On 3/4/2014 11:22 AM, Christopher Schultz wrote:

> Aah, sorry, I had missed that. So, the only change was Tomcat? No
> upgrade to mod_jk or anything like that? OpenSSL upgrade? Upgraded
> Java on the client? Everything else *absolutely* the same?

Exact same httpd, including mod_jk.  Same files.  Same directory. httpd was not
touched at all.

I just tried reverting to Tomcat 6 and the problem is still there, so it keeps
getting weirder.

> If you aren't using SSL at all in Tomcat, then Tomcat isn't likely to
> be the problem, here.

I'm thinking that now too.

> Can other command-line tools connect -- take the applet out of the
> picture? Try something like curl, wget, or even OpenSSL's s_client
> tool. s_client will give you lots of good information about the SSL
> connection state, too.

The applet is the only thing that's having the problem.  Everything
else works (and this is a massive app).

We've also seen the applet work for some people, all of whom were
using IE but not others who may be using IE, Firefox or Chrome.

We've played with TLS/SSL settings in IE and Firefox.  That can
change the error message but it still fails.

Again, it works fine when connecting directly to Apache httpd and
bypassing the load balancer.  We've been forced to open up direct
access to the ports for that so that our customers can print.  We
don't like that because we lose the advantages of load balancing
and the SSL load is now on our web servers instead of the expensive
dedicated hardware that's supposed to be doing that for us.

My current suspicion is that the load balancer hardware is going bad.

It has two server pools.  One is to cover customers in one hemisphere
(mostly Australia) and one for the other hemisphere (mostly US/GB/IE).
We only updated the servers in the pool for the eastern hemisphere to
Tomcat 7.  We have the two different pools so that we can have down time
during low activity periods.

It's just weird that it happened to start having this problem right
after we upgraded to Tomcat 7 and only on the pool that got upgraded
to Tomcat 7.

Rebooting the load balancer involves kicking everyone off of both
pools, which means that no matter when we do it, it will be during
some non-trivial number of customers' prime activity time.

We should have gotten completely different load balancers for each
pool.  Sigh.  Mr. CEO, can I please have $25,000-$50,000?


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
