Re: FW: [error] SSL0266E: Handshake Failed, Could not establish SSL proxy connection

2017-10-12 Thread Christopher Schultz

Vamsi,

On 10/12/17 11:06 AM, Gali, Vamsi A wrote:
> This issue is now RESOLVED.

Great.

> On IHS (IBM HTTP Server, IBM version of Apache Webserver), we only
> had 2 TLS ciphers that are not compatible with Tomcat TLSv1.2. So I
> added "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256" to IHS httpd.conf
> by looking at this:
> https://www.ibm.com/support/knowledgecenter/en/SSEQTJ_8.5.5/com.ibm.websphere.ihs.doc/ihs/rihs_ciphspec.html
> and IHS can communicate with Tomcat W/O any issues. Woohoo!
> 
> The reason I picked the above cipher is because it's on the list
> of ciphers tomcat's JVM supports.

I would recommend that you configure IHS to support *multiple* cipher
suites instead of just the one. I would also recommend using GCM mode
instead of CBC mode if you can do so.

> Igor, I couldn’t use one of the java based cipher tools so used a
> small script to get a list of ciphers available for a jvm (this can
> be used for any Linux server as long as openssl is available):
> 
> #!/bin/sh
> for v in tls1_2; do
>   for c in $(openssl ciphers 'ALL:eNULL' | tr ':' ' '); do
>     openssl s_client -connect SERVERNAME:https_port \
>       -cipher "$c" -$v < /dev/null > /dev/null 2>&1 \
>       && printf '%s:\t%s\n' "$v" "$c"
>   done
> done

The output of the above command has absolutely nothing to do with the
cipher suites Java supports. In order to determine what Java supports,
you must use a Java-based tool.

(Unless you are using APR, but you are clearly using Java BIO.)

> I executed above script to find out a list of ciphers on Tomcat's
> jvm and based on that I chose to use
> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 on IHS.
> 
> I appreciate all the help on finding me the true issue!

Glad you got it done but it's clear there is still some confusion.

- -chris



RE: FW: [error] SSL0266E: Handshake Failed, Could not establish SSL proxy connection

2017-10-12 Thread Gali, Vamsi A
This issue is now RESOLVED.

On IHS (IBM HTTP Server, IBM version of Apache Webserver), we only had 2 TLS 
ciphers that are not compatible with Tomcat TLSv1.2. So I added 
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256" to IHS httpd.conf by looking at this: 
https://www.ibm.com/support/knowledgecenter/en/SSEQTJ_8.5.5/com.ibm.websphere.ihs.doc/ihs/rihs_ciphspec.html
and IHS can communicate with Tomcat W/O any issues. Woohoo!

The reason I picked the above cipher is because it's on the list of ciphers 
tomcat's JVM supports.

Igor, I couldn’t use one of the java based cipher tools so used a small script 
to get a list of ciphers available for a jvm (this can be used for any Linux 
server as long as openssl is available):

#!/bin/sh
# Prints each OpenSSL cipher name that the server at SERVERNAME:https_port
# accepts for the protocol version(s) listed in the outer loop.
for v in tls1_2; do
  for c in $(openssl ciphers 'ALL:eNULL' | tr ':' ' '); do
    openssl s_client -connect SERVERNAME:https_port \
      -cipher "$c" -$v < /dev/null > /dev/null 2>&1 \
      && printf '%s:\t%s\n' "$v" "$c"   # printf instead of echo -e: portable in /bin/sh
  done
done

I executed above script to find out a list of ciphers on Tomcat's jvm and based 
on that I chose to use TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 on IHS.

I appreciate all the help on finding me the true issue!

Thank you,
Vamsi Gali



Re: FW: [error] SSL0266E: Handshake Failed, Could not establish SSL proxy connection

2017-10-12 Thread tomcat

On 12.10.2017 15:33, Gali, Vamsi A wrote:

> :)
> IHS is IBM HTTP Server.
>
> Thank you,


Thank you too. I feel a lot less like a dummy now.
And after reading a bit on "IHS" now, it would seem that this is at least 90% Apache httpd 
2.2, which may make it clearer to other people that maybe they could help too.






RE: FW: [error] SSL0266E: Handshake Failed, Could not establish SSL proxy connection

2017-10-12 Thread Gali, Vamsi A
:)
IHS is IBM HTTP Server.

Thank you,


Re: FW: [error] SSL0266E: Handshake Failed, Could not establish SSL proxy connection

2017-10-12 Thread tomcat

And for the rest of us dummies trying to follow this conversation, what might 
"IHS" be ?
Whatever Google returns doesn't seem really relevant.


RE: FW: [error] SSL0266E: Handshake Failed, Could not establish SSL proxy connection

2017-10-12 Thread Gali, Vamsi A
Igor,
Thank you for suggesting me to turn on the ssl debug. We are using Java 1.8 
which by default uses TLS1.2. Looks like both IHS & Tomcat are using tls1.2 but 
there is a cipher mismatch. We have Tam directly connecting to Tomcat and the 
connectivity works w/o any SSL handshake errors. Hence, I'm suspecting IHS and 
will be trying by adding same tls1.2 ciphers that Tomcat/java supports.

Thank you,
Vamsi Gali



Re: FW: [error] SSL0266E: Handshake Failed, Could not establish SSL proxy connection

2017-10-11 Thread Igor Cicimov
Also, since you are using JSSE in your tomcat connector, you never
mentioned the Java version you are using? From the logs looks like IHS
offers TLSv1.2 ciphers but tomcat does not support them so maybe you are
running an outdated version of Java, maybe 1.6?

There are some tools out there you can use to find the default SSL/TLS cipher
suites that the JVM will use (and I think I've seen one from Christopher
Schultz). The tool should provide you with output like this:

$ java Ciphers
DefaultCipher
 SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
*SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
 SSL_DHE_DSS_WITH_DES_CBC_SHA
 SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
*SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
 SSL_DHE_RSA_WITH_DES_CBC_SHA
 SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA
 SSL_DH_anon_WITH_3DES_EDE_CBC_SHA
 SSL_DH_anon_WITH_DES_CBC_SHA
 SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
*SSL_RSA_WITH_3DES_EDE_CBC_SHA
 SSL_RSA_WITH_DES_CBC_SHA
 SSL_RSA_WITH_NULL_MD5
 SSL_RSA_WITH_NULL_SHA
*TLS_DHE_DSS_WITH_AES_128_CBC_SHA
*TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
*TLS_DHE_DSS_WITH_AES_128_GCM_SHA256
*TLS_DHE_RSA_WITH_AES_128_CBC_SHA
*TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
*TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
 TLS_DH_anon_WITH_AES_128_CBC_SHA
 TLS_DH_anon_WITH_AES_128_CBC_SHA256
 TLS_DH_anon_WITH_AES_128_GCM_SHA256
...

then pick up one of the supported default ciphers (marked with star) and
use it in IHS (as it is or translated in IHS way, no idea about that) so
you get a match. I know nothing about IHS so can't help there.

If that doesn't work then I would say IHS does some funky stuff with the
cipher suites in a way that tomcat can't understand them.

Igor
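A Java-based check of the kind Igor describes above and Chris asks for in his reply (only JSSE itself can say what JSSE supports), added here as an example; it is not the Ciphers tool Igor mentions nor any code from the thread. It prints this JVM's supported suites with the same star-marks-default layout as Igor's output, then classifies the suites IHS offered in the ClientHello from the debug log (plus the suite Vamsi later added) as enabled, supported-but-disabled, or unsupported, and lists the enabled ECDHE/GCM suites Chris recommends preferring. The class name JsseCipherCheck is assumed; run it with the JVM Tomcat uses, optionally passing other suite names as arguments.

```java
import java.security.NoSuchAlgorithmException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.Set;
import java.util.TreeSet;

import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;

/**
 * Added example (not code from the thread): ask the running JVM's JSSE which
 * cipher suites it supports and which it enables by default, then check a list
 * of suite names against that. Run it with the same JVM Tomcat runs on.
 */
public class JsseCipherCheck {

    /** Suites IHS offered in the ClientHello from the debug log in this thread.
     *  TLS_EMPTY_RENEGOTIATION_INFO_SCSV and "Unknown 0x56:0x0" (TLS_FALLBACK_SCSV)
     *  are signalling values, not negotiable suites, so they are left out. The last
     *  entry is the suite Vamsi later added on the IHS side. */
    static final String[] THREAD_SUITES = {
        "SSL_RSA_WITH_RC4_128_SHA",
        "TLS_RSA_WITH_AES_128_CBC_SHA",
        "TLS_RSA_WITH_AES_256_CBC_SHA",
        "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
        "SSL_RSA_WITH_RC4_128_MD5",
        "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    };

    public static void main(String[] args) throws NoSuchAlgorithmException {
        SSLContext ctx = SSLContext.getDefault();
        SSLParameters supportedParams = ctx.getSupportedSSLParameters();
        SSLParameters defaultParams = ctx.getDefaultSSLParameters();
        Set<String> supported = new TreeSet<String>(Arrays.asList(supportedParams.getCipherSuites()));
        Set<String> enabled = new TreeSet<String>(Arrays.asList(defaultParams.getCipherSuites()));

        System.out.println("Default protocols: " + Arrays.toString(defaultParams.getProtocols()));

        // Same layout as the Ciphers output quoted by Igor: '*' marks suites enabled by default.
        System.out.println("DefaultCipher");
        for (String suite : supported) {
            System.out.println((enabled.contains(suite) ? "*" : " ") + suite);
        }

        // Check what the peer offers (taken from its ClientHello) against this JVM.
        String[] toCheck = args.length > 0 ? args : THREAD_SUITES;
        System.out.println();
        System.out.println("Peer-offered suites vs. this JVM:");
        for (String suite : toCheck) {
            System.out.printf("  %-45s %s%n", suite, classify(suite, supported, enabled));
        }

        // Candidates to configure on the IHS side, following Chris's advice:
        // several suites, forward-secret (ECDHE) and AEAD (GCM) rather than CBC.
        System.out.println();
        System.out.println("Enabled ECDHE/GCM suites to offer from IHS:");
        for (String suite : preferred(enabled)) {
            System.out.println("  " + suite);
        }
    }

    /** Explains why a single suite name would or would not be negotiated by this JVM. */
    static String classify(String suite, Set<String> supported, Set<String> enabled) {
        if (enabled.contains(suite)) {
            return "enabled by default";
        }
        if (supported.contains(suite)) {
            // Typically switched off through jdk.tls.disabledAlgorithms in java.security,
            // or narrowed further by the connector's ciphers attribute in server.xml.
            return "supported but disabled by default";
        }
        return "not supported by this JVM";
    }

    /** Enabled suites that use ephemeral ECDH key exchange and AES-GCM. */
    static List<String> preferred(Set<String> enabled) {
        List<String> out = new ArrayList<String>();
        for (String suite : enabled) {
            if (suite.startsWith("TLS_ECDHE_") && suite.contains("_GCM_")) {
                out.add(suite);
            }
        }
        return out;
    }
}
```

A suite reported as "enabled by default" here can still be absent from the handshake if the Tomcat connector's ciphers attribute restricts the list, so compare against server.xml as well.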


RE: FW: [error] SSL0266E: Handshake Failed, Could not establish SSL proxy connection

2017-10-11 Thread Igor Cicimov
On 12 Oct 2017 8:25 am, "Gali, Vamsi A" wrote:

The debug log produced following & it's evident that handshake is failing
due to no cipher suites in common.

[...]
*** ClientHello, TLSv1.2
[...]
Cipher Suites: [TLS_EMPTY_RENEGOTIATION_INFO_SCSV, Unknown 0x56:0x0, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_RC4_128_MD5]
[...]
http-bio--exec-2, SEND TLSv1.2 ALERT:  fatal, description = handshake_failure
[...]
http-bio--exec-2, handling exception: javax.net.ssl.SSLHandshakeException: no cipher suites in common

There you go, no comment needed.


RE: FW: [error] SSL0266E: Handshake Failed, Could not establish SSL proxy connection

2017-10-11 Thread Gali, Vamsi A
The debug log produced the following & it's evident that the handshake is failing due 
to no cipher suites in common.

Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
http-bio--Acceptor-0, setSoTimeout(6) called
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 for TLSv1
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for TLSv1.1
http-bio--exec-2, READ: TLSv1.2 Handshake, length = 57
*** ClientHello, TLSv1.2
RandomCookie:  GMT: -2042962343 bytes = { 199, 95, 13, 144, 113, 194, 145, 53, 176, 117, 165, 93, 196, 76, 17, 104, 214, 95, 96, 238, 97, 6, 240, 239, 53, 188, 180, 41 }
Session ID:  {}
Cipher Suites: [TLS_EMPTY_RENEGOTIATION_INFO_SCSV, Unknown 0x56:0x0, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_RC4_128_MD5]
Compression Methods:  { 0 }
***
%% Initialized:  [Session-13, SSL_NULL_WITH_NULL_NULL]
%% Invalidated:  [Session-13, SSL_NULL_WITH_NULL_NULL]
http-bio--exec-2, SEND TLSv1.2 ALERT:  fatal, description = handshake_failure
http-bio--exec-2, WRITE: TLSv1.2 Alert, length = 2
http-bio--exec-2, called closeSocket()
http-bio--exec-2, handling exception: javax.net.ssl.SSLHandshakeException: no cipher suites in common
http-bio--exec-2, IOException in getSession():  javax.net.ssl.SSLHandshakeException: no cipher suites in common
http-bio--exec-2, called close()
http-bio--exec-2, called closeInternal(true)

Thank you,
Vamsi Gali
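Added example, written for this page and not taken from any message in the thread: a small Python script that reads javax.net.debug=ssl output like the log above, pulls the cipher suites out of the ClientHello line (which wraps over several lines in the archive, so the parser tolerates that), and intersects that offer with a server-side enabled list. Note that the "Ignoring unsupported cipher suite: ... for TLSv1" lines only show suites JSSE drops for older protocol versions, not the server's full enabled set, so that list has to come from the server JVM itself; here it is an assumption (a Tomcat whose JSSE only enables ECDHE suites, labelled as such in the code) and the log excerpt is a constructed copy of the lines posted above. An empty intersection is exactly what makes JSSE send the fatal handshake_failure alert and log "no cipher suites in common". The function names (offered_suites, common_suites, diagnose) are mine.

```python
import re

# Constructed excerpt of javax.net.debug=ssl output, copied from the lines
# quoted in this thread; the ClientHello suite list wraps across lines in the
# archive exactly like this, so the parser has to tolerate that.
SAMPLE_JSSE_LOG = """\
http-bio--exec-2, READ: TLSv1.2 Handshake, length = 57
*** ClientHello, TLSv1.2
Session ID:  {}
Cipher Suites: [TLS_EMPTY_RENEGOTIATION_INFO_SCSV, Unknown 0x56:0x0,
SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA,
TLS_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA,
SSL_RSA_WITH_RC4_128_MD5]
Compression Methods:  { 0 }
***
http-bio--exec-2, SEND TLSv1.2 ALERT:  fatal, description = handshake_failure
http-bio--exec-2, handling exception: javax.net.ssl.SSLHandshakeException: no cipher suites in common
"""

# Signalling code points that look like suites but cannot be negotiated
# (RFC 5746 renegotiation SCSV, RFC 7507 fallback SCSV).
SIGNALLING = {"TLS_EMPTY_RENEGOTIATION_INFO_SCSV", "TLS_FALLBACK_SCSV"}

# Substrings that mark a suite as weak by today's standards.
WEAK_MARKERS = ("RC4", "3DES", "_MD5", "NULL", "EXPORT")


def offered_suites(log_text):
    """Cipher suites from the first ClientHello in javax.net.debug output,
    in the client's preference order."""
    m = re.search(r"Cipher Suites: \[(.*?)\]", log_text, re.S)
    if not m:
        raise ValueError("no ClientHello cipher suite list found")
    names = [n.strip() for n in m.group(1).replace("\n", " ").split(",")]
    # Older JSSE versions do not know 0x5600 and print it as "Unknown 0x56:0x0".
    return ["TLS_FALLBACK_SCSV" if n == "Unknown 0x56:0x0" else n
            for n in names if n]


def jsse_to_iana(name):
    """JSSE keeps an SSL_ prefix on some suites; the IANA name is the same
    suite with a TLS_ prefix, so normalise before comparing."""
    return "TLS_" + name[4:] if name.startswith("SSL_") else name


def common_suites(client_offer, server_enabled):
    """Suites both sides can use, in client order. An empty result is what
    makes JSSE send the fatal handshake_failure alert and log
    'no cipher suites in common'."""
    enabled = {jsse_to_iana(s) for s in server_enabled}
    return [s for s in client_offer
            if s not in SIGNALLING and jsse_to_iana(s) in enabled]


def weak_suites(suites):
    return [s for s in suites if any(w in s for w in WEAK_MARKERS)]


# Assumed server-side list (NOT from the thread): a Tomcat/JSSE that only has
# forward-secret ECDHE suites enabled, so nothing in an RSA-key-exchange-only
# offer can match. Replace with the list the server JVM actually reports.
ASSUMED_SERVER_ENABLED = [
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
]


def diagnose(log_text, server_enabled):
    offer = offered_suites(log_text)
    return {
        "offered": offer,
        "common": common_suites(offer, server_enabled),
        "weak_offered": weak_suites(offer),
        "alert_seen": "handshake_failure" in log_text,
    }


if __name__ == "__main__":
    r = diagnose(SAMPLE_JSSE_LOG, ASSUMED_SERVER_ENABLED)
    print("client offered :", r["offered"])
    print("in common      :", r["common"] or "none -> handshake_failure")
    print("weak in offer  :", r["weak_offered"])
```

Run against the real server list, the script tells you in one line whether the proxy's offer can ever succeed and which of the offered suites (RC4, 3DES, MD5 here) you would not want it to succeed with anyway; adding a single RSA-key-exchange suite such as TLS_RSA_WITH_AES_128_CBC_SHA to the assumed server list makes the intersection non-empty, which is the other direction the mismatch can be fixed from.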



RE: FW: [error] SSL0266E: Handshake Failed, Could not establish SSL proxy connection

2017-10-11 Thread Gali, Vamsi A
I see what Igor has suggested and I will be reproducing the issue by adding  
'-Djavax.net.debug=ssl' to setenv.sh's JAVA_OPTS.  Thank you!

Thank you,
Vamsi Gali



Re: FW: [error] SSL0266E: Handshake Failed, Could not establish SSL proxy connection

2017-10-11 Thread Mark Thomas
On 11/10/2017 14:05, Gali, Vamsi A wrote:
> Igor,
> 
> Thank you for the response!
> 
> Since the request is failing at the SSL handshake, Tomcat doesn’t even record 
> anything, not even the access log. I tried enabling debug at Tomcat but 
> nothing is captured during the request initiation.

Re-read the suggestion. You need to enable the JRE provided SSL
debugging, not Tomcat debug logging.

Check your JVM docs for how to do that.

Mark


RE: FW: [error] SSL0266E: Handshake Failed, Could not establish SSL proxy connection

2017-10-11 Thread Gali, Vamsi A
Yes, Siva. 
Both IHS & Tomcat keystores are added with correct CA certs.

Webserver Config:

Include "rewrites.conf"
SSLEnable
Include "cipher.conf"
Keyfile Key-File
# tomcat balancer and proxy section
ProxyRequests Off
SSLProxyEngine on

 
 BalancerMember https://Tomcat1:https-port/app1 route=app1_01
 BalancerMember https://Tomcat2:https-port/app1 route=app1_02

 ProxyPassReverse /app1 balancer://app1
 ProxyPass /app1 balancer://app1 stickysession=JSESSIONID|jsessionid


Tomcat SSL Connector:

  

We haven’t specified the list of ciphers for Tomcat and it's set to TLS for the SSL 
protocol.


Thank you,
Vamsi Gali


-Original Message-
From: shivashankar manukondu [mailto:sivasankar.m...@gmail.com] 
Sent: Wednesday, October 11, 2017 10:02 AM
To: Tomcat Users List
Subject: Re: FW: [error] SSL0266E: Handshake Failed, Could not establish SSL 
proxy connection

Hi,

Can you post the web and tomcat servers configuration files.

I hope you have added CA root certificate to the backend truststore?

Regards,
Siva


Re: FW: [error] SSL0266E: Handshake Failed, Could not establish SSL proxy connection

2017-10-11 Thread shivashankar manukondu
Hi,

Can you post the web and Tomcat servers' configuration files?

I hope you have added CA root certificate to the backend truststore?

Regards,
Siva

On Wed, Oct 11, 2017 at 3:05 PM, Gali, Vamsi A <
vamsi_a_g...@keybank.com.invalid> wrote:

> Igor,
>
> Thank you for the response!
>
> Since the request is failing at the SSL handshake, Tomcat doesn’t even record
> anything, not even the access log. I tried enabling debug at Tomcat but
> nothing is captured during the request initiation.
>
> Thank you,
> Vamsi Gali

RE: FW: [error] SSL0266E: Handshake Failed, Could not establish SSL proxy connection

2017-10-11 Thread Gali, Vamsi A
Igor,

Thank you for the response!

Since the request is failing at the SSL handshake, Tomcat doesn’t even record 
anything, not even the access log. I tried enabling debug at Tomcat but nothing 
is captured during the request initiation.

Thank you,
Vamsi Gali


Re: FW: [error] SSL0266E: Handshake Failed, Could not establish SSL proxy connection

2017-10-11 Thread Igor Cicimov
On 11 Oct 2017 1:50 am, "Gali, Vamsi A" 
wrote:

Hello,

Any help is appreciated on this issue.

Thank you,
Vamsi Gali


-Original Message-
From: Gali, Vamsi A
Sent: Thursday, October 05, 2017 12:03 PM
To: 'Tomcat Users List'
Subject: RE: [error] SSL0266E: Handshake Failed, Could not establish SSL
proxy connection

Hello,
I just realized that I didn’t provide the environment info & following are
the details:

Tomcat:  apache-tomcat-7.0.75
IHS: IHS v8.5.5.x
OS: RHEL

We have IHS→mod_proxy(on IHS) → Tomcat.
I know that IHS isn’t the suggested webserver to use with Tomcat but it’s
in use.
[error] SSL0266E: Handshake Failed, Could not establish SSL proxy connection

When Tomcat is accessed through webserver url, it throws ‘500’ with the
following stack on the IHS Error log:

[Thu Oct 00 09:20:20 2017] [debug] proxy_util.c(2313): proxy: HTTPS: fam 2 socket created to connect to TOMCAT2
[Thu Oct 00 09:20:20 2017] [debug] proxy_util.c(2419): proxy: HTTPS: connection complete to  TOMCAT-IP:PORT (TOMCAT2)
[Thu Oct 00 09:20:20 2017] [error] SSL0266E: Handshake Failed, Could not establish SSL proxy connection.
[Thu Oct 00 09:20:20 2017] [info] [client TOMCAT-IP] [7fa404014a60] [13789] SSL0240I: SSL Handshake Failed, Socket has been closed. Client sent fatal alert [level 2 (fatal), description 40 (handshake_failure)] [TOMCAT-IP:PORT -> IHS:PORT] [09:20:20.000967434] 0ms
[Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP] [7fa404014a60] Handshake transcript:
[Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]
[Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]  client_version
[Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP] gsksslDissector_8Bits
[Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]03
[Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP] gsksslDissector_8Bits
[Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]03
[Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]  TLSV12
[Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]  random
[Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP] gsksslDissector_32Bits
[Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]9xx
[Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP] gsksslDissector_Opaque
[Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]Length: 28
[Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]1x 62 xx B3 1F 44 xx 8E D2 xx x7 17 xx 59 x9 x9 .b...D...)...Y..
[Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]x1 91 19 08 25 xx DC xx E1 xx 20 xx %..o.9 x
[Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]  session_id
[Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]  Length: 00
[Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]  cipher_suites
[Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]  Length: 14
[Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]  0x Fx x6 00 00 xx 00 xx 00 xx 00 xx 00 xx   ..V/.5
[Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP] tls_ri_scsv,tls_fallback_scsv,tls_rsa_with_rc4_128_sha,tls_rsa_with_aes_128_cbc_sha,tls_rsa_with_aes_256_cbc_sha,tls_rsa_with_3des_ede_cbc_sha,tls_rsa_with_rc4_128_md5
[Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]  compression_methods
[Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]  Length: 01
[Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]  00 .
[Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]  Extensions
[Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]  Length: 00
[Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]   Extension Count: 0
[Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP] end handshake transcript
[Thu Oct 00 09:20:20 2017] [debug] proxy_util.c(2442): proxy: HTTPS: pre_connection setup failed (500)
[Thu Oct 00 09:20:20 2017] [debug] proxy_util.c(2022): proxy: HTTPS: has released connection for TOMCAT2


--
What’s done: IHS & Tomcat keystores contain required signers for proper
communication. During the troubleshooting, I even added IHS server cert as
a signer into Tomcat keystore and vice-versa but cannot get rid of this
error.
Also, tried restricting both IHS & Tomcat to use TLSv1 but no success.

Has anyone run into similar issues? Or ever tried Tomcat with IHS using the
mod_proxy module?


Thank you,
Vamsi Gali
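Added example, not part of the thread: a parser for the raw ClientHello body that the IHS (GSKit) handshake transcript above dissects field by field, so the bytes can be checked independently of either side's debug output. The sample input is constructed from the transcript: client_version 03 03, a 32-byte random (4-byte gmt_unix_time plus 28 opaque bytes; the real value was redacted in the post, so zeros stand in), an empty session_id, a 14-byte cipher_suites vector holding the seven entries listed (the ASCII column "..V/.5" in the transcript is 0x56 "V" from TLS_FALLBACK_SCSV, 0x2F "/" from TLS_RSA_WITH_AES_128_CBC_SHA and 0x35 "5" from TLS_RSA_WITH_AES_256_CBC_SHA), and one null compression method. With no extensions block the body is 53 bytes, which plus the 4-byte Handshake header is the 57-byte handshake the Tomcat-side JSSE log in this thread reports, so the sample omits the block; the parser accepts either form. The code point table, helper names and build_client_hello are mine.

```python
import struct

# IANA code points for the suites that appear in this thread plus two ECDHE
# suites a current server would typically offer.
SUITE_NAMES = {
    0x00FF: "TLS_EMPTY_RENEGOTIATION_INFO_SCSV",  # RFC 5746 signalling value
    0x5600: "TLS_FALLBACK_SCSV",                  # RFC 7507 signalling value
    0x0004: "TLS_RSA_WITH_RC4_128_MD5",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0xC027: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
}


def parse_client_hello(body):
    """Parse a ClientHello body (the bytes after the 4-byte Handshake header).
    Field order follows RFC 5246 section 7.4.1.2; raises ValueError on
    truncated or malformed input instead of reading past the end."""
    pos = 0

    def take(n):
        nonlocal pos
        if pos + n > len(body):
            raise ValueError("truncated ClientHello at offset %d" % pos)
        chunk = body[pos:pos + n]
        pos += n
        return chunk

    major, minor = take(2)                       # client_version, e.g. 03 03
    client_random = take(32)                     # gmt_unix_time(4) + 28 opaque
    session_id = take(take(1)[0])                # length-prefixed, 0..32 bytes
    (cs_len,) = struct.unpack("!H", take(2))
    if cs_len % 2:
        raise ValueError("cipher_suites length must be even")
    suites = list(struct.unpack("!%dH" % (cs_len // 2), take(cs_len)))
    compression = list(take(take(1)[0]))         # length-prefixed method list
    extensions = []
    if pos < len(body):                          # extensions block is optional
        (ext_len,) = struct.unpack("!H", take(2))
        end = pos + ext_len
        while pos < end:
            ext_type, ext_data_len = struct.unpack("!HH", take(4))
            take(ext_data_len)
            extensions.append(ext_type)
    return {
        "version": (major, minor),
        "random": client_random,
        "session_id": session_id,
        "cipher_suites": suites,
        "compression": compression,
        "extensions": extensions,
    }


def is_well_formed(body):
    try:
        parse_client_hello(body)
        return True
    except ValueError:
        return False


def suite_names(codes):
    return [SUITE_NAMES.get(c, "UNKNOWN_0x%04X" % c) for c in codes]


def build_client_hello(suites, client_random=b"\x00" * 32,
                       with_empty_extensions=False):
    """Assemble a TLS 1.2 ClientHello body with no session id and a single
    null compression method; used here only to construct test input."""
    cs = b"".join(struct.pack("!H", s) for s in suites)
    body = (b"\x03\x03" + client_random + b"\x00"
            + struct.pack("!H", len(cs)) + cs + b"\x01\x00")
    return body + (b"\x00\x00" if with_empty_extensions else b"")


# Constructed sample: the seven entries the IHS transcript lists (Length: 14).
# The real random was redacted in the thread, so zeros stand in for it.
SAMPLE_HELLO = build_client_hello(
    [0x00FF, 0x5600, 0x0005, 0x002F, 0x0035, 0x000A, 0x0004])


if __name__ == "__main__":
    ch = parse_client_hello(SAMPLE_HELLO)
    print("version", ch["version"], "handshake length", len(SAMPLE_HELLO) + 4)
    for name in suite_names(ch["cipher_suites"]):
        print("  ", name)
```

Feed it the bytes from a packet capture of the IHS-to-Tomcat connection (everything after the 4-byte Handshake header of the first record) and the decoded list should match the transcript: two signalling values and five RSA-key-exchange suites, three of them RC4 or 3DES based, and nothing with ECDHE or DHE key exchange.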

