper 
communication. During the troubleshooting, I even added IHS server cert as a 
signer into Tomcat keystore and vice-versa but cannot get rid of this error.
Also, tried restricting both IHS & Tomcat to use TLSv1 but no success. 

Has anyone run into similar issues? Or ever tried Tomcat with IHS using 
mod_proxy module?


Thank you,
Vamsi Gali


This communication may contain privileged and/or confidential information. It 
is intended solely for the use of the addressee. If you are not the intended 
recipient, you are strictly prohibited from disclosing, copying, distributing 
or using any of this information. If you received this communication in error, 
please contact the sender immediately and destroy the material in its entirety, 
whether electronic or hard copy. This communication may contain nonpublic 
personal information about co

RE: [error] SSL0266E: Handshake Failed, Could not establish SSL proxy connection

2017-10-05 Thread Gali, Vamsi A
Hello,
I just realized that I didn’t provide the environment info & following are the 
details:

Tomcat:  apache-tomcat-7.0.75
IHS: IHS v8.5.5.x
OS: RHEL

We have IHS→mod_proxy(on IHS) → Tomcat.
I know that IHS isn’t the suggested webserver to use with Tomcat but it’s in 
use.
[error] SSL0266E: Handshake Failed, Could not establish SSL proxy connection 

When Tomcat is accessed through webserver url, it throws ‘500’ with the 
following stack on the IHS Error log:

[Thu Oct 00 09:20:20 2017] [debug] proxy_util.c(2313): proxy: HTTPS: fam 2 
socket created to connect to TOMCAT2
[Thu Oct 00 09:20:20 2017] [debug] proxy_util.c(2419): proxy: HTTPS: connection 
complete to  TOMCAT-IP:PORT (TOMCAT2)
[Thu Oct 00 09:20:20 2017] [error] SSL0266E: Handshake Failed, Could not 
establish SSL proxy connection.
[Thu Oct 00 09:20:20 2017] [info] [client TOMCAT-IP] [7fa404014a60] [13789] 
SSL0240I: SSL Handshake Failed, Socket has been closed. Client sent fatal alert 
[level 2 (fatal), description 40 (handshake_failure)]  [TOMCAT-IP:PORT -> 
IHS:PORT] [09:20:20.000967434] 0ms
[Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP] [7fa404014a60] Handshake 
transcript:
[Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]
[Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]  client_version
[Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]gsksslDissector_8Bits
[Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]03
[Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]gsksslDissector_8Bits
[Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]03
[Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]  TLSV12
[Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]  random
[Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]gsksslDissector_32Bits
[Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]9xx
[Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]gsksslDissector_Opaque
[Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]Length: 28
[Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]1x 62 xx B3 1F 44 xx 
8E D2 xx x7 17 xx 59 x9 x9 .b...D...)...Y..
[Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]x1 91 19 08 25 xx DC 
xx E1 xx 20 xx %..o.9 x
[Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]  session_id
[Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]  Length: 00
[Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]  cipher_suites
[Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]  Length: 14
[Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]  0x Fx x6 00 00 xx 00 xx 
00 xx 00 xx 00 xx   ..V/.5
[Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]  
tls_ri_scsv,tls_fallback_scsv,tls_rsa_with_rc4_128_sha,tls_rsa_with_aes_128_cbc_sha,tls_rsa_with_aes_256_cbc_sha,tls_rsa_with_3des_ede_cbc_sha,tls_rsa_with_rc4_128_md5
[Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]  compression_methods
[Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]  Length: 01
[Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]  00
.
[Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]  Extensions
[Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]  Length: 00
[Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]   Extension Count: 0
[Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP] end handshake transcript
[Thu Oct 00 09:20:20 2017] [debug] proxy_util.c(2442): proxy: HTTPS: 
pre_connection setup failed (500)
[Thu Oct 00 09:20:20 2017] [debug] proxy_util.c(2022): proxy: HTTPS: has 
released connection for TOMCAT2
--
What’s done: IHS & Tomcat keystores contain required signers for proper 
communication. During the troubleshooting, I even added IHS server cert as a 
signer into Tomcat keystore and vice-versa but cannot get rid of this error.
Also, tried restricting both IHS & Tomcat to use TLSv1 but no success. 

Has anyone run into similar issues? Or ever tried Tomcat with IHS using 
mod_proxy module?


Thank you,
Vamsi Gali



[error] SSL0266E: Handshake Failed, Could not establish SSL proxy connection

2017-10-05 Thread Gali, Vamsi A
Hello,

We have IHS→mod_proxy(on IHS) → Tomcat.
I know that IHS isn’t the suggested webserver to use with Tomcat but it’s in 
use.
[error] SSL0266E: Handshake Failed, Could not establish SSL proxy connection 

When Tomcat is accessed through webserver url, it throws ‘500’ with the 
following stack on the IHS Error log:

[Thu Oct 00 09:20:20 2017] [debug] proxy_util.c(2313): proxy: HTTPS: fam 2 
socket created to connect to TOMCAT2
[Thu Oct 00 09:20:20 2017] [debug] proxy_util.c(2419): proxy: HTTPS: connection 
complete to  TOMCAT-IP:PORT (TOMCAT2)
[Thu Oct 00 09:20:20 2017] [error] SSL0266E: Handshake Failed, Could not 
establish SSL proxy connection.
[Thu Oct 00 09:20:20 2017] [info] [client TOMCAT-IP] [7fa404014a60] [13789] 
SSL0240I: SSL Handshake Failed, Socket has been closed. Client sent fatal alert 
[level 2 (fatal), description 40 (handshake_failure)]  [TOMCAT-IP:PORT -> 
IHS:PORT] [09:20:20.000967434] 0ms
[Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP] [7fa404014a60] Handshake 
transcript:
[Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]  
[Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]  client_version
[Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]gsksslDissector_8Bits
[Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]03
[Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]gsksslDissector_8Bits
[Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]03
[Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]  TLSV12
[Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]  random
[Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]gsksslDissector_32Bits
[Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]9xx
[Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]gsksslDissector_Opaque
[Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]Length: 28
[Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]1x 62 xx B3 1F 44 xx 
8E D2 xx x7 17 xx 59 x9 x9 .b...D...)...Y..
[Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]x1 91 19 08 25 xx DC 
xx E1 xx 20 xx %..o.9 x
[Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]  session_id
[Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]  Length: 00
[Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]  cipher_suites
[Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]  Length: 14
[Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]  0x Fx x6 00 00 xx 00 xx 
00 xx 00 xx 00 xx   ..V/.5
[Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]  
tls_ri_scsv,tls_fallback_scsv,tls_rsa_with_rc4_128_sha,tls_rsa_with_aes_128_cbc_sha,tls_rsa_with_aes_256_cbc_sha,tls_rsa_with_3des_ede_cbc_sha,tls_rsa_with_rc4_128_md5
[Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]  compression_methods
[Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]  Length: 01
[Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]  00  
.
[Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]  Extensions
[Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]  Length: 00
[Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]   Extension Count: 0
[Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP] end handshake transcript
[Thu Oct 00 09:20:20 2017] [debug] proxy_util.c(2442): proxy: HTTPS: 
pre_connection setup failed (500)
[Thu Oct 00 09:20:20 2017] [debug] proxy_util.c(2022): proxy: HTTPS: has 
released connection for TOMCAT2
--
What’s done: IHS & Tomcat keystores contain required signers for proper 
communication. During the troubleshooting, I even added IHS server cert as a 
signer into Tomcat keystore and vice-versa but cannot get rid of this error.
Also, tried restricting both IHS & Tomcat to use TLSv1 but no success. 

Has anyone run into similar issues? Or ever tried Tomcat with IHS using 
mod_proxy module?


Thank you,
Vamsi Gali
Web Systems Services
Ph: 214-416-3128
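
One way to read the IHS handshake transcript posted in this thread, as an added example (not code from the thread, IHS or Tomcat): it extracts the fatal alert and the cipher suites the ClientHello offered, then intersects them with a server-side list. The two server lists and all function names are hypothetical, since the thread does not show Tomcat's connector configuration; the log sample is re-joined from the transcript above.

```python
import re

# Constructed sample: entries from the IHS transcript quoted in this thread,
# with e-mail line wraps re-joined so that each log entry is one line.
P = "[Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]  "
SAMPLE_LOG = "\n".join([
    "[Thu Oct 00 09:20:20 2017] [info] [client TOMCAT-IP] [7fa404014a60] [13789] "
    "SSL0240I: SSL Handshake Failed, Socket has been closed. Client sent fatal alert "
    "[level 2 (fatal), description 40 (handshake_failure)]",
    P + "cipher_suites",
    P + "Length: 14",
    P + "tls_ri_scsv,tls_fallback_scsv,tls_rsa_with_rc4_128_sha,"
        "tls_rsa_with_aes_128_cbc_sha,tls_rsa_with_aes_256_cbc_sha,"
        "tls_rsa_with_3des_ede_cbc_sha,tls_rsa_with_rc4_128_md5",
    P + "compression_methods",
    P + "Length: 01",
    P + " Extension Count: 0",
])

SCSV = {"tls_ri_scsv", "tls_fallback_scsv"}  # signalling values, not real ciphers

# Hypothetical server-side lists (assumptions; not taken from the thread).
ECDHE_ONLY = ["TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
              "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"]
WITH_RSA = ECDHE_ONLY + ["TLS_RSA_WITH_AES_128_CBC_SHA"]

def parse_transcript(log):
    """Extract the fatal alert and the ClientHello cipher list from the log."""
    out = {"alert": None, "declared_len": None, "offered": [],
           "signalling": [], "extensions": None}
    section = None
    for line in log.splitlines():
        m = re.search(r"alert \[level (\d+) \(\w+\), description (\d+) \((\w+)\)\]", line)
        if m:
            out["alert"] = (int(m.group(1)), int(m.group(2)), m.group(3))
            continue
        body = re.sub(r"^(\[[^\]]*\]\s*)+", "", line).strip()  # drop [...] prefixes
        if re.fullmatch(r"tls_[a-z0-9_]+(,tls_[a-z0-9_]+)*", body):
            names = body.split(",")
            out["signalling"] = [n for n in names if n in SCSV]
            out["offered"] = [n for n in names if n not in SCSV]
        elif body.startswith("Length:") and section == "cipher_suites":
            out["declared_len"] = int(body.split(":")[1])  # bytes, 2 per suite
        elif body.startswith("Extension Count:"):
            out["extensions"] = int(body.split(":")[1])
        elif re.fullmatch(r"[A-Za-z_]+", body):
            section = body  # field name such as cipher_suites, compression_methods
    return out

def normalize(name):
    """GSKit logs lower-case names; Java 8 names some suites SSL_*, others TLS_*."""
    return re.sub(r"^(TLS|SSL)_", "", name.upper())

def shared_suites(offered, server_enabled):
    """Suites from the ClientHello that the server list also enables."""
    enabled = {normalize(s) for s in server_enabled}
    return [s for s in offered if normalize(s) in enabled]

if __name__ == "__main__":
    hello = parse_transcript(SAMPLE_LOG)
    print("alert:", hello["alert"], "extensions:", hello["extensions"])
    print("offered:", hello["offered"])
    print("shared with ECDHE-only list:", shared_suites(hello["offered"], ECDHE_ONLY))
    print("shared with list incl. RSA:", shared_suites(hello["offered"], WITH_RSA))
```

The declared length (14 bytes) matches the seven two-byte entries on the name line, which confirms the list was parsed whole.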



