I see what Igor has suggested and I will be reproducing the issue by adding '-Djavax.net.debug=ssl' to setenv.sh's JAVA_OPTS. Thank you!
Thank you, Vamsi Gali -----Original Message----- From: Mark Thomas [mailto:ma...@apache.org] Sent: Wednesday, October 11, 2017 10:44 AM To: users@tomcat.apache.org Subject: Re: FW: [error] SSL0266E: Handshake Failed, Could not establish SSL proxy connection On 11/10/2017 14:05, Gali, Vamsi A wrote: > Igor, > > Thank you for the response! > > Since the request is failing at SSL handshake, Tomcat doesn’t even record > anything not even the access log. I tried enabling debug at tomcat but > nothing is captured during the request initiation. Re-read the suggestion. You need to enable the JRE provided SSL debugging, not Tomcat debug logging. Check your JVM docs for you to do that. Marjk > > Thank you, > Vamsi Gali > > -----Original Message----- > From: Igor Cicimov [mailto:icici...@gmail.com] > Sent: Wednesday, October 11, 2017 4:09 AM > To: Tomcat Users List > Subject: Re: FW: [error] SSL0266E: Handshake Failed, Could not > establish SSL proxy connection > > On 11 Oct 2017 1:50 am, "Gali, Vamsi A" > <vamsi_a_g...@keybank.com.invalid> > wrote: > > Hello, > > Any help is appreciated on this issue. > > Thank you, > Vamsi Gali > > > -----Original Message----- > From: Gali, Vamsi A > Sent: Thursday, October 05, 2017 12:03 PM > To: 'Tomcat Users List' > Subject: RE: [error] SSL0266E: Handshake Failed, Could not establish > SSL proxy connection > > Hello, > I just realized that I didn’t provide the environment info & following are > the details: > > Tomcat: apache-tomcat-7.0.75 > IHS: HIS v8.5.5.x > OS: RHEL > > We have IHS→mod_proxy(on IHS) → Tomcat. > I know that IHS isn’t the suggested webserver to use with Tomcat but it’s in > use. > [error] SSL0266E: Handshake Failed, Could not establish SSL proxy > connection > > When Tomcat is accessed through webserver url, it throws ‘500’ with the > following stack on the IHS Error log: > > [Thu Oct 00 09:20:20 2017] [debug] proxy_util.c(2313): proxy: HTTPS: > fam 2 socket created to connect to TOMCAT2 [Thu Oct 00 09:20:20 2017] > [debug] > proxy_util.c(2419): proxy: HTTPS: connection complete to > TOMCAT-IP:PORT > (TOMCAT2) [Thu Oct 00 09:20:20 2017] [error] SSL0266E: Handshake Failed, > Could not establish SSL proxy connection. > [Thu Oct 00 09:20:20 2017] [info] [client TOMCAT-IP] [7fa404014a60] > [13789] > SSL0240I: SSL Handshake Failed, Socket has been closed. Client sent fatal > alert [level 2 (fatal), description 40 (handshake_failure)] [TOMCAT-IP:PORT > -> IHS:PORT] [09:20:20.000967434] 0ms [Thu Oct 00 09:20:20 2017] [debug] > [client TOMCAT-IP] [7fa404014a60] Handshake transcript: > [Thu Oct 00 09:20:20 2017] [debug] [client TOMCAT-IP] <client_hello> [Thu > Oct 00 09:20:20 2017] [debug] [client TOMCAT-IP] client_version [Thu Oct 00 > 09:20:20 2017] [debug] [client TOMCAT-IP] gsksslDissector_8Bits > [Thu Oct 00 09:20:20 2017] [debug] [client TOMCAT-IP] 03 > [Thu Oct 00 09:20:20 2017] [debug] [client TOMCAT-IP] gsksslDissector_8Bits > [Thu Oct 00 09:20:20 2017] [debug] [client TOMCAT-IP] 03 > [Thu Oct 00 09:20:20 2017] [debug] [client TOMCAT-IP] TLSV12 [Thu > Oct 00 > 09:20:20 2017] [debug] [client TOMCAT-IP] random [Thu Oct 00 09:20:20 2017] > [debug] [client TOMCAT-IP] gsksslDissector_32Bits > [Thu Oct 00 09:20:20 2017] [debug] [client TOMCAT-IP] 9xxxxxx > [Thu Oct 00 09:20:20 2017] [debug] [client TOMCAT-IP] gsksslDissector_Opaque > [Thu Oct 00 09:20:20 2017] [debug] [client TOMCAT-IP] Length: 28 > [Thu Oct 00 09:20:20 2017] [debug] [client TOMCAT-IP] 1x 62 xx B3 1F 44 > xx 8E D2 xx x7 17 xx 59 x9 x9 .b...D...)