Hi, Can you post the web and tomcat servers configuration files.
I hope you have added CA root certificate to the backend truststore? Regards, Siva On Wed, Oct 11, 2017 at 3:05 PM, Gali, Vamsi A < vamsi_a_g...@keybank.com.invalid> wrote: > Igor, > > Thank you for the response! > > Since the request is failing at SSL handshake, Tomcat doesn’t even record > anything not even the access log. I tried enabling debug at tomcat but > nothing is captured during the request initiation. > > Thank you, > Vamsi Gali > > -----Original Message----- > From: Igor Cicimov [mailto:icici...@gmail.com] > Sent: Wednesday, October 11, 2017 4:09 AM > To: Tomcat Users List > Subject: Re: FW: [error] SSL0266E: Handshake Failed, Could not establish > SSL proxy connection > > On 11 Oct 2017 1:50 am, "Gali, Vamsi A" <vamsi_a_g...@keybank.com.invalid> > wrote: > > Hello, > > Any help is appreciated on this issue. > > Thank you, > Vamsi Gali > > > -----Original Message----- > From: Gali, Vamsi A > Sent: Thursday, October 05, 2017 12:03 PM > To: 'Tomcat Users List' > Subject: RE: [error] SSL0266E: Handshake Failed, Could not establish SSL > proxy connection > > Hello, > I just realized that I didn’t provide the environment info & following are > the details: > > Tomcat: apache-tomcat-7.0.75 > IHS: HIS v8.5.5.x > OS: RHEL > > We have IHS→mod_proxy(on IHS) → Tomcat. > I know that IHS isn’t the suggested webserver to use with Tomcat but it’s > in use. > [error] SSL0266E: Handshake Failed, Could not establish SSL proxy > connection > > When Tomcat is accessed through webserver url, it throws ‘500’ with the > following stack on the IHS Error log: > > [Thu Oct 00 09:20:20 2017] [debug] proxy_util.c(2313): proxy: HTTPS: fam 2 > socket created to connect to TOMCAT2 [Thu Oct 00 09:20:20 2017] [debug] > proxy_util.c(2419): proxy: HTTPS: connection complete to TOMCAT-IP:PORT > (TOMCAT2) [Thu Oct 00 09:20:20 2017] [error] SSL0266E: Handshake Failed, > Could not establish SSL proxy connection. > [Thu Oct 00 09:20:20 2017] [info] [client TOMCAT-IP] [7fa404014a60] [13789] > SSL0240I: SSL Handshake Failed, Socket has been closed. Client sent fatal > alert [level 2 (fatal), description 40 (handshake_failure)] [TOMCAT-IP:PORT > -> IHS:PORT] [09:20:20.000967434] 0ms [Thu Oct 00 09:20:20 2017] [debug] > [client TOMCAT-IP] [7fa404014a60] Handshake transcript: > [Thu Oct 00 09:20:20 2017] [debug] [client TOMCAT-IP] <client_hello> > [Thu Oct 00 09:20:20 2017] [debug] [client TOMCAT-IP] client_version [Thu > Oct 00 09:20:20 2017] [debug] [client TOMCAT-IP] gsksslDissector_8Bits > [Thu Oct 00 09:20:20 2017] [debug] [client TOMCAT-IP] 03 > [Thu Oct 00 09:20:20 2017] [debug] [client TOMCAT-IP] > gsksslDissector_8Bits > [Thu Oct 00 09:20:20 2017] [debug] [client TOMCAT-IP] 03 > [Thu Oct 00 09:20:20 2017] [debug] [client TOMCAT-IP] TLSV12 [Thu Oct 00 > 09:20:20 2017] [debug] [client TOMCAT-IP] random [Thu Oct 00 09:20:20 > 2017] [debug] [client TOMCAT-IP] gsksslDissector_32Bits > [Thu Oct 00 09:20:20 2017] [debug] [client TOMCAT-IP] 9xxxxxx > [Thu Oct 00 09:20:20 2017] [debug] [client TOMCAT-IP] > gsksslDissector_Opaque > [Thu Oct 00 09:20:20 2017] [debug] [client TOMCAT-IP] Length: 28 > [Thu Oct 00 09:20:20 2017] [debug] [client TOMCAT-IP] 1x 62 xx B3 1F 44 > xx 8E D2 xx x7 17 xx 59 x9 x9 .b...D...)