On 11 Oct 2017 1:50 am, "Gali, Vamsi A" <vamsi_a_g...@keybank.com.invalid>
wrote:

Hello,

Any help is appreciated on this issue.

Thank you,
Vamsi Gali


-----Original Message-----
From: Gali, Vamsi A
Sent: Thursday, October 05, 2017 12:03 PM
To: 'Tomcat Users List'
Subject: RE: [error] SSL0266E: Handshake Failed, Could not establish SSL
proxy connection

Hello,
I just realized that I didn’t provide the environment info & following are
the details:

Tomcat:  apache-tomcat-7.0.75
IHS: IHS v8.5.5.x
OS: RHEL

We have IHS→mod_proxy(on IHS) → Tomcat.
I know that IHS isn’t the suggested webserver to use with Tomcat but it’s
in use.
[error] SSL0266E: Handshake Failed, Could not establish SSL proxy connection

When Tomcat is accessed through webserver url, it throws ‘500’ with the
following stack on the IHS Error log:

[Thu Oct 00 09:20:20 2017] [debug] proxy_util.c(2313): proxy: HTTPS: fam 2 socket created to connect to TOMCAT2
[Thu Oct 00 09:20:20 2017] [debug] proxy_util.c(2419): proxy: HTTPS: connection complete to  TOMCAT-IP:PORT (TOMCAT2)
[Thu Oct 00 09:20:20 2017] [error] SSL0266E: Handshake Failed, Could not establish SSL proxy connection.
[Thu Oct 00 09:20:20 2017] [info] [client TOMCAT-IP] [7fa404014a60] [13789] SSL0240I: SSL Handshake Failed, Socket has been closed. Client sent fatal alert [level 2 (fatal), description 40 (handshake_failure)] [TOMCAT-IP:PORT -> IHS:PORT] [09:20:20.000967434] 0ms
[Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP] [7fa404014a60] Handshake transcript:
[Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]  <client_hello>
[Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]  client_version
[Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]   gsksslDissector_8Bits
[Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]    03
[Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]   gsksslDissector_8Bits
[Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]    03
[Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]  TLSV12
[Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]  random
[Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]   gsksslDissector_32Bits
[Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]    9xxxxxx
[Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]   gsksslDissector_Opaque
[Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]    Length: 28
[Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]    1x 62 xx B3 1F 44 xx 8E D2 xx x7 17 xx 59 x9 x9     .b...D...)...Y..
[Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]    x1 91 19 08 25 xx DC xx E1 xx 20 xx                 ....%..o.9 x
[Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]  session_id
[Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]  Length: 00
[Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]  cipher_suites
[Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]  Length: 14
[Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]  0x Fx x6 00 00 xx 00 xx 00 xx 00 xx 00 xx           ..V..../.5....
[Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]  tls_ri_scsv,tls_fallback_scsv,tls_rsa_with_rc4_128_sha,tls_rsa_with_aes_128_cbc_sha,tls_rsa_with_aes_256_cbc_sha,tls_rsa_with_3des_ede_cbc_sha,tls_rsa_with_rc4_128_md5
[Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]  compression_methods
[Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]  Length: 01
[Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]  00                                 .
[Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]  Extensions
[Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]  Length: 00
[Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]   Extension Count: 0
[Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP] end handshake transcript
[Thu Oct 00 09:20:20 2017] [debug] proxy_util.c(2442): proxy: HTTPS: pre_connection setup failed (500)
[Thu Oct 00 09:20:20 2017] [debug] proxy_util.c(2022): proxy: HTTPS: has released connection for TOMCAT2
------------------------------------------------------------
What’s done: IHS & Tomcat keystores contain required signers for proper
communication. During the troubleshooting, I even added IHS server cert as
a signer into Tomcat keystore and vice-versa but cannot get rid of this
error.
Also, tried restricting both IHS & Tomcat to use TLSv1 but no success.

Has anyone run into similar issues? Or ever tried Tomcat with IHS using
the mod_proxy module?


Thank you,
Vamsi Gali



Well, what does the Tomcat log say? You can add the Java debug SSL option to
JAVA_OPTS in the default Tomcat config file; maybe it will give you a clue.
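
Added example, not part of the thread: a parser for the ClientHello transcript quoted above that lists the cipher suites IHS offered, flags the RC4, 3DES and MD5 ones, and intersects them with a backend's enabled list. BACKEND_ENABLED is a hypothetical, constructed list (the thread does not say what the Tomcat connector enables), and the function names are this example's own.

```python
import re

# Constructed sample: the cipher-suite part of the IHS debug transcript
# quoted in the thread, one log entry per line.
SAMPLE_LOG = """\
[Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]  cipher_suites
[Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]  tls_ri_scsv,tls_fallback_scsv,tls_rsa_with_rc4_128_sha,tls_rsa_with_aes_128_cbc_sha,tls_rsa_with_aes_256_cbc_sha,tls_rsa_with_3des_ede_cbc_sha,tls_rsa_with_rc4_128_md5
[Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]  compression_methods
"""

# Hypothetical backend list (an assumption, not from the thread): what a
# connector restricted to ECDHE suites would accept.
BACKEND_ENABLED = [
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
]

PREFIX = re.compile(r"^\[[^\]]*\] \[debug\] \[client\s+[^\]]*\]\s*")
WEAK_MARKERS = ("RC4", "3DES", "MD5")


def normalise(name):
    """Upper-case and drop the TLS_/SSL_ prefix so GSKit and JSSE names compare."""
    return re.sub(r"^(TLS|SSL)_", "", name.strip().upper())


def offered_suites(log_text):
    """Return the suites named in the ClientHello, without SCSV signalling values."""
    for line in log_text.splitlines():
        body = PREFIX.sub("", line)
        if "_with_" in body and "," in body:
            names = [normalise(n) for n in body.split(",")]
            return [n for n in names if not n.endswith("_SCSV")]
    return []


def analyse(log_text, backend_enabled):
    """Summarise offered, weak and mutually supported suites."""
    offered = offered_suites(log_text)
    enabled = {normalise(n) for n in backend_enabled}
    return {
        "offered": offered,
        "weak": [s for s in offered if any(m in s for m in WEAK_MARKERS)],
        "common": [s for s in offered if s in enabled],
    }


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_LOG, BACKEND_ENABLED).items():
        print(f"{key}: {value}")
```

An empty "common" list is one condition under which a server answers a ClientHello with a handshake_failure alert; the real enabled list has to come from the Tomcat connector configuration or its SSL debug output.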