...Y.. > [Thu Oct 00 09:20:20 2017] [debug] [client TOMCAT-IP] x1 91 19 08 25 xx > DC xx E1 xx 20 xx ....%..o.9 x > [Thu Oct 00 09:20:20 2017] [debug] [client TOMCAT-IP] session_id > [Thu Oct > 00 09:20:20 2017] [debug] [client TOMCAT-IP] Length: 00 [Thu Oct 00 > 09:20:20 2017] [debug] [client TOMCAT-IP] cipher_suites [Thu Oct 00 > 09:20:20 2017] [debug] [client TOMCAT-IP] Length: 14 [Thu Oct 00 09:20:20 > 2017] [debug] [client TOMCAT-IP] 0x Fx x6 00 00 xx > 00 xx 00 xx 00 xx 00 xx ..V..../.5.... > [Thu Oct 00 09:20:20 2017] [debug] [client TOMCAT-IP] > tls_ri_scsv,tls_fallback_scsv,tls_rsa_with_rc4_128_sha,tls_ > rsa_with_aes_128_cbc_sha,tls_rsa_with_aes_256_cbc_sha,tls_ > rsa_with_3des_ede_cbc_sha,tls_rsa_with_rc4_128_md5 > [Thu Oct 00 09:20:20 2017] [debug] [client TOMCAT-IP] compression_methods > [Thu Oct 00 09:20:20 2017] [debug] [client TOMCAT-IP] Length: 01 [Thu Oct > 00 09:20:20 2017] [debug] [client TOMCAT-IP] 00 > . > [Thu Oct 00 09:20:20 2017] [debug] [client TOMCAT-IP] Extensions > [Thu Oct > 00 09:20:20 2017] [debug] [client TOMCAT-IP] Length: 00 > [Thu Oct 00 09:20:20 2017] [debug] [client TOMCAT-IP] Extension Count: 0 > [Thu Oct 00 09:20:20 2017] [debug] [client TOMCAT-IP] end handshake > transcript [Thu Oct 00 09:20:20 2017] [debug] proxy_util.c(2442): proxy: > HTTPS: pre_connection setup failed (500) [Thu Oct 00 09:20:20 2017] > [debug] > proxy_util.c(2022): proxy: HTTPS: has released connection for TOMCAT2 > ------------------------------------------------------------ > ------------------------------------------------------------ > -------------------------- > What’s done: IHS & Tomcat keystores contain required signers for proper > communication. During the troubleshooting, I even added IHS server cert as a > signer into Tomcat keystore and vice-versa but cannot get rid of this error. > Also, tried restricting both IHS & Tomcat to use TLSv1 but no success. > > Has anyone ran into similar issues? Or ever tried Tomcat with IHS using > mod_proxy module? > > > Thank you, > Vamsi Gali > > > This communication may contain privileged and/or confidential information. > It is intended solely for the use of the addressee. If you are not the > intended recipient, you are strictly prohibited from disclosing, copying, > distributing or using any of this information. If you received this > communication in error, please contact the sender immediately and destroy the > material in its entirety, whether electronic or hard copy. This communication > may contain nonpublic personal information about consumers subject to the > restrictions of the Gramm-Leach-Bliley Act. You may not directly or > indirectly reuse or redisclose such information for any purpose other than to > provide the services for which you are receiving the information. > > 127 Public Square, Cleveland, OH 44114 If you prefer not to receive > future e-mail offers for products or services from Key send an e-mail to > mailto:dnereque...@key.com with 'No Promotional E-mails' > in the > SUBJECT line. > > > --------------------------------------------------------------------- > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > For additional commands, e-mail: users-h...@tomcat.apache.org > > Well what does tomcat log say? You can add java debug ssl option to JAVA_OPTS > in the default tomcat config file maybe it will give you a clue. > > --------------------------------------------------------------------- > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > For additional commands, e-mail: users-h...@tomcat.apache.org > --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
