[error] SSL0266E: Handshake Failed, Could not establish SSL proxy connection

[error] SSL0266E: Handshake Failed, Could not establish SSL proxy connection

Gali, Vamsi A
Hello,

We have IHS→mod_proxy(on IHS) → Tomcat.
I know that IHS isn’t the suggested webserver to use with Tomcat but it’s in use.
[error] SSL0266E: Handshake Failed, Could not establish SSL proxy connection

When Tomcat is accessed through the webserver URL, it throws a ‘500’ with the following stack in the IHS error log:

[Thu Oct 00 09:20:20 2017] [debug] proxy_util.c(2313): proxy: HTTPS: fam 2 socket created to connect to TOMCAT2
[Thu Oct 00 09:20:20 2017] [debug] proxy_util.c(2419): proxy: HTTPS: connection complete to  TOMCAT-IP:PORT (TOMCAT2)
[Thu Oct 00 09:20:20 2017] [error] SSL0266E: Handshake Failed, Could not establish SSL proxy connection.
[Thu Oct 00 09:20:20 2017] [info] [client TOMCAT-IP] [7fa404014a60] [13789] SSL0240I: SSL Handshake Failed, Socket has been closed. Client sent fatal alert [level 2 (fatal), description 40 (handshake_failure)]  [TOMCAT-IP:PORT -> IHS:PORT] [09:20:20.000967434] 0ms
[Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP] [7fa404014a60] Handshake transcript:
[Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]  <client_hello>
[Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]  client_version
[Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]    gsksslDissector_8Bits
[Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]    03
[Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]    gsksslDissector_8Bits
[Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]    03
[Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]  TLSV12
[Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]  random
[Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]    gsksslDissector_32Bits
[Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]    9xxxxxx
[Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]    gsksslDissector_Opaque
[Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]    Length: 28
[Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]    1x 62 xx B3 1F 44 xx 8E D2 xx x7 17 xx 59 x9 x9     .b...D...)...Y..
[Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]    x1 91 19 08 25 xx DC xx E1 xx 20 xx                 ....%..o.9 x
[Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]  session_id
[Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]  Length: 00
[Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]  cipher_suites
[Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]  Length: 14
[Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]  0x Fx x6 00 00 xx 00 xx 00 xx 00 xx 00 xx           ..V..../.5....
[Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]  tls_ri_scsv,tls_fallback_scsv,tls_rsa_with_rc4_128_sha,tls_rsa_with_aes_128_cbc_sha,tls_rsa_with_aes_256_cbc_sha,tls_rsa_with_3des_ede_cbc_sha,tls_rsa_with_rc4_128_md5
[Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]  compression_methods
[Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]  Length: 01
[Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]  00                                                  .
[Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]  Extensions
[Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]  Length: 00
[Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]   Extension Count: 0
[Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP] end handshake transcript
[Thu Oct 00 09:20:20 2017] [debug] proxy_util.c(2442): proxy: HTTPS: pre_connection setup failed (500)
[Thu Oct 00 09:20:20 2017] [debug] proxy_util.c(2022): proxy: HTTPS: has released connection for TOMCAT2
--------------------------------------------------------------------------------------------------------------------------------------------------
What’s been done: the IHS and Tomcat keystores contain the required signers for proper communication. During troubleshooting, I even added the IHS server cert as a signer into the Tomcat keystore and vice versa, but cannot get rid of this error.
I also tried restricting both IHS and Tomcat to TLSv1, but with no success.

Has anyone run into similar issues? Or ever tried Tomcat with IHS using the mod_proxy module?


Thank you,
Vamsi Gali
Web Systems Services
Ph: 214-416-3128




This communication may contain privileged and/or confidential information. It is intended solely for the use of the addressee. If you are not the intended recipient, you are strictly prohibited from disclosing, copying, distributing or using any of this information. If you received this communication in error, please contact the sender immediately and destroy the material in its entirety, whether electronic or hard copy. This communication may contain nonpublic personal information about consumers subject to the restrictions of the Gramm-Leach-Bliley Act. You may not directly or indirectly reuse or redisclose such information for any purpose other than to provide the services for which you are receiving the information.

127 Public Square, Cleveland, OH 44114
If you prefer not to receive future e-mail offers for products or services from Key
send an e-mail to mailto:[hidden email] with 'No Promotional E-mails' in the
SUBJECT line.


---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]
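As an added example (not code from the thread, from IHS or from Tomcat), the following Python script triages an IHS handshake transcript like the one in the post above: it parses the SSL0240I alert line and the cipher suites offered in the client hello, then compares them with a Tomcat connector's `ciphers` attribute to check for a shared suite. The embedded log is a constructed, abridged copy of the lines quoted in this post, and the Tomcat cipher lists are assumed values, not the poster's configuration.

```python
"""Triage helper for the IHS (GSKit) handshake transcript quoted in this thread.

Added example, not code from the thread, from IHS or from Tomcat. It parses the
SSL0240I alert line and the <client_hello> transcript that IHS mod_proxy logged
when Tomcat closed the backend TLS connection, then checks the offered cipher
suites against a Tomcat connector ``ciphers`` attribute (assumed to use JSSE
names) for the usual cause of alert 40 (handshake_failure): no shared suite.
"""
import re

# Constructed sample: an abridged copy of the log lines quoted in the post above.
SAMPLE_LOG = """\
[Thu Oct 00 09:20:20 2017] [info] [client TOMCAT-IP] [7fa404014a60] [13789] SSL0240I: SSL Handshake Failed, Socket has been closed. Client sent fatal alert [level 2 (fatal), description 40 (handshake_failure)]  [TOMCAT-IP:PORT -> IHS:PORT] [09:20:20.000967434] 0ms
[Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP] [7fa404014a60] Handshake transcript:
[Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]  <client_hello>
[Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]  client_version
[Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]  TLSV12
[Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]  cipher_suites
[Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]  Length: 14
[Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]  0x Fx x6 00 00 xx 00 xx 00 xx 00 xx 00 xx           ..V..../.5....
[Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]  tls_ri_scsv,tls_fallback_scsv,tls_rsa_with_rc4_128_sha,tls_rsa_with_aes_128_cbc_sha,tls_rsa_with_aes_256_cbc_sha,tls_rsa_with_3des_ede_cbc_sha,tls_rsa_with_rc4_128_md5
[Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]  Extensions
[Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]  Length: 00
[Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]   Extension Count: 0
[Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP] end handshake transcript
"""

ALERT_RE = re.compile(
    r"sent fatal alert \[level (\d+) \((\w+)\), description (\d+) \((\w+)\)\]")
# Strips the "[date] [level] [client host]" prefix IHS puts in front of each line.
PREFIX_RE = re.compile(r"^\[[^\]]+\] \[\w+\] \[client\s+[^\]]+\]\s*(.*)$")


def parse_transcript(log):
    """Extract the alert, offered protocol version, cipher suites and extension count."""
    info = {"alert": None, "version": None, "suites": [], "extension_count": None}
    section = None
    for line in log.splitlines():
        m = ALERT_RE.search(line)
        if m:
            info["alert"] = {"level": int(m.group(1)), "level_name": m.group(2),
                             "description": int(m.group(3)), "name": m.group(4)}
            continue
        m = PREFIX_RE.match(line)
        if not m:
            continue
        body = m.group(1).strip()
        if body.startswith(("TLSV", "SSLV")):
            info["version"] = body
        elif body in ("cipher_suites", "Extensions"):
            section = body
        elif body.startswith("Extension Count:"):
            info["extension_count"] = int(body.split(":", 1)[1])
        elif section == "cipher_suites" and body.startswith("tls_"):
            # GSKit prints lower-case names; upper-casing gives the IANA/JSSE spelling.
            info["suites"] = [s.upper() for s in body.split(",")]
            section = None
    return info


def check_overlap(info, tomcat_ciphers):
    """Compare what IHS offered with the Tomcat connector's ciphers attribute."""
    # Signalling suites (*_SCSV) are flags, not ciphers a server can select.
    offered = [s for s in info["suites"] if not s.endswith("_SCSV")]
    configured = {c.strip().upper() for c in tomcat_ciphers.split(",") if c.strip()}
    common = [s for s in offered if s in configured]
    findings = []
    alert = info["alert"]
    if alert and alert["level"] == 2 and alert["description"] == 40:
        findings.append("Tomcat answered the ClientHello with fatal handshake_failure (40)")
    if not common:
        findings.append("no cipher suite is both offered by IHS and enabled on the connector")
    if offered and all("_RSA_WITH_" in s for s in offered):
        findings.append("only RSA key exchange offered: the Tomcat keystore needs an RSA cert")
    if info["extension_count"] == 0:
        findings.append("ClientHello has no extensions (no SNI, signature_algorithms or EC)")
    return {"offered": offered, "common": common, "findings": findings}


if __name__ == "__main__":
    # Assumed connector setting for the demo: an ECDHE-only ciphers list.
    tomcat_ciphers = ("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,"
                      "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384")
    result = check_overlap(parse_transcript(SAMPLE_LOG), tomcat_ciphers)
    print("offered:", ", ".join(result["offered"]))
    print("common :", ", ".join(result["common"]) or "(none)")
    for f in result["findings"]:
        print("-", f)
```

Run it against the real IHS error log (LogLevel debug) and the `ciphers` value from the Tomcat connector; an empty "common" list points at cipher configuration rather than at the signer certificates the thread has already verified.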


RE: [error] SSL0266E: Handshake Failed, Could not establish SSL proxy connection

Gali, Vamsi A
Hello,
I just realized that I didn’t provide the environment info; the following are the details:

Tomcat: apache-tomcat-7.0.75
IHS: IHS v8.5.5.x
OS: RHEL



Thank you,
Vamsi Gali




FW: [error] SSL0266E: Handshake Failed, Could not establish SSL proxy connection

Gali, Vamsi A
In reply to this post by Gali, Vamsi A
Hello,

Any help is appreciated on this issue.

Thank you,
Vamsi Gali




Re: FW: [error] SSL0266E: Handshake Failed, Could not establish SSL proxy connection

Igor Cicimov
On 11 Oct 2017 1:50 am, "Gali, Vamsi A" <[hidden email]>
wrote:

Hello,

Any help is appreciated on this issue.

Thank you,
Vamsi Gali



Well, what does the Tomcat log say? You can add the Java SSL debug option to JAVA_OPTS in the default Tomcat config file; maybe it will give you a clue.

RE: FW: [error] SSL0266E: Handshake Failed, Could not establish SSL proxy connection

Gali, Vamsi A
Igor,

Thank you for the response!

Since the request is failing at the SSL handshake, Tomcat doesn’t record anything, not even in the access log. I tried enabling debug on Tomcat, but nothing is captured during request initiation.

Thank you,
Vamsi Gali

-----Original Message-----
From: Igor Cicimov [mailto:[hidden email]]
Sent: Wednesday, October 11, 2017 4:09 AM
To: Tomcat Users List
Subject: Re: FW: [error] SSL0266E: Handshake Failed, Could not establish SSL proxy connection

Well, what does the Tomcat log say? You can add the Java SSL debug option to JAVA_OPTS in the default Tomcat config file; maybe it will give you a clue.


Re: FW: [error] SSL0266E: Handshake Failed, Could not establish SSL proxy connection

shivashankar manukondu
Hi,

Can you post the web and Tomcat servers' configuration files?

I hope you have added the CA root certificate to the backend truststore?

Regards,
Siva

On Wed, Oct 11, 2017 at 3:05 PM, Gali, Vamsi A <
[hidden email]> wrote:

> Igor,
>
> Thank you for the response!
>
> Since the request is failing at SSL handshake, Tomcat doesn’t even record
> anything not even the access log. I tried enabling debug at tomcat but
> nothing is captured during the request initiation.
>
> Thank you,
> Vamsi Gali
>
> -----Original Message-----
> From: Igor Cicimov [mailto:[hidden email]]
> Sent: Wednesday, October 11, 2017 4:09 AM
> To: Tomcat Users List
> Subject: Re: FW: [error] SSL0266E: Handshake Failed, Could not establish
> SSL proxy connection
>
> On 11 Oct 2017 1:50 am, "Gali, Vamsi A" <[hidden email]>
> wrote:
>
> Hello,
>
> Any help is appreciated on this issue.
>
> Thank you,
> Vamsi Gali
>
>
> -----Original Message-----
> From: Gali, Vamsi A
> Sent: Thursday, October 05, 2017 12:03 PM
> To: 'Tomcat Users List'
> Subject: RE: [error] SSL0266E: Handshake Failed, Could not establish SSL
> proxy connection
>
> Hello,
> I just realized that I didn’t provide the environment info & following are
> the details:
>
> Tomcat:  apache-tomcat-7.0.75
> IHS: HIS v8.5.5.x
> OS: RHEL
>
> We have IHS→mod_proxy(on IHS) → Tomcat.
> I know that IHS isn’t the suggested webserver to use with Tomcat but it’s
> in use.
> [error] SSL0266E: Handshake Failed, Could not establish SSL proxy
> connection
>
> When Tomcat is accessed through webserver url, it throws ‘500’ with the
> following stack on the IHS Error log:
>
> [Thu Oct 00 09:20:20 2017] [debug] proxy_util.c(2313): proxy: HTTPS: fam 2 socket created to connect to TOMCAT2
> [Thu Oct 00 09:20:20 2017] [debug] proxy_util.c(2419): proxy: HTTPS: connection complete to TOMCAT-IP:PORT (TOMCAT2)
> [Thu Oct 00 09:20:20 2017] [error] SSL0266E: Handshake Failed, Could not establish SSL proxy connection.
> [Thu Oct 00 09:20:20 2017] [info] [client TOMCAT-IP] [7fa404014a60] [13789] SSL0240I: SSL Handshake Failed, Socket has been closed. Client sent fatal alert [level 2 (fatal), description 40 (handshake_failure)] [TOMCAT-IP:PORT -> IHS:PORT] [09:20:20.000967434] 0ms
> [Thu Oct 00 09:20:20 2017] [debug] [client TOMCAT-IP] [7fa404014a60] Handshake transcript:
> [Thu Oct 00 09:20:20 2017] [debug] [client TOMCAT-IP]  <client_hello>
> [Thu Oct 00 09:20:20 2017] [debug] [client TOMCAT-IP]  client_version
> [Thu Oct 00 09:20:20 2017] [debug] [client TOMCAT-IP]    gsksslDissector_8Bits
> [Thu Oct 00 09:20:20 2017] [debug] [client TOMCAT-IP]    03
> [Thu Oct 00 09:20:20 2017] [debug] [client TOMCAT-IP]    gsksslDissector_8Bits
> [Thu Oct 00 09:20:20 2017] [debug] [client TOMCAT-IP]    03
> [Thu Oct 00 09:20:20 2017] [debug] [client TOMCAT-IP]  TLSV12
> [Thu Oct 00 09:20:20 2017] [debug] [client TOMCAT-IP]  random
> [Thu Oct 00 09:20:20 2017] [debug] [client TOMCAT-IP]    gsksslDissector_32Bits
> [Thu Oct 00 09:20:20 2017] [debug] [client TOMCAT-IP]    9xxxxxx
> [Thu Oct 00 09:20:20 2017] [debug] [client TOMCAT-IP]    gsksslDissector_Opaque
> [Thu Oct 00 09:20:20 2017] [debug] [client TOMCAT-IP]    Length: 28
> [Thu Oct 00 09:20:20 2017] [debug] [client TOMCAT-IP]    1x 62 xx B3 1F 44 xx 8E D2 xx x7 17 xx 59 x9 x9     .b...D...)...Y..
> [Thu Oct 00 09:20:20 2017] [debug] [client TOMCAT-IP]    x1 91 19 08 25 xx DC xx E1 xx 20 xx                 ....%..o.9 x
> [Thu Oct 00 09:20:20 2017] [debug] [client TOMCAT-IP]  session_id
> [Thu Oct 00 09:20:20 2017] [debug] [client TOMCAT-IP]  Length: 00
> [Thu Oct 00 09:20:20 2017] [debug] [client TOMCAT-IP]  cipher_suites
> [Thu Oct 00 09:20:20 2017] [debug] [client TOMCAT-IP]  Length: 14
> [Thu Oct 00 09:20:20 2017] [debug] [client TOMCAT-IP]  0x Fx x6 00 00 xx 00 xx 00 xx 00 xx 00 xx           ..V..../.5....
> [Thu Oct 00 09:20:20 2017] [debug] [client TOMCAT-IP]  tls_ri_scsv,tls_fallback_scsv,tls_rsa_with_rc4_128_sha,tls_rsa_with_aes_128_cbc_sha,tls_rsa_with_aes_256_cbc_sha,tls_rsa_with_3des_ede_cbc_sha,tls_rsa_with_rc4_128_md5
> [Thu Oct 00 09:20:20 2017] [debug] [client TOMCAT-IP]  compression_methods
> [Thu Oct 00 09:20:20 2017] [debug] [client TOMCAT-IP]  Length: 01
> [Thu Oct 00 09:20:20 2017] [debug] [client TOMCAT-IP]  00                                .
> [Thu Oct 00 09:20:20 2017] [debug] [client TOMCAT-IP]  Extensions
> [Thu Oct 00 09:20:20 2017] [debug] [client TOMCAT-IP]  Length: 00
> [Thu Oct 00 09:20:20 2017] [debug] [client TOMCAT-IP]   Extension Count: 0
> [Thu Oct 00 09:20:20 2017] [debug] [client TOMCAT-IP] end handshake transcript
> [Thu Oct 00 09:20:20 2017] [debug] proxy_util.c(2442): proxy: HTTPS: pre_connection setup failed (500)
> [Thu Oct 00 09:20:20 2017] [debug] proxy_util.c(2022): proxy: HTTPS: has released connection for TOMCAT2
> ------------------------------------------------------------
> What’s done: IHS & Tomcat keystores contain required signers for proper
> communication. During the troubleshooting, I even added IHS server cert as
> a signer into Tomcat keystore and vice-versa but cannot get rid of this
> error.
> Also, tried restricting both IHS & Tomcat to use TLSv1 but no success.
>
> Has anyone run into similar issues, or ever tried Tomcat with IHS using the
> mod_proxy module?
>
>
> Thank you,
> Vamsi Gali
>
>
> This communication may contain privileged and/or confidential information.
> It is intended solely for the use of the addressee. If you are not the
> intended recipient, you are strictly prohibited from disclosing, copying,
> distributing or using any of this information. If you received this
> communication in error, please contact the sender immediately and destroy
> the material in its entirety, whether electronic or hard copy. This
> communication may contain nonpublic personal information about consumers
> subject to the restrictions of the Gramm-Leach-Bliley Act. You may not
> directly or indirectly reuse or redisclose such information for any purpose
> other than to provide the services for which you are receiving the
> information.
>
> 127 Public Square, Cleveland, OH 44114
> If you prefer not to receive future e-mail offers for products or services
> from Key send an e-mail to mailto:[hidden email] with 'No
> Promotional E-mails'
> in the
> SUBJECT line.
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [hidden email]
> For additional commands, e-mail: [hidden email]
>
> Well, what does the Tomcat log say? You can add the Java SSL debug option to
> JAVA_OPTS in the default Tomcat config file; maybe it will give you a clue.
>



--

Regards
Siva
#068860592040

RE: FW: [error] SSL0266E: Handshake Failed, Could not establish SSL proxy connection

Gali, Vamsi A
Yes, Siva.
Both IHS & Tomcat keystores are added with correct CA certs.

Webserver Config:

Include "rewrites.conf"
SSLEnable
Include "cipher.conf"
Keyfile Key-File
# tomcat balancer and proxy section
ProxyRequests Off
SSLProxyEngine on

<Proxy balancer://app1>
    BalancerMember https://Tomcat1:https-port/app1 route=app1_01
    BalancerMember https://Tomcat2:https-port/app1 route=app1_02
</Proxy>
ProxyPassReverse /app1 balancer://app1
ProxyPass /app1 balancer://app1 stickysession=JSESSIONID|jsessionid


Tomcat SSL Connector:

  <Connector port="xxxx" protocol="org.apache.coyote.http11.Http11Protocol"
               maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
               maxHttpHeaderSize="111111"
               keystoreFile="keystore"
               keystorePass="xxxxxx" />

We haven’t specified the list of ciphers for Tomcat, and it’s set to TLS for the SSL protocol.


Thank you,
Vamsi Gali


-----Original Message-----
From: shivashankar manukondu [mailto:[hidden email]]
Sent: Wednesday, October 11, 2017 10:02 AM
To: Tomcat Users List
Subject: Re: FW: [error] SSL0266E: Handshake Failed, Could not establish SSL proxy connection

Hi,

Can you post the web and Tomcat servers' configuration files?

I hope you have added the CA root certificate to the backend truststore?

Regards,
Siva

On Wed, Oct 11, 2017 at 3:05 PM, Gali, Vamsi A < [hidden email]> wrote:

> Igor,
>
> Thank you for the response!
>
> Since the request is failing at the SSL handshake, Tomcat doesn’t record
> anything, not even in the access log. I tried enabling debug at Tomcat but
> nothing is captured during the request initiation.
>
> Thank you,
> Vamsi Gali
>
> -----Original Message-----
> From: Igor Cicimov [mailto:[hidden email]]
> Sent: Wednesday, October 11, 2017 4:09 AM
> To: Tomcat Users List
> Subject: Re: FW: [error] SSL0266E: Handshake Failed, Could not
> establish SSL proxy connection
>
> On 11 Oct 2017 1:50 am, "Gali, Vamsi A"
> <[hidden email]>
> wrote:
>
> Hello,
>
> Any help is appreciated on this issue.
>
> Thank you,
> Vamsi Gali
>
>
> Well, what does the Tomcat log say? You can add the Java SSL debug option to
> JAVA_OPTS in the default Tomcat config file; maybe it will give you a clue.
>



--

Regards
Siva
#068860592040


Re: FW: [error] SSL0266E: Handshake Failed, Could not establish SSL proxy connection

markt
On 11/10/2017 14:05, Gali, Vamsi A wrote:
> Igor,
>
> Thank you for the response!
>
> Since the request is failing at the SSL handshake, Tomcat doesn’t record anything, not even in the access log. I tried enabling debug at Tomcat but nothing is captured during the request initiation.

Re-read the suggestion. You need to enable the JRE-provided SSL
debugging, not Tomcat debug logging.

Check your JVM docs for how to do that.

Mark


>
> Thank you,
> Vamsi Gali
>
> -----Original Message-----
> From: Igor Cicimov [mailto:[hidden email]]
> Sent: Wednesday, October 11, 2017 4:09 AM
> To: Tomcat Users List
> Subject: Re: FW: [error] SSL0266E: Handshake Failed, Could not establish SSL proxy connection
>
> On 11 Oct 2017 1:50 am, "Gali, Vamsi A" <[hidden email]>
> wrote:
> Well, what does the Tomcat log say? You can add the Java SSL debug option to JAVA_OPTS in the default Tomcat config file; maybe it will give you a clue.
>

RE: FW: [error] SSL0266E: Handshake Failed, Could not establish SSL proxy connection

Gali, Vamsi A
I see what Igor has suggested and I will be reproducing the issue by adding '-Djavax.net.debug=ssl' to setenv.sh's JAVA_OPTS. Thank you!

Thank you,
Vamsi Gali


-----Original Message-----
From: Mark Thomas [mailto:[hidden email]]
Sent: Wednesday, October 11, 2017 10:44 AM
To: [hidden email]
Subject: Re: FW: [error] SSL0266E: Handshake Failed, Could not establish SSL proxy connection

On 11/10/2017 14:05, Gali, Vamsi A wrote:
> Igor,
>
> Thank you for the response!
>
> Since the request is failing at the SSL handshake, Tomcat doesn’t record anything, not even in the access log. I tried enabling debug at Tomcat but nothing is captured during the request initiation.

Re-read the suggestion. You need to enable the JRE-provided SSL debugging, not Tomcat debug logging.

Check your JVM docs for how to do that.

Mark


>
> Thank you,
> Vamsi Gali
>
> -----Original Message-----
> From: Igor Cicimov [mailto:[hidden email]]
> Sent: Wednesday, October 11, 2017 4:09 AM
> To: Tomcat Users List
> Subject: Re: FW: [error] SSL0266E: Handshake Failed, Could not
> establish SSL proxy connection
>
> On 11 Oct 2017 1:50 am, "Gali, Vamsi A"
> <[hidden email]>
> wrote:
> Well, what does the Tomcat log say? You can add the Java SSL debug option to JAVA_OPTS in the default Tomcat config file; maybe it will give you a clue.
>

RE: FW: [error] SSL0266E: Handshake Failed, Could not establish SSL proxy connection

Gali, Vamsi A
The debug log produced the following, and it's evident that the handshake is failing due to no cipher suites in common.

Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
http-bio-xxxx-Acceptor-0, setSoTimeout(60000) called
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 for TLSv1
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for TLSv1.1
http-bio-xxxx-exec-2, READ: TLSv1.2 Handshake, length = 57
*** ClientHello, TLSv1.2
RandomCookie:  GMT: -2042962343 bytes = { 199, 95, 13, 144, 113, 194, 145, 53, 176, 117, 165, 93, 196, 76, 17, 104, 214, 95, 96, 238, 97, 6, 240, 239, 53, 188, 180, 41 }
Session ID:  {}
Cipher Suites: [TLS_EMPTY_RENEGOTIATION_INFO_SCSV, Unknown 0x56:0x0, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_RC4_128_MD5]
Compression Methods:  { 0 }
***
%% Initialized:  [Session-13, SSL_NULL_WITH_NULL_NULL]
%% Invalidated:  [Session-13, SSL_NULL_WITH_NULL_NULL]
http-bio-xxxx-exec-2, SEND TLSv1.2 ALERT:  fatal, description = handshake_failure
http-bio-xxxx-exec-2, WRITE: TLSv1.2 Alert, length = 2
http-bio-xxxx-exec-2, called closeSocket()
http-bio-xxxx-exec-2, handling exception: javax.net.ssl.SSLHandshakeException: no cipher suites in common
http-bio-xxxx-exec-2, IOException in getSession():  javax.net.ssl.SSLHandshakeException: no cipher suites in common
http-bio-xxxx-exec-2, called close()
http-bio-xxxx-exec-2, called closeInternal(true)

Thank you,
Vamsi Gali
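
A diagnostic for debug output of this shape, added here as an example (not code from the thread, Tomcat or IHS): it pulls the ClientHello suite list and the "Ignoring unsupported cipher suite" lines out of -Djavax.net.debug=ssl output, normalises JSSE's SSL_ and "Unknown 0x56:0x0" spellings, and compares the offer against the server's enabled suites and certificate key type. Those two server-side inputs are assumed parameters, since the log does not print them, and the sample log is constructed to mirror the one quoted above.

```python
"""Diagnose a JSSE "no cipher suites in common" failure from the output of
-Djavax.net.debug=ssl.  Added example for this thread, not code from the
Tomcat or IHS projects; the server-side suite list and certificate key type
are parameters because the debug log does not print them."""
import re
from typing import Dict, List, Set

# Constructed excerpt modelled on the Tomcat debug output quoted above; the
# offered suite list is the one the IHS side sends in the thread, everything
# else is sample data rather than a capture from a real server.
SAMPLE_LOG = """\
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 for TLSv1
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for TLSv1.1
http-bio-xxxx-exec-2, READ: TLSv1.2 Handshake, length = 57
*** ClientHello, TLSv1.2
Session ID:  {}
Cipher Suites: [TLS_EMPTY_RENEGOTIATION_INFO_SCSV, Unknown 0x56:0x0, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_RC4_128_MD5]
Compression Methods:  { 0 }
***
http-bio-xxxx-exec-2, SEND TLSv1.2 ALERT:  fatal, description = handshake_failure
http-bio-xxxx-exec-2, handling exception: javax.net.ssl.SSLHandshakeException: no cipher suites in common
"""

# Code points that JSSE of that era printed as "Unknown": 0x5600 is the
# TLS_FALLBACK_SCSV signalling value (RFC 7507), the same entry the IHS
# transcript above lists as tls_fallback_scsv.
UNKNOWN_CODEPOINTS = {"0x56:0x0": "TLS_FALLBACK_SCSV"}


def normalize_suite(name: str) -> str:
    """Map JSSE spellings onto IANA names so both sides can be compared.

    JSSE prints SSLv3-era suites with an SSL_ prefix (SSL_RSA_WITH_RC4_128_SHA
    is IANA TLS_RSA_WITH_RC4_128_SHA) and unrecognised code points as
    "Unknown 0xHH:0xHH".
    """
    name = name.strip()
    if name.startswith("Unknown "):
        return UNKNOWN_CODEPOINTS.get(name[len("Unknown "):], name)
    if name.startswith("SSL_"):
        return "TLS_" + name[len("SSL_"):]
    return name


def parse_client_hello_suites(log: str) -> List[str]:
    """Return the normalised suites from the first ClientHello in the log."""
    match = re.search(r"Cipher Suites: \[(.*?)\]", log)
    if not match:
        return []
    return [normalize_suite(s) for s in match.group(1).split(",")]


def parse_ignored_suites(log: str) -> Dict[str, Set[str]]:
    """Collect the 'Ignoring unsupported cipher suite: X for PROTO' lines.

    These are informational: JSSE drops SHA-2 suites for TLS 1.0/1.1 because
    those protocol versions cannot carry them.  They are not the failure.
    """
    ignored: Dict[str, Set[str]] = {}
    for suite, proto in re.findall(
            r"Ignoring unsupported cipher suite: (\S+) for (\S+)", log):
        ignored.setdefault(proto, set()).add(suite)
    return ignored


def is_signalling(suite: str) -> bool:
    """SCSV entries are flags for the server, not negotiable suites."""
    return suite.endswith("_SCSV")


def diagnose(log: str, server_enabled: Set[str],
             server_key_algorithm: str) -> dict:
    """Explain why the server found no suite in common with this ClientHello.

    server_enabled is the list the connector actually enables (its ciphers
    attribute, or the JRE default when unset) and server_key_algorithm is
    the key type of the connector's certificate, e.g. "RSA" or "EC".
    """
    offered = [s for s in parse_client_hello_suites(log)
               if not is_signalling(s)]
    common = sorted(set(offered) & server_enabled)
    result = {"offered": offered, "common": common, "findings": [],
              "handshake_failed": "no cipher suites in common" in log}
    if common:
        return result
    # Every TLS_RSA_WITH_* suite does RSA key transport, so it is only
    # usable when the server certificate carries an RSA public key.
    if (all(s.startswith("TLS_RSA_WITH_") for s in offered)
            and server_key_algorithm != "RSA"):
        result["findings"].append(
            "client offers only RSA key-exchange suites, which need an RSA "
            f"server certificate; the connector's key is {server_key_algorithm}")
    legacy = [s for s in offered if "RC4" in s or "3DES" in s]
    if legacy:
        result["findings"].append(
            "legacy RC4/3DES suites offered by the client are not enabled "
            "on the server: " + ", ".join(legacy))
    result["findings"].append(
        "no overlap between the offer and the server's enabled list; "
        "align the IHS cipher.conf with the connector's ciphers attribute")
    return result
```

Run diagnose() with the connector's real ciphers list and key type; an empty "common" list with the RSA finding points at the certificate rather than at trust-store contents, which is the distinction the thread was missing.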


-----Original Message-----
From: Gali, Vamsi A [mailto:[hidden email]]
Sent: Wednesday, October 11, 2017 11:18 AM
To: Tomcat Users List
Subject: RE: FW: [error] SSL0266E: Handshake Failed, Could not establish SSL proxy connection

I see what Igor has suggested and I will be reproducing the issue by adding '-Djavax.net.debug=ssl' to setenv.sh's JAVA_OPTS. Thank you!

Thank you,
Vamsi Gali


-----Original Message-----
From: Mark Thomas [mailto:[hidden email]]
Sent: Wednesday, October 11, 2017 10:44 AM
To: [hidden email]
Subject: Re: FW: [error] SSL0266E: Handshake Failed, Could not establish SSL proxy connection

On 11/10/2017 14:05, Gali, Vamsi A wrote:
> Igor,
>
> Thank you for the response!
>
> Since the request is failing at the SSL handshake, Tomcat doesn’t record anything, not even in the access log. I tried enabling debug at Tomcat but nothing is captured during the request initiation.

Re-read the suggestion. You need to enable the JRE-provided SSL debugging, not Tomcat debug logging.

Check your JVM docs for how to do that.

Mark


>
> Thank you,
> Vamsi Gali
>
> -----Original Message-----
> From: Igor Cicimov [mailto:[hidden email]]
> Sent: Wednesday, October 11, 2017 4:09 AM
> To: Tomcat Users List
> Subject: Re: FW: [error] SSL0266E: Handshake Failed, Could not
> establish SSL proxy connection
>
> On 11 Oct 2017 1:50 am, "Gali, Vamsi A"
> <[hidden email]>
> wrote:
>
> Hello,
>
> Any help is appreciated on this issue.
>
> Thank you,
> Vamsi Gali
>
>
> -----Original Message-----
> From: Gali, Vamsi A
> Sent: Thursday, October 05, 2017 12:03 PM
> To: 'Tomcat Users List'
> Subject: RE: [error] SSL0266E: Handshake Failed, Could not establish
> SSL proxy connection
>
> Hello,
> I just realized that I didn’t provide the environment info & following are the details:
>
> Tomcat:  apache-tomcat-7.0.75
> IHS: HIS v8.5.5.x
> OS: RHEL
>
> We have IHS→mod_proxy(on IHS) → Tomcat.
> I know that IHS isn’t the suggested webserver to use with Tomcat but it’s in use.
> [error] SSL0266E: Handshake Failed, Could not establish SSL proxy
> connection
>
> When Tomcat is accessed through webserver url, it throws ‘500’ with the following stack on the IHS Error log:
>
> [Thu Oct 00 09:20:20 2017] [debug] proxy_util.c(2313): proxy: HTTPS: fam 2 socket created to connect to TOMCAT2
> [Thu Oct 00 09:20:20 2017] [debug] proxy_util.c(2419): proxy: HTTPS: connection complete to TOMCAT-IP:PORT (TOMCAT2)
> [Thu Oct 00 09:20:20 2017] [error] SSL0266E: Handshake Failed, Could not establish SSL proxy connection.
> [Thu Oct 00 09:20:20 2017] [info] [client TOMCAT-IP] [7fa404014a60] [13789] SSL0240I: SSL Handshake Failed, Socket has been closed. Client sent fatal alert [level 2 (fatal), description 40 (handshake_failure)] [TOMCAT-IP:PORT -> IHS:PORT] [09:20:20.000967434] 0ms
> [Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP] [7fa404014a60] Handshake transcript:
> [Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]  <client_hello>
> [Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]  client_version
> [Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]    gsksslDissector_8Bits
> [Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]    03
> [Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]    gsksslDissector_8Bits
> [Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]    03
> [Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]  TLSV12
> [Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]  random
> [Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]    gsksslDissector_32Bits
> [Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]    9xxxxxx
> [Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]    gsksslDissector_Opaque
> [Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]    Length: 28
> [Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]    1x 62 xx B3 1F 44 xx 8E D2 xx x7 17 xx 59 x9 x9     .b...D...)...Y..
> [Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]    x1 91 19 08 25 xx DC xx E1 xx 20 xx                 ....%..o.9 x
> [Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]  session_id
> [Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]  Length: 00
> [Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]  cipher_suites
> [Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]  Length: 14
> [Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]  0x Fx x6 00 00 xx 00 xx 00 xx 00 xx 00 xx           ..V..../.5....
> [Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]  tls_ri_scsv,tls_fallback_scsv,tls_rsa_with_rc4_128_sha,tls_rsa_with_aes_128_cbc_sha,tls_rsa_with_aes_256_cbc_sha,tls_rsa_with_3des_ede_cbc_sha,tls_rsa_with_rc4_128_md5
> [Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]  compression_methods
> [Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]  Length: 01
> [Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]  00                                 .
> [Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]  Extensions
> [Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]  Length: 00
> [Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]   Extension Count: 0
> [Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP] end handshake transcript
> [Thu Oct 00 09:20:20 2017] [debug] proxy_util.c(2442): proxy: HTTPS: pre_connection setup failed (500)
> [Thu Oct 00 09:20:20 2017] [debug] proxy_util.c(2022): proxy: HTTPS: has released connection for TOMCAT2
> ----------------------------------------------------------------------
> What’s done: IHS & Tomcat keystores contain required signers for proper communication. During the troubleshooting, I even added IHS server cert as a signer into Tomcat keystore and vice-versa but cannot get rid of this error.
> Also, tried restricting both IHS & Tomcat to use TLSv1 but no success.
>
> Has anyone run into similar issues? Or ever tried Tomcat with IHS using the mod_proxy module?
>
>
> Thank you,
> Vamsi Gali
>
>
> This communication may contain privileged and/or confidential information.
> It is intended solely for the use of the addressee. If you are not the intended recipient, you are strictly prohibited from disclosing, copying, distributing or using any of this information. If you received this communication in error, please contact the sender immediately and destroy the material in its entirety, whether electronic or hard copy. This communication may contain nonpublic personal information about consumers subject to the restrictions of the Gramm-Leach-Bliley Act. You may not directly or indirectly reuse or redisclose such information for any purpose other than to provide the services for which you are receiving the information.
>
> 127 Public Square, Cleveland, OH 44114 If you prefer not to receive
> future e-mail offers for products or services from Key send an e-mail to mailto:[hidden email] with 'No Promotional E-mails'
> in the
> SUBJECT line.
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [hidden email]
> For additional commands, e-mail: [hidden email]
>
> Well, what does the Tomcat log say? You can add the Java SSL debug option to JAVA_OPTS in the default Tomcat config file; maybe it will give you a clue.
>

RE: FW: [error] SSL0266E: Handshake Failed, Could not establish SSL proxy connection

Igor Cicimov
On 12 Oct 2017 8:25 am, "Gali, Vamsi A" <[hidden email]>
wrote:

The debug log produced the following, and it's evident that the handshake is failing
due to no cipher suites in common.

Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
http-bio-xxxx-Acceptor-0, setSoTimeout(60000) called
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
for TLSv1
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
for TLSv1
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
for TLSv1
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 for
TLSv1
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for
TLSv1
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for
TLSv1
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
for TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
for TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
for TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 for
TLSv1.1
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for
TLSv1.1
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for
TLSv1.1
http-bio-xxxx-exec-2, READ: TLSv1.2 Handshake, length = 57
*** ClientHello, TLSv1.2
RandomCookie:  GMT: -2042962343 bytes = { 199, 95, 13, 144, 113, 194, 145,
53, 176, 117, 165, 93, 196, 76, 17, 104, 214, 95, 96, 238, 97, 6, 240, 239,
53, 188, 180, 41 }
Session ID:  {}
Cipher Suites: [TLS_EMPTY_RENEGOTIATION_INFO_SCSV, Unknown 0x56:0x0,
SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA,
TLS_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA,
SSL_RSA_WITH_RC4_128_MD5]
Compression Methods:  { 0 }
***
%% Initialized:  [Session-13, SSL_NULL_WITH_NULL_NULL]
%% Invalidated:  [Session-13, SSL_NULL_WITH_NULL_NULL]
http-bio-xxxx-exec-2, SEND TLSv1.2 ALERT:  fatal, description =
handshake_failure
http-bio-xxxx-exec-2, WRITE: TLSv1.2 Alert, length = 2
http-bio-xxxx-exec-2, called closeSocket()



http-bio-xxxx-exec-2, handling exception: javax.net.ssl.SSLHandshakeException:
no cipher suites in common
http-bio-xxxx-exec-2, IOException in getSession():
javax.net.ssl.SSLHandshakeException:
no cipher suites in common


There you go, no comment needed.

Re: FW: [error] SSL0266E: Handshake Failed, Could not establish SSL proxy connection

Igor Cicimov
On Thu, Oct 12, 2017 at 9:17 AM, Igor Cicimov <[hidden email]> wrote:

> On 12 Oct 2017 8:25 am, "Gali, Vamsi A" <[hidden email]>
> wrote:
>
> The debug log produced the following, and it's evident that the handshake is failing
> due to no cipher suites in common.
>
> Allow unsafe renegotiation: false
> Allow legacy hello messages: true
> Is initial handshake: true
> Is secure renegotiation: false
> http-bio-xxxx-Acceptor-0, setSoTimeout(60000) called
> Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
> for TLSv1
> Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
> for TLSv1
> Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
> for TLSv1
> Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
> for TLSv1
> Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
> for TLSv1
> Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
> for TLSv1
> Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
> for TLSv1.1
> Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
> for TLSv1.1
> Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
> for TLSv1.1
> Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
> for TLSv1.1
> Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
> for TLSv1.1
> Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
> for TLSv1.1
> http-bio-xxxx-exec-2, READ: TLSv1.2 Handshake, length = 57
> *** ClientHello, TLSv1.2
> RandomCookie:  GMT: -2042962343 bytes = { 199, 95, 13,
> 144, 113, 194, 145, 53, 176, 117, 165, 93, 196, 76, 17, 104, 214, 95, 96,
> 238, 97, 6, 240, 239, 53, 188, 180, 41 }
> Session ID:  {}
> Cipher Suites: [TLS_EMPTY_RENEGOTIATION_INFO_SCSV, Unknown 0x56:0x0,
> SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA,
> TLS_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA,
> SSL_RSA_WITH_RC4_128_MD5]
> Compression Methods:  { 0 }
> ***
> %% Initialized:  [Session-13, SSL_NULL_WITH_NULL_NULL]
> %% Invalidated:  [Session-13, SSL_NULL_WITH_NULL_NULL]
> http-bio-xxxx-exec-2, SEND TLSv1.2 ALERT:  fatal, description =
> handshake_failure
> http-bio-xxxx-exec-2, WRITE: TLSv1.2 Alert, length = 2
> http-bio-xxxx-exec-2, called closeSocket()
>
>
>
> http-bio-xxxx-exec-2, handling exception: javax.net.ssl.SSLHandshakeException:
> no cipher suites in common
> http-bio-xxxx-exec-2, IOException in getSession():
> javax.net.ssl.SSLHandshakeException: no cipher suites in common
>
>
> There you go, no comment needed.
>
Also, since you are using JSSE in your tomcat connector, you never
mentioned the Java version you are using? From the logs it looks like IHS
offers TLSv1.2 ciphers but tomcat does not support them, so maybe you are
running an outdated version of Java, maybe 1.6?

There are some tools out there you can use to find the default SSL/TLS cipher
suites that the JVM will use (and I think I've seen one from Christopher
Schultz). The tool should provide you with output like this:

$ java Ciphers
Default    Cipher
     SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
*    SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
     SSL_DHE_DSS_WITH_DES_CBC_SHA
     SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
*    SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
     SSL_DHE_RSA_WITH_DES_CBC_SHA
     SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA
     SSL_DH_anon_WITH_3DES_EDE_CBC_SHA
     SSL_DH_anon_WITH_DES_CBC_SHA
     SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
*    SSL_RSA_WITH_3DES_EDE_CBC_SHA
     SSL_RSA_WITH_DES_CBC_SHA
     SSL_RSA_WITH_NULL_MD5
     SSL_RSA_WITH_NULL_SHA
*    TLS_DHE_DSS_WITH_AES_128_CBC_SHA
*    TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
*    TLS_DHE_DSS_WITH_AES_128_GCM_SHA256
*    TLS_DHE_RSA_WITH_AES_128_CBC_SHA
*    TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
*    TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
     TLS_DH_anon_WITH_AES_128_CBC_SHA
     TLS_DH_anon_WITH_AES_128_CBC_SHA256
     TLS_DH_anon_WITH_AES_128_GCM_SHA256
...

then pick one of the supported default ciphers (marked with a star) and
use it in IHS (as it is or translated in the IHS way, no idea about that) so
you get a match. I know nothing about IHS so can't help there.

If that doesn't work then I would say IHS does some funky stuff with the
cipher suites in a way that tomcat can't understand them.

Igor
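The IHS transcript and the JSSE debug log in this thread show the same ClientHello in two spellings (GSKit's tls_rsa_with_rc4_128_sha versus JSSE's SSL_RSA_WITH_RC4_128_SHA, and JSSE's "Unknown 0x56:0x0" for tls_fallback_scsv). As an added example, not code from the thread or from Tomcat, this script normalizes both spellings, pulls the offered suites out of a javax.net.debug=ssl log, and intersects them with a server-side enabled list; both server lists are constructed (the starred defaults from the truncated listing above, and a hypothetical connector limited to ECDHE/DHE GCM suites).

```python
"""Cross-check the cipher suites behind a JSSE "no cipher suites in common".

Added example for this thread, not code from Tomcat or the posters: it reads the
ClientHello that javax.net.debug=ssl prints, the cipher_suites value from the IHS
handshake transcript, and a server-side enabled list, and reports the overlap."""
import re

# Signalling values ride in the suite list but select no cipher. JSSE names the
# first; for 0x5600 (TLS_FALLBACK_SCSV, RFC 7507) it prints "Unknown 0x56:0x0".
SIGNALLING = {"TLS_EMPTY_RENEGOTIATION_INFO_SCSV", "TLS_FALLBACK_SCSV"}
UNKNOWN_CODEPOINTS = {(0x56, 0x00): "TLS_FALLBACK_SCSV"}
GSKIT_ALIASES = {"tls_ri_scsv": "TLS_EMPTY_RENEGOTIATION_INFO_SCSV",
                 "tls_fallback_scsv": "TLS_FALLBACK_SCSV"}
# JSSE keeps the historical SSL_ prefix for suites that predate TLS 1.0; these
# spellings appear in the "java Ciphers" listing and the log in the thread.
SSL_PREFIXED = {
    "SSL_RSA_WITH_RC4_128_SHA", "SSL_RSA_WITH_RC4_128_MD5",
    "SSL_RSA_WITH_3DES_EDE_CBC_SHA", "SSL_RSA_WITH_DES_CBC_SHA",
    "SSL_RSA_WITH_NULL_MD5", "SSL_RSA_WITH_NULL_SHA",
    "SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA", "SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
    "SSL_DHE_DSS_WITH_DES_CBC_SHA", "SSL_DHE_RSA_WITH_DES_CBC_SHA",
}

def normalize(name):
    """Map a GSKit spelling (tls_rsa_with_rc4_128_sha) or a JSSE spelling to the
    spelling JSSE uses in its debug output (SSL_RSA_WITH_RC4_128_SHA)."""
    key = name.strip().lower()
    if key in GSKIT_ALIASES:
        return GSKIT_ALIASES[key]
    body = key.upper()
    if body.startswith(("TLS_", "SSL_")):
        body = body[4:]
    return "SSL_" + body if "SSL_" + body in SSL_PREFIXED else "TLS_" + body

def parse_jsse_client_hello(log_text):
    """Return the suites of the first ClientHello in a javax.net.debug=ssl log,
    resolving the 'Unknown 0xNN:0xMM' form JSSE prints for unnamed code points."""
    m = re.search(r"Cipher Suites:\s*\[(.*?)\]", log_text, re.S)
    if not m:
        return []
    suites = []
    for entry in m.group(1).replace("\n", " ").split(","):
        entry = entry.strip()
        cp = re.fullmatch(r"Unknown 0x([0-9A-Fa-f]+):0x([0-9A-Fa-f]+)", entry)
        if cp:
            point = (int(cp.group(1), 16), int(cp.group(2), 16))
            entry = UNKNOWN_CODEPOINTS.get(point, entry)
        if entry:
            suites.append(entry)
    return suites

def parse_gskit_suites(transcript_value):
    """Parse the comma-separated cipher_suites value of an IHS handshake transcript."""
    return [normalize(s) for s in transcript_value.split(",") if s.strip()]

def diagnose(offered, server_enabled):
    """Intersect the client's offer (minus SCSVs) with the server's enabled set,
    keeping the client's preference order."""
    real = [s for s in offered if s not in SIGNALLING]
    enabled = {normalize(s) for s in server_enabled}
    common = [s for s in real if s in enabled]
    verdict = "negotiable: " + common[0] if common else "no cipher suites in common"
    return {"offered": real, "common": common, "verdict": verdict}

# Constructed excerpts, trimmed from the two logs quoted in the thread.
SAMPLE_JSSE_LOG = """\
*** ClientHello, TLSv1.2
Cipher Suites: [TLS_EMPTY_RENEGOTIATION_INFO_SCSV, Unknown 0x56:0x0,
SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA,
TLS_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA,
SSL_RSA_WITH_RC4_128_MD5]
Compression Methods:  { 0 }
http-bio-xxxx-exec-2, SEND TLSv1.2 ALERT:  fatal, description = handshake_failure
"""
SAMPLE_GSKIT_VALUE = ("tls_ri_scsv,tls_fallback_scsv,tls_rsa_with_rc4_128_sha,"
                      "tls_rsa_with_aes_128_cbc_sha,tls_rsa_with_aes_256_cbc_sha,"
                      "tls_rsa_with_3des_ede_cbc_sha,tls_rsa_with_rc4_128_md5")
# The starred (default) suites visible in the truncated "java Ciphers" listing in
# the thread: the only overlap with the RSA-only IHS offer is 3DES, a weak suite.
POSTED_DEFAULTS = [
    "SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA", "SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
    "SSL_RSA_WITH_3DES_EDE_CBC_SHA", "TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
    "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256", "TLS_DHE_DSS_WITH_AES_128_GCM_SHA256",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA", "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
]
# Hypothetical connector limited to forward-secret AEAD suites: it reproduces the
# thread's failure because the IHS hello carries only RSA key exchange.
HARDENED_CONNECTOR = ["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
                      "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
                      "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256"]

if __name__ == "__main__":
    offered = parse_jsse_client_hello(SAMPLE_JSSE_LOG)
    assert offered == parse_gskit_suites(SAMPLE_GSKIT_VALUE)  # same hello, two spellings
    print(diagnose(offered, HARDENED_CONNECTOR)["verdict"])
    print(diagnose(offered, POSTED_DEFAULTS)["verdict"])
```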

RE: FW: [error] SSL0266E: Handshake Failed, Could not establish SSL proxy connection

Gali, Vamsi A
Igor,
Thank you for suggesting that I turn on the SSL debug. We are using Java 1.8, which by default uses TLS 1.2. It looks like both IHS & Tomcat are using TLS 1.2 but there is a cipher mismatch. We have Tam directly connecting to Tomcat and the connectivity works w/o any SSL handshake errors. Hence, I'm suspecting IHS and will try adding the same TLS 1.2 ciphers that Tomcat/Java supports.

Thank you,
Vamsi Gali


-----Original Message-----
From: Igor Cicimov [mailto:[hidden email]]
Sent: Wednesday, October 11, 2017 7:33 PM
To: Tomcat Users List
Subject: Re: FW: [error] SSL0266E: Handshake Failed, Could not establish SSL proxy connection

On Thu, Oct 12, 2017 at 9:17 AM, Igor Cicimov <[hidden email]> wrote:

> On 12 Oct 2017 8:25 am, "Gali, Vamsi A"
> <[hidden email]>
> wrote:
>
> The debug log produced the following, and it's evident that the handshake is
> failing due to no cipher suites in common.
>
> Allow unsafe renegotiation: false
> Allow legacy hello messages: true
> Is initial handshake: true
> Is secure renegotiation: false
> http-bio-xxxx-Acceptor-0, setSoTimeout(60000) called
> Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
> for TLSv1
> Ignoring unsupported cipher suite:
> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
> for TLSv1
> Ignoring unsupported cipher suite:
> TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
> for TLSv1
> Ignoring unsupported cipher suite:
> TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
> for TLSv1
> Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
> for TLSv1
> Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
> for TLSv1
> Ignoring unsupported cipher suite:
> TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
> for TLSv1.1
> Ignoring unsupported cipher suite:
> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
> for TLSv1.1
> Ignoring unsupported cipher suite:
> TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
> for TLSv1.1
> Ignoring unsupported cipher suite:
> TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
> for TLSv1.1
> Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
> for TLSv1.1
> Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
> for TLSv1.1
> http-bio-xxxx-exec-2, READ: TLSv1.2 Handshake, length = 57
> *** ClientHello, TLSv1.2
> RandomCookie:  GMT: -2042962343 bytes = { 199, 95,
> 13, 144, 113, 194, 145, 53, 176, 117, 165, 93, 196, 76, 17, 104, 214,
> 95, 96, 238, 97, 6, 240, 239, 53, 188, 180, 41 }
> Session ID:  {}
> Cipher Suites: [TLS_EMPTY_RENEGOTIATION_INFO_SCSV, Unknown 0x56:0x0,
> SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA,
> TLS_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA,
> SSL_RSA_WITH_RC4_128_MD5]
> Compression Methods:  { 0 }
> ***
> %% Initialized:  [Session-13, SSL_NULL_WITH_NULL_NULL]
> %% Invalidated:  [Session-13, SSL_NULL_WITH_NULL_NULL]
> http-bio-xxxx-exec-2, SEND TLSv1.2 ALERT:  fatal, description = handshake_failure
> http-bio-xxxx-exec-2, WRITE: TLSv1.2 Alert, length = 2
> http-bio-xxxx-exec-2, called closeSocket()
>
>
>
> http-bio-xxxx-exec-2, handling exception: javax.net.ssl.SSLHandshakeException:
> no cipher suites in common
> http-bio-xxxx-exec-2, IOException in getSession():
> javax.net.ssl.SSLHandshakeException: no cipher suites in common
>
>
> There you go, no comment needed.
>
Also, since you are using JSSE in your tomcat connector, you never
mentioned the Java version you are using? From the logs it looks like IHS offers TLSv1.2 ciphers but tomcat does not support them, so maybe you are running an outdated version of Java, maybe 1.6?

There are some tools out there you can use to find the default SSL/TLS cipher suites that the JVM will use (and I think I've seen one from Christopher Schultz). The tool should provide you with output like this:

$ java Ciphers
Default    Cipher
     SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
*    SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
     SSL_DHE_DSS_WITH_DES_CBC_SHA
     SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
*    SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
     SSL_DHE_RSA_WITH_DES_CBC_SHA
     SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA
     SSL_DH_anon_WITH_3DES_EDE_CBC_SHA
     SSL_DH_anon_WITH_DES_CBC_SHA
     SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
*    SSL_RSA_WITH_3DES_EDE_CBC_SHA
     SSL_RSA_WITH_DES_CBC_SHA
     SSL_RSA_WITH_NULL_MD5
     SSL_RSA_WITH_NULL_SHA
*    TLS_DHE_DSS_WITH_AES_128_CBC_SHA
*    TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
*    TLS_DHE_DSS_WITH_AES_128_GCM_SHA256
*    TLS_DHE_RSA_WITH_AES_128_CBC_SHA
*    TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
*    TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
     TLS_DH_anon_WITH_AES_128_CBC_SHA
     TLS_DH_anon_WITH_AES_128_CBC_SHA256
     TLS_DH_anon_WITH_AES_128_GCM_SHA256
...

then pick one of the supported default ciphers (marked with a star) and use it in IHS (as it is or translated in the IHS way, no idea about that) so you get a match. I know nothing about IHS so can't help there.

If that doesn't work then I would say IHS does some funky stuff with the cipher suites in a way that tomcat can't understand them.

Igor



Re: FW: [error] SSL0266E: Handshake Failed, Could not establish SSL proxy connection

André Warnier (tomcat)
And for the rest of us dummies trying to follow this conversation, what might "IHS" be ?
Whatever Google returns doesn't seem really relevant.

On 12.10.2017 15:25, Gali, Vamsi A wrote:

> Igor,
> Thank you for suggesting that I turn on the SSL debug. We are using Java 1.8, which by default uses TLS 1.2. It looks like both IHS & Tomcat are using TLS 1.2 but there is a cipher mismatch. We have Tam directly connecting to Tomcat and the connectivity works w/o any SSL handshake errors. Hence, I'm suspecting IHS and will try adding the same TLS 1.2 ciphers that Tomcat/Java supports.
>
> Thank you,
> Vamsi Gali
>
>
> -----Original Message-----
> From: Igor Cicimov [mailto:[hidden email]]
> Sent: Wednesday, October 11, 2017 7:33 PM
> To: Tomcat Users List
> Subject: Re: FW: [error] SSL0266E: Handshake Failed, Could not establish SSL proxy connection
>
> On Thu, Oct 12, 2017 at 9:17 AM, Igor Cicimov <[hidden email]> wrote:
>
>> On 12 Oct 2017 8:25 am, "Gali, Vamsi A"
>> <[hidden email]>
>> wrote:
>>
>> The debug log produced the following, and it's evident that the handshake is
>> failing due to no cipher suites in common.
>>
>> Allow unsafe renegotiation: false
>> Allow legacy hello messages: true
>> Is initial handshake: true
>> Is secure renegotiation: false
>> http-bio-xxxx-Acceptor-0, setSoTimeout(60000) called
>> Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
>> for TLSv1
>> Ignoring unsupported cipher suite:
>> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
>> for TLSv1
>> Ignoring unsupported cipher suite:
>> TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
>> for TLSv1
>> Ignoring unsupported cipher suite:
>> TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
>> for TLSv1
>> Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
>> for TLSv1
>> Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
>> for TLSv1
>> Ignoring unsupported cipher suite:
>> TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
>> for TLSv1.1
>> Ignoring unsupported cipher suite:
>> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
>> for TLSv1.1
>> Ignoring unsupported cipher suite:
>> TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
>> for TLSv1.1
>> Ignoring unsupported cipher suite:
>> TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
>> for TLSv1.1
>> Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
>> for TLSv1.1
>> Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
>> for TLSv1.1
>> http-bio-xxxx-exec-2, READ: TLSv1.2 Handshake, length = 57
>> *** ClientHello, TLSv1.2
>> RandomCookie:  GMT: -2042962343 bytes = { 199, 95,
>> 13, 144, 113, 194, 145, 53, 176, 117, 165, 93, 196, 76, 17, 104, 214,
>> 95, 96, 238, 97, 6, 240, 239, 53, 188, 180, 41 }
>> Session ID:  {}
>> Cipher Suites: [TLS_EMPTY_RENEGOTIATION_INFO_SCSV, Unknown 0x56:0x0,
>> SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA,
>> TLS_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA,
>> SSL_RSA_WITH_RC4_128_MD5]
>> Compression Methods:  { 0 }
>> ***
>> %% Initialized:  [Session-13, SSL_NULL_WITH_NULL_NULL]
>> %% Invalidated:  [Session-13, SSL_NULL_WITH_NULL_NULL]
>> http-bio-xxxx-exec-2, SEND TLSv1.2 ALERT:  fatal, description = handshake_failure
>> http-bio-xxxx-exec-2, WRITE: TLSv1.2 Alert, length = 2
>> http-bio-xxxx-exec-2, called closeSocket()
>>
>>
>>
>> http-bio-xxxx-exec-2, handling exception: javax.net.ssl.SSLHandshakeException:
>> no cipher suites in common
>> http-bio-xxxx-exec-2, IOException in getSession():
>> javax.net.ssl.SSLHandshakeException: no cipher suites in common
>>
>>
>> There you go, no comment needed.
>>
> Also, since you are using JSSE in your tomcat connector, you never
> mentioned the Java version you are using? From the logs it looks like IHS offers TLSv1.2 ciphers but tomcat does not support them, so maybe you are running an outdated version of Java, maybe 1.6?
>
> There are some tools out there you can use to find the default SSL/TLS cipher suites that the JVM will use (and I think I've seen one from Christopher Schultz). The tool should provide you with output like this:
>
> $ java Ciphers
> Default    Cipher
>       SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
> *    SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
>       SSL_DHE_DSS_WITH_DES_CBC_SHA
>       SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
> *    SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
>       SSL_DHE_RSA_WITH_DES_CBC_SHA
>       SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA
>       SSL_DH_anon_WITH_3DES_EDE_CBC_SHA
>       SSL_DH_anon_WITH_DES_CBC_SHA
>       SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
> *    SSL_RSA_WITH_3DES_EDE_CBC_SHA
>       SSL_RSA_WITH_DES_CBC_SHA
>       SSL_RSA_WITH_NULL_MD5
>       SSL_RSA_WITH_NULL_SHA
> *    TLS_DHE_DSS_WITH_AES_128_CBC_SHA
> *    TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
> *    TLS_DHE_DSS_WITH_AES_128_GCM_SHA256
> *    TLS_DHE_RSA_WITH_AES_128_CBC_SHA
> *    TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
> *    TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
>       TLS_DH_anon_WITH_AES_128_CBC_SHA
>       TLS_DH_anon_WITH_AES_128_CBC_SHA256
>       TLS_DH_anon_WITH_AES_128_GCM_SHA256
> ...
>
> then pick one of the supported default ciphers (marked with a star) and use it in IHS (as it is or translated in the IHS way, no idea about that) so you get a match. I know nothing about IHS so can't help there.
>
> If that doesn't work then I would say IHS does some funky stuff with the cipher suites in a way that tomcat can't understand them.
>
> Igor
>
>

RE: FW: [error] SSL0266E: Handshake Failed, Could not establish SSL proxy connection

Gali, Vamsi A
:)
IHS is IBM HTTP Server.

Thank you,


-----Original Message-----
From: André Warnier (tomcat) [mailto:[hidden email]]
Sent: Thursday, October 12, 2017 9:32 AM
To: [hidden email]
Subject: Re: FW: [error] SSL0266E: Handshake Failed, Could not establish SSL proxy connection

And for the rest of us dummies trying to follow this conversation, what might "IHS" be ?
Whatever Google returns doesn't seem really relevant.

On 12.10.2017 15:25, Gali, Vamsi A wrote:

> Igor,
> Thank you for suggesting that I turn on the SSL debug. We are using Java 1.8, which by default uses TLS 1.2. It looks like both IHS & Tomcat are using TLS 1.2 but there is a cipher mismatch. We have Tam directly connecting to Tomcat and the connectivity works w/o any SSL handshake errors. Hence, I'm suspecting IHS and will try adding the same TLS 1.2 ciphers that Tomcat/Java supports.
>
> Thank you,
> Vamsi Gali
>
>
> -----Original Message-----
> From: Igor Cicimov [mailto:[hidden email]]
> Sent: Wednesday, October 11, 2017 7:33 PM
> To: Tomcat Users List
> Subject: Re: FW: [error] SSL0266E: Handshake Failed, Could not
> establish SSL proxy connection
>
> On Thu, Oct 12, 2017 at 9:17 AM, Igor Cicimov <[hidden email]> wrote:
>
>> On 12 Oct 2017 8:25 am, "Gali, Vamsi A"
>> <[hidden email]>
>> wrote:
>>
>> The debug log produced the following, and it's evident that the handshake is
>> failing due to no cipher suites in common.
>>
>> Allow unsafe renegotiation: false
>> Allow legacy hello messages: true
>> Is initial handshake: true
>> Is secure renegotiation: false
>> http-bio-xxxx-Acceptor-0, setSoTimeout(60000) called
>> Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
>> for TLSv1
>> Ignoring unsupported cipher suite:
>> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
>> for TLSv1
>> Ignoring unsupported cipher suite:
>> TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
>> for TLSv1
>> Ignoring unsupported cipher suite:
>> TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
>> for TLSv1
>> Ignoring unsupported cipher suite:
>> TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
>> for TLSv1
>> Ignoring unsupported cipher suite:
>> TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
>> for TLSv1
>> Ignoring unsupported cipher suite:
>> TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
>> for TLSv1.1
>> Ignoring unsupported cipher suite:
>> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
>> for TLSv1.1
>> Ignoring unsupported cipher suite:
>> TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
>> for TLSv1.1
>> Ignoring unsupported cipher suite:
>> TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
>> for TLSv1.1
>> Ignoring unsupported cipher suite:
>> TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
>> for TLSv1.1
>> Ignoring unsupported cipher suite:
>> TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
>> for TLSv1.1
>> http-bio-xxxx-exec-2, READ: TLSv1.2 Handshake, length = 57
>> *** ClientHello, TLSv1.2
>> RandomCookie:  GMT: -2042962343 bytes = { 199, 95,
>> 13, 144, 113, 194, 145, 53, 176, 117, 165, 93, 196, 76, 17, 104, 214,
>> 95, 96, 238, 97, 6, 240, 239, 53, 188, 180, 41 }
>> Session ID:  {}
>> Cipher Suites: [TLS_EMPTY_RENEGOTIATION_INFO_SCSV, Unknown 0x56:0x0,
>> SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA,
>> TLS_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA,
>> SSL_RSA_WITH_RC4_128_MD5]
>> Compression Methods:  { 0 }
>> ***
>> %% Initialized:  [Session-13, SSL_NULL_WITH_NULL_NULL]
>> %% Invalidated:  [Session-13, SSL_NULL_WITH_NULL_NULL]
>> http-bio-xxxx-exec-2, SEND TLSv1.2 ALERT:  fatal, description = handshake_failure
>> http-bio-xxxx-exec-2, WRITE: TLSv1.2 Alert, length = 2
>> http-bio-xxxx-exec-2, called closeSocket()
>>
>>
>>
>> http-bio-xxxx-exec-2, handling exception: javax.net.ssl.SSLHandshakeException:
>> no cipher suites in common
>> http-bio-xxxx-exec-2, IOException in getSession():
>> javax.net.ssl.SSLHandshakeException: no cipher suites in common
>>
>>
>> There you go, no comment needed.
>>
> Also, since you are using JSSE in your tomcat connector, you never
> mentioned the Java version you are using? From the logs it looks like IHS offers TLSv1.2 ciphers but tomcat does not support them, so maybe you are running an outdated version of Java, maybe 1.6?
>
> There are some tools out there you can use to find the default SSL/TLS cipher suites that the JVM will use (and I think I've seen one from Christopher Schultz). The tool should provide you with output like this:
>
> $ java Ciphers
> Default    Cipher
>       SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
> *    SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
>       SSL_DHE_DSS_WITH_DES_CBC_SHA
>       SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
> *    SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
>       SSL_DHE_RSA_WITH_DES_CBC_SHA
>       SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA
>       SSL_DH_anon_WITH_3DES_EDE_CBC_SHA
>       SSL_DH_anon_WITH_DES_CBC_SHA
>       SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
> *    SSL_RSA_WITH_3DES_EDE_CBC_SHA
>       SSL_RSA_WITH_DES_CBC_SHA
>       SSL_RSA_WITH_NULL_MD5
>       SSL_RSA_WITH_NULL_SHA
> *    TLS_DHE_DSS_WITH_AES_128_CBC_SHA
> *    TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
> *    TLS_DHE_DSS_WITH_AES_128_GCM_SHA256
> *    TLS_DHE_RSA_WITH_AES_128_CBC_SHA
> *    TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
> *    TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
>       TLS_DH_anon_WITH_AES_128_CBC_SHA
>       TLS_DH_anon_WITH_AES_128_CBC_SHA256
>       TLS_DH_anon_WITH_AES_128_GCM_SHA256
> ...
>
> then pick one of the supported default ciphers (marked with a star) and use it in IHS (as it is or translated in the IHS way, no idea about that) so you get a match. I know nothing about IHS so can't help there.
>
> If that doesn't work then I would say IHS does some funky stuff with the cipher suites in a way that tomcat can't understand them.
>
> Igor
>
>
> This communication may contain privileged and/or confidential information. It is intended solely for the use of the addressee. If you are not the intended recipient, you are strictly prohibited from disclosing, copying, distributing or using any of this information. If you received this communication in error, please contact the sender immediately and destroy the material in its entirety, whether electronic or hard copy. This communication may contain nonpublic personal information about consumers subject to the restrictions of the Gramm-Leach-Bliley Act. You may not directly or indirectly reuse or redisclose such information for any purpose other than to provide the services for which you are receiving the information.
>
> 127 Public Square, Cleveland, OH 44114 If you prefer not to receive
> future e-mail offers for products or services from Key send an e-mail
> to mailto:[hidden email] with 'No Promotional E-mails' in the
> SUBJECT line.
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [hidden email]
> For additional commands, e-mail: [hidden email]
>



Re: FW: [error] SSL0266E: Handshake Failed, Could not establish SSL proxy connection

André Warnier (tomcat)
On 12.10.2017 15:33, Gali, Vamsi A wrote:
> :)
> IHS is IBM HTTP Server.
>
> Thank you,

Thank you too. I feel a lot less like a dummy now.
And after reading a bit on "IHS" now, it would seem that this is at least 90% Apache httpd
2.2, which may make it clearer to other people that maybe they could help too.

>
>
> -----Original Message-----
> From: André Warnier (tomcat) [mailto:[hidden email]]
> Sent: Thursday, October 12, 2017 9:32 AM
> To: [hidden email]
> Subject: Re: FW: [error] SSL0266E: Handshake Failed, Could not establish SSL proxy connection
>
> And for the rest of us dummies trying to follow this conversation, what might "IHS" be ?
> Whatever Google returns doesn't seem really relevant.
>
> On 12.10.2017 15:25, Gali, Vamsi A wrote:
>> Igor,
>> Thank you for suggesting that I turn on the SSL debug. We are using Java 1.8, which by default uses TLS1.2. Looks like both IHS & Tomcat are using TLS1.2 but there is a cipher mismatch. We have Tam directly connecting to Tomcat and the connectivity works w/o any SSL handshake errors. Hence, I'm suspecting IHS and will try adding the same TLS1.2 ciphers that Tomcat/Java supports.
>>
>> Thank you,
>> Vamsi Gali
>>
>>

RE: FW: [error] SSL0266E: Handshake Failed, Could not establish SSL proxy connection

Gali, Vamsi A
This issue is now RESOLVED.

On IHS (IBM HTTP Server, IBM's version of the Apache web server), we only had 2 TLS ciphers, which are not compatible with Tomcat TLSv1.2. So I added "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256" to the IHS httpd.conf after looking at this: https://www.ibm.com/support/knowledgecenter/en/SSEQTJ_8.5.5/com.ibm.websphere.ihs.doc/ihs/rihs_ciphspec.html and now IHS can communicate with Tomcat w/o any issues. Woohoo!

The reason I picked the above cipher is that it's on the list of ciphers Tomcat's JVM supports.

Igor, I couldn't use one of the Java-based cipher tools, so I used a small script to get a list of ciphers available for a JVM (this can be used for any Linux server as long as openssl is available):

#!/bin/sh
# Attempt one TLS 1.2 handshake per OpenSSL cipher name against SERVERNAME:https_port
# and print the names the server accepts. Replace SERVERNAME:https_port with the
# Tomcat host and HTTPS port before running.
for v in tls1_2; do
  for c in $(openssl ciphers 'ALL:eNULL' | tr ':' ' '); do
    openssl s_client -connect SERVERNAME:https_port \
      -cipher "$c" -"$v" < /dev/null > /dev/null 2>&1 && printf '%s:\t%s\n' "$v" "$c"
  done
done

I executed the above script to find out the list of ciphers on Tomcat's JVM, and based on that I chose to use TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 on IHS.

I appreciate all the help in finding the true issue!

Thank you,
Vamsi Gali



Re: FW: [error] SSL0266E: Handshake Failed, Could not establish SSL proxy connection

Christopher Schultz-2

Vamsi,

On 10/12/17 11:06 AM, Gali, Vamsi A wrote:
> This issue is now RESOLVED.

Great.

> On IHS (IBM HTTP Server, IBM version of Apache Webserver), we only
> had 2 TLS ciphers that are no compatible with Tomcat TLV1.2. So I
> added '' TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256" to IHS httpd.conf
> by looking at this:
> https://www.ibm.com/support/knowledgecenter/en/SSEQTJ_8.5.5/com.ibm.websphere.ihs.doc/ihs/rihs_ciphspec.html
> and IHS can communicate with Tomcat W/O any issues. Woohoo!
>
> The reason I picked the above cipher is because it's one the list
> of ciphers tomcat's JVM supports.

I would recommend that you configure IHS to support *multiple* cipher
suites instead of just the one. I would also recommend using GCM mode
instead of CBC mode if you can do so.

> Igor, I couldn't use one of the Java-based cipher tools, so I used a
> small script to get a list of ciphers available for a JVM (this can
> be used for any Linux server as long as openssl is available):
>
> #!/bin/sh
> for v in tls1_2; do
>   for c in $(openssl ciphers 'ALL:eNULL' | tr ':' ' '); do
>     openssl s_client -connect SERVERNAME:https_port \
>       -cipher $c -$v < /dev/null > /dev/null 2>&1 && echo -e "$v:\t$c"
>   done
> done

The output of the above command has absolutely nothing to do with the
cipher suites Java supports. In order to determine what Java supports,
you must use a Java-based tool.

(Unless you are using APR, but you are clearly using Java BIO.)

> I executed the above script to find out the list of ciphers on Tomcat's
> JVM, and based on that I chose to use
> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 on IHS.
>
> I appreciate all the help in finding the true issue!

Glad you got it done but it's clear there is still some confusion.

-chris

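Added example, not code from this thread or from any of its participants: the Java-based check that Igor's "java Ciphers" output and Chris's reply both point at. It asks the running JVM's JSSE provider which server-side cipher suites it implements and which are enabled by default (printed in the same starred format Igor showed), then intersects the enabled set with the suites the proxy offered. The built-in "offered" list is the five suites named in the ClientHello from the debug log quoted in this thread; the class name Ciphers mirrors Igor's output, and everything else is an assumption of this example.

```java
import java.util.Arrays;
import java.util.LinkedHashSet;
import java.util.Set;
import java.util.TreeSet;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLServerSocketFactory;

/**
 * Lists the cipher suites this JVM's JSSE provider can negotiate as a TLS
 * server, marks the ones enabled by default, and reports which of a client's
 * offered suites the server could actually pick.
 *
 * Usage: java Ciphers [OFFERED_SUITE ...]
 * Run it with the same JVM binary (and the same java.security, including
 * jdk.tls.disabledAlgorithms) that Tomcat runs under; a different JVM gives a
 * different answer.
 */
public class Ciphers {

    /** Suites enabled by default for a server socket in this JVM. */
    public static Set<String> defaultSuites() throws Exception {
        SSLServerSocketFactory f = SSLContext.getDefault().getServerSocketFactory();
        return new TreeSet<>(Arrays.asList(f.getDefaultCipherSuites()));
    }

    /** Every suite the provider implements, whether enabled or not. */
    public static Set<String> supportedSuites() throws Exception {
        SSLServerSocketFactory f = SSLContext.getDefault().getServerSocketFactory();
        return new TreeSet<>(Arrays.asList(f.getSupportedCipherSuites()));
    }

    /**
     * Suites a JSSE server could select from a client's offer: offered AND
     * enabled. The result keeps the client's order, which is the order JSSE
     * walks unless server-side preference ordering has been turned on.
     */
    public static Set<String> negotiable(Set<String> enabled, Iterable<String> offered) {
        Set<String> common = new LinkedHashSet<>();
        for (String suite : offered) {
            if (enabled.contains(suite)) {
                common.add(suite);
            }
        }
        return common;
    }

    public static void main(String[] args) throws Exception {
        Set<String> enabled = defaultSuites();

        // Same layout as the "java Ciphers" listing quoted in the thread.
        System.out.println("Default    Cipher");
        for (String suite : supportedSuites()) {
            System.out.printf("%s    %s%n", enabled.contains(suite) ? "*" : " ", suite);
        }

        // Suites the proxy offered. With no arguments this is the ClientHello
        // list from the -Djavax.net.debug output quoted in this thread; pass
        // suite names on the command line to test a different offer.
        String[] offered = args.length > 0 ? args : new String[] {
            "SSL_RSA_WITH_RC4_128_SHA",
            "TLS_RSA_WITH_AES_128_CBC_SHA",
            "TLS_RSA_WITH_AES_256_CBC_SHA",
            "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
            "SSL_RSA_WITH_RC4_128_MD5",
        };

        Set<String> common = negotiable(enabled, Arrays.asList(offered));
        System.out.println();
        if (common.isEmpty()) {
            // This is the condition behind "no cipher suites in common":
            // JSSE answers with a fatal handshake_failure alert.
            System.out.println("No offered suite is enabled in this JVM: expect handshake_failure.");
            System.exit(1);
        }
        System.out.println("Negotiable suites (client order): " + common);
    }
}
```

Run it as the Tomcat user with Tomcat's own java, for example `$JAVA_HOME/bin/java Ciphers TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256`, to check a candidate IHS cipher list before changing httpd.conf. Two things this check cannot see: a `ciphers` attribute on the Tomcat Connector narrows the enabled list further, and a suite is only usable if the keystore holds a key of the matching type (an ECDHE_RSA suite needs an RSA certificate). Where the JVM enables them, preferring the GCM suites over the CBC one, as Chris suggests, keeps the same key type and removes the CBC padding-oracle class of problems.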