The debug log produced is below, and it's evident that the handshake is failing due
to no cipher suites in common.
Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
http-bio-xxxx-Acceptor-0, setSoTimeout(60000) called
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 for TLSv1
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for TLSv1.1
http-bio-xxxx-exec-2, READ: TLSv1.2 Handshake, length = 57
*** ClientHello, TLSv1.2
RandomCookie: GMT: -2042962343 bytes = { 199, 95, 13, 144, 113, 194, 145, 53, 176, 117, 165, 93, 196, 76, 17, 104, 214, 95, 96, 238, 97, 6, 240, 239, 53, 188, 180, 41 }
Session ID: {}
Cipher Suites: [TLS_EMPTY_RENEGOTIATION_INFO_SCSV, Unknown 0x56:0x0, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_RC4_128_MD5]
Compression Methods: { 0 }
***
%% Initialized: [Session-13, SSL_NULL_WITH_NULL_NULL]
%% Invalidated: [Session-13, SSL_NULL_WITH_NULL_NULL]
http-bio-xxxx-exec-2, SEND TLSv1.2 ALERT: fatal, description = handshake_failure
http-bio-xxxx-exec-2, WRITE: TLSv1.2 Alert, length = 2
http-bio-xxxx-exec-2, called closeSocket()
http-bio-xxxx-exec-2, handling exception: javax.net.ssl.SSLHandshakeException: no cipher suites in common
http-bio-xxxx-exec-2, IOException in getSession(): javax.net.ssl.SSLHandshakeException: no cipher suites in common
http-bio-xxxx-exec-2, called close()
http-bio-xxxx-exec-2, called closeInternal(true)
Thank you,
Vamsi Gali
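The failure in the log above is a cipher-suite intersection problem: the ClientHello from IHS offers only static-RSA suites (RC4, 3DES and AES-CBC with SHA-1), the JRE drops every SHA256/SHA384 suite for TLSv1 and TLSv1.1, and Tomcat evidently enables none of the suites the client lists. The following Python script is an added example, not code from this thread, from Tomcat or from IHS: it parses a `-Djavax.net.debug=ssl` log for the offered suites, maps the `Unknown 0x56:0x0` entry to TLS_FALLBACK_SCSV (the IHS transcript later in the thread names it as `tls_fallback_scsv`), intersects the offer with a server cipher list, and flags which offered suites are legacy. `SERVER_ENABLED` and the `SAMPLE_LOG` excerpt are constructed assumptions, since the thread never shows Tomcat's configured ciphers.

```python
"""Explain a JSSE "no cipher suites in common" failure from -Djavax.net.debug=ssl output.

Added example for this thread; not code from the thread, Tomcat or IHS.
"""
import re
from typing import Dict, List

# Constructed sample: the JSSE debug output quoted in the thread, with the
# mailer's line wrapping undone so each log entry sits on one line.
SAMPLE_LOG = """\
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 for TLSv1
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for TLSv1.1
http-bio-xxxx-exec-2, READ: TLSv1.2 Handshake, length = 57
*** ClientHello, TLSv1.2
Session ID: {}
Cipher Suites: [TLS_EMPTY_RENEGOTIATION_INFO_SCSV, Unknown 0x56:0x0,
SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA,
TLS_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA,
SSL_RSA_WITH_RC4_128_MD5]
Compression Methods: { 0 }
***
http-bio-xxxx-exec-2, handling exception: javax.net.ssl.SSLHandshakeException: no cipher suites in common
"""

# Hypothetical server-side cipher list (what a Tomcat connector `ciphers`
# attribute might enable).  The thread never shows the real one, so this is
# an assumption chosen to reproduce the mismatch.
SERVER_ENABLED = {
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
}

# Signalling values that never select a cipher.  JSSE on this JRE does not
# know 0x56,0x00 and prints "Unknown 0x56:0x0"; it is TLS_FALLBACK_SCSV
# (RFC 7507), which the IHS transcript in the thread names explicitly.
KNOWN_CODES = {"0x56:0x0": "TLS_FALLBACK_SCSV"}
SIGNALLING = {"TLS_EMPTY_RENEGOTIATION_INFO_SCSV", "TLS_FALLBACK_SCSV"}

# Substrings that mark a suite as legacy; static-RSA key exchange is checked separately.
LEGACY_MARKERS = ("RC4", "3DES", "MD5", "NULL", "EXPORT", "anon")


def parse_client_hello_suites(log: str) -> List[str]:
    """Return the suites listed in the ClientHello, in the order offered."""
    m = re.search(r"Cipher Suites: \[(.*?)\]", log, re.S)
    if not m:
        return []
    suites = []
    for item in m.group(1).split(","):
        item = " ".join(item.split())          # collapse wrapped whitespace
        if item.startswith("Unknown "):        # e.g. "Unknown 0x56:0x0"
            item = KNOWN_CODES.get(item.split()[1], item)
        if item:
            suites.append(item)
    return suites


def parse_ignored_suites(log: str) -> Dict[str, List[str]]:
    """Map protocol version -> suites JSSE dropped for it ("Ignoring unsupported ...")."""
    ignored: Dict[str, List[str]] = {}
    for suite, proto in re.findall(r"Ignoring unsupported cipher suite: (\S+) for (\S+)", log):
        ignored.setdefault(proto, []).append(suite)
    return ignored


def legacy_reasons(suite: str) -> List[str]:
    """Why a suite would be considered weak by current guidance."""
    reasons = [marker for marker in LEGACY_MARKERS if marker in suite]
    if suite.startswith(("TLS_RSA_", "SSL_RSA_")):
        reasons.append("no forward secrecy (static RSA key exchange)")
    return reasons


def diagnose(log: str, server_enabled: set) -> dict:
    """Compare what the client offered with what the server enables."""
    all_offered = parse_client_hello_suites(log)
    offered = [s for s in all_offered if s not in SIGNALLING]
    return {
        "failed": "no cipher suites in common" in log,
        "fallback_scsv": "TLS_FALLBACK_SCSV" in all_offered,
        "offered": offered,
        "common": [s for s in offered if s in server_enabled],
        "legacy": {s: legacy_reasons(s) for s in offered if legacy_reasons(s)},
        "ignored": parse_ignored_suites(log),
    }


if __name__ == "__main__":
    report = diagnose(SAMPLE_LOG, SERVER_ENABLED)
    print("handshake failed:", report["failed"])
    print("client offered:  ", report["offered"])
    print("in common:       ", report["common"] or "none -> handshake_failure")
    for suite, why in report["legacy"].items():
        print(f"  legacy: {suite}: {', '.join(why)}")
    for proto, suites in report["ignored"].items():
        print(f"  JSSE dropped for {proto}: {suites}")
```

The report makes clear which side has to move: either the Tomcat connector enables one of the suites IHS actually offers (every one of them is flagged as legacy, so that is a stopgap), or the IHS/GSKit side is configured to offer ECDHE or SHA-2 suites that the Tomcat JRE accepts on TLSv1.2. Restricting both ends to TLSv1, as tried in the thread, cannot help because the intersection stays empty regardless of protocol version.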
-----Original Message-----
From: Gali, Vamsi A [mailto:[email protected]]
Sent: Wednesday, October 11, 2017 11:18 AM
To: Tomcat Users List
Subject: RE: FW: [error] SSL0266E: Handshake Failed, Could not establish SSL proxy connection
I see what Igor has suggested and I will be reproducing the issue by adding
'-Djavax.net.debug=ssl' to setenv.sh's JAVA_OPTS. Thank you!
Thank you,
Vamsi Gali
-----Original Message-----
From: Mark Thomas [mailto:[email protected]]
Sent: Wednesday, October 11, 2017 10:44 AM
To: [email protected]
Subject: Re: FW: [error] SSL0266E: Handshake Failed, Could not establish SSL proxy connection
On 11/10/2017 14:05, Gali, Vamsi A wrote:
> Igor,
>
> Thank you for the response!
>
> Since the request is failing at SSL handshake, Tomcat doesn’t even record
> anything not even the access log. I tried enabling debug at tomcat but
> nothing is captured during the request initiation.
Re-read the suggestion. You need to enable the JRE-provided SSL debugging, not
Tomcat debug logging.
Check your JVM docs for how to do that.
Mark
>
> Thank you,
> Vamsi Gali
>
> -----Original Message-----
> From: Igor Cicimov [mailto:[email protected]]
> Sent: Wednesday, October 11, 2017 4:09 AM
> To: Tomcat Users List
> Subject: Re: FW: [error] SSL0266E: Handshake Failed, Could not establish SSL proxy connection
>
> On 11 Oct 2017 1:50 am, "Gali, Vamsi A" <[email protected]> wrote:
>
> Hello,
>
> Any help is appreciated on this issue.
>
> Thank you,
> Vamsi Gali
>
>
> -----Original Message-----
> From: Gali, Vamsi A
> Sent: Thursday, October 05, 2017 12:03 PM
> To: 'Tomcat Users List'
> Subject: RE: [error] SSL0266E: Handshake Failed, Could not establish SSL proxy connection
>
> Hello,
> I just realized that I didn't provide the environment info; the details are
> as follows:
>
> Tomcat: apache-tomcat-7.0.75
> IHS: IHS v8.5.5.x
> OS: RHEL
>
> We have IHS → mod_proxy (on IHS) → Tomcat.
> I know that IHS isn't the suggested web server to use with Tomcat, but it's in
> use.
> [error] SSL0266E: Handshake Failed, Could not establish SSL proxy
> connection
>
> When Tomcat is accessed through the web server URL, it throws a '500' with the
> following stack in the IHS error log:
>
> [Thu Oct 00 09:20:20 2017] [debug] proxy_util.c(2313): proxy: HTTPS: fam 2 socket created to connect to TOMCAT2
> [Thu Oct 00 09:20:20 2017] [debug] proxy_util.c(2419): proxy: HTTPS: connection complete to TOMCAT-IP:PORT (TOMCAT2)
> [Thu Oct 00 09:20:20 2017] [error] SSL0266E: Handshake Failed, Could not establish SSL proxy connection.
> [Thu Oct 00 09:20:20 2017] [info] [client TOMCAT-IP] [7fa404014a60] [13789] SSL0240I: SSL Handshake Failed, Socket has been closed. Client sent fatal alert [level 2 (fatal), description 40 (handshake_failure)] [TOMCAT-IP:PORT -> IHS:PORT] [09:20:20.000967434] 0ms
> [Thu Oct 00 09:20:20 2017] [debug] [client TOMCAT-IP] [7fa404014a60] Handshake transcript:
> [Thu Oct 00 09:20:20 2017] [debug] [client TOMCAT-IP] <client_hello>
> [Thu Oct 00 09:20:20 2017] [debug] [client TOMCAT-IP] client_version
> [Thu Oct 00 09:20:20 2017] [debug] [client TOMCAT-IP] gsksslDissector_8Bits
> [Thu Oct 00 09:20:20 2017] [debug] [client TOMCAT-IP] 03
> [Thu Oct 00 09:20:20 2017] [debug] [client TOMCAT-IP] gsksslDissector_8Bits
> [Thu Oct 00 09:20:20 2017] [debug] [client TOMCAT-IP] 03
> [Thu Oct 00 09:20:20 2017] [debug] [client TOMCAT-IP] TLSV12
> [Thu Oct 00 09:20:20 2017] [debug] [client TOMCAT-IP] random
> [Thu Oct 00 09:20:20 2017] [debug] [client TOMCAT-IP] gsksslDissector_32Bits
> [Thu Oct 00 09:20:20 2017] [debug] [client TOMCAT-IP] 9xxxxxx
> [Thu Oct 00 09:20:20 2017] [debug] [client TOMCAT-IP] gsksslDissector_Opaque
> [Thu Oct 00 09:20:20 2017] [debug] [client TOMCAT-IP] Length: 28
> [Thu Oct 00 09:20:20 2017] [debug] [client TOMCAT-IP] 1x 62 xx B3 1F 44 xx 8E D2 xx x7 17 xx 59 x9 x9 .b...D...)...Y..
> [Thu Oct 00 09:20:20 2017] [debug] [client TOMCAT-IP] x1 91 19 08 25 xx DC xx E1 xx 20 xx ....%..o.9 x
> [Thu Oct 00 09:20:20 2017] [debug] [client TOMCAT-IP] session_id
> [Thu Oct 00 09:20:20 2017] [debug] [client TOMCAT-IP] Length: 00
> [Thu Oct 00 09:20:20 2017] [debug] [client TOMCAT-IP] cipher_suites
> [Thu Oct 00 09:20:20 2017] [debug] [client TOMCAT-IP] Length: 14
> [Thu Oct 00 09:20:20 2017] [debug] [client TOMCAT-IP] 0x Fx x6 00 00 xx 00 xx 00 xx 00 xx ..V..../.5....
> [Thu Oct 00 09:20:20 2017] [debug] [client TOMCAT-IP] tls_ri_scsv,tls_fallback_scsv,tls_rsa_with_rc4_128_sha,tls_rsa_with_aes_128_cbc_sha,tls_rsa_with_aes_256_cbc_sha,tls_rsa_with_3des_ede_cbc_sha,tls_rsa_with_rc4_128_md5
> [Thu Oct 00 09:20:20 2017] [debug] [client TOMCAT-IP] compression_methods
> [Thu Oct 00 09:20:20 2017] [debug] [client TOMCAT-IP] Length: 01
> [Thu Oct 00 09:20:20 2017] [debug] [client TOMCAT-IP] 00 .
> [Thu Oct 00 09:20:20 2017] [debug] [client TOMCAT-IP] Extensions
> [Thu Oct 00 09:20:20 2017] [debug] [client TOMCAT-IP] Length: 00
> [Thu Oct 00 09:20:20 2017] [debug] [client TOMCAT-IP] Extension Count: 0
> [Thu Oct 00 09:20:20 2017] [debug] [client TOMCAT-IP] end handshake transcript
> [Thu Oct 00 09:20:20 2017] [debug] proxy_util.c(2442): proxy: HTTPS: pre_connection setup failed (500)
> [Thu Oct 00 09:20:20 2017] [debug] proxy_util.c(2022): proxy: HTTPS: has released connection for TOMCAT2
> --------------------------------------------------------------------------------
> What’s done: IHS & Tomcat keystores contain required signers for proper
> communication. During the troubleshooting, I even added IHS server cert as a
> signer into Tomcat keystore and vice-versa but cannot get rid of this error.
> Also, tried restricting both IHS & Tomcat to use TLSv1 but no success.
>
> Has anyone run into similar issues? Or ever tried Tomcat with IHS using the
> mod_proxy module?
>
>
> Thank you,
> Vamsi Gali
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [email protected]
> For additional commands, e-mail: [email protected]
>
> Well what does tomcat log say? You can add java debug ssl option to JAVA_OPTS
> in the default tomcat config file maybe it will give you a clue.
>