...Y.. > [Thu Oct 00 09:20:20 2017] [debug] [client TOMCAT-IP] x1 91 19 08 25 xx > DC xx E1 xx 20 xx ....%..o.9 x > [Thu Oct 00 09:20:20 2017] [debug] [client TOMCAT-IP] session_id [Thu Oct > 00 09:20:20 2017] [debug] [client TOMCAT-IP] Length: 00 [Thu Oct 00 > 09:20:20 2017] [debug] [client TOMCAT-IP] cipher_suites [Thu Oct 00 > 09:20:20 2017] [debug] [client TOMCAT-IP] Length: 14 [Thu Oct 00 > 09:20:20 2017] [debug] [client TOMCAT-IP] 0x Fx x6 00 00 xx > 00 xx 00 xx 00 xx 00 xx ..V..../.5.... > [Thu Oct 00 09:20:20 2017] [debug] [client TOMCAT-IP] > tls_ri_scsv,tls_fallback_scsv,tls_rsa_with_rc4_128_sha,tls_ > rsa_with_aes_128_cbc_sha,tls_rsa_with_aes_256_cbc_sha,tls_ > rsa_with_3des_ede_cbc_sha,tls_rsa_with_rc4_128_md5 > [Thu Oct 00 09:20:20 2017] [debug] [client TOMCAT-IP] > compression_methods [Thu Oct 00 09:20:20 2017] [debug] [client TOMCAT-IP] > Length: 01 [Thu Oct 00 09:20:20 2017] [debug] [client TOMCAT-IP] 00 > . > [Thu Oct 00 09:20:20 2017] [debug] [client TOMCAT-IP] Extensions [Thu Oct > 00 09:20:20 2017] [debug] [client TOMCAT-IP] Length: 00 > [Thu Oct 00 09:20:20 2017] [debug] [client TOMCAT-IP] Extension Count: 0 > [Thu Oct 00 09:20:20 2017] [debug] [client TOMCAT-IP] end handshake > transcript [Thu Oct 00 09:20:20 2017] [debug] proxy_util.c(2442): proxy: > HTTPS: pre_connection setup failed (500) [Thu Oct 00 09:20:20 2017] [debug] > proxy_util.c(2022): proxy: HTTPS: has released connection for TOMCAT2 > ------------------------------------------------------------ > ------------------------------------------------------------ > -------------------------- > What’s done: IHS & Tomcat keystores contain required signers for proper > communication. During the troubleshooting, I even added IHS server cert as > a signer into Tomcat keystore and vice-versa but cannot get rid of this > error. > Also, tried restricting both IHS & Tomcat to use TLSv1 but no success. > > Has anyone ran into similar issues? Or ever tried Tomcat with IHS using > mod_proxy module? > > > Thank you, > Vamsi Gali > > > This communication may contain privileged and/or confidential information. > It is intended solely for the use of the addressee. If you are not the > intended recipient, you are strictly prohibited from disclosing, copying, > distributing or using any of this information. If you received this > communication in error, please contact the sender immediately and destroy > the material in its entirety, whether electronic or hard copy. This > communication may contain nonpublic personal information about consumers > subject to the restrictions of the Gramm-Leach-Bliley Act. You may not > directly or indirectly reuse or redisclose such information for any purpose > other than to provide the services for which you are receiving the > information. > > 127 Public Square, Cleveland, OH 44114 > If you prefer not to receive future e-mail offers for products or services > from Key send an e-mail to mailto:dnereque...@key.com with 'No > Promotional E-mails' > in the > SUBJECT line. > > > --------------------------------------------------------------------- > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > For additional commands, e-mail: users-h...@tomcat.apache.org > > Well what does tomcat log say? You can add java debug ssl option to > JAVA_OPTS in the default tomcat config file maybe it will give you a clue. > -- Regards Siva #068860592040
