Igor, Thank you for suggesting me to turn on the ssl dubug. We are using Java 1.8 which by default uses TLS1.2. Looks like both IHS & Tomcat are using tls1.2 but there is a cipher mismatch. We have Tam directly connecting to Tomcat and the connectivity works w/o any SSL handshake errors. Hence, I'm suspecting IHS and will be trying by adding same tls1.2 ciphers that Tomcat/java supports.
Thank you, Vamsi Gali -----Original Message----- From: Igor Cicimov [mailto:icici...@gmail.com] Sent: Wednesday, October 11, 2017 7:33 PM To: Tomcat Users List Subject: Re: FW: [error] SSL0266E: Handshake Failed, Could not establish SSL proxy connection On Thu, Oct 12, 2017 at 9:17 AM, Igor Cicimov <icici...@gmail.com> wrote: > On 12 Oct 2017 8:25 am, "Gali, Vamsi A" > <vamsi_a_g...@keybank.com.invalid> > wrote: > > The debug log produced following & it's evident that handshake is > failing due to no ciphers suites in common. > > Allow unsafe renegotiation: false > Allow legacy hello messages: true > Is initial handshake: true > Is secure renegotiation: false > http-bio-xxxx-Acceptor-0, setSoTimeout(60000) called Ignoring > unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 > for TLSv1 > Ignoring unsupported cipher suite: > TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 > for TLSv1 > Ignoring unsupported cipher suite: > TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 > for TLSv1 > Ignoring unsupported cipher suite: > TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 > for TLSv1 > Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 > for TLSv1 > Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 > for TLSv1 > Ignoring unsupported cipher suite: > TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 > for TLSv1.1 > Ignoring unsupported cipher suite: > TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 > for TLSv1.1 > Ignoring unsupported cipher suite: > TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 > for TLSv1.1 > Ignoring unsupported cipher suite: > TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 > for TLSv1.1 > Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 > for TLSv1.1 > Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 > for TLSv1.1 > http-bio-xxxx-exec-2, READ: TLSv1.2 Handshake, length = 57 > *** ClientHello, TLSv1.2 > RandomCookie: GMT: -2042962343 <(204)%20296-2343> bytes = { 199, 95, > 13, 144, 113, 194, 145, 53, 176, 117, 165, 93, 196, 76, 17, 104, 214, > 95, 96, 238, 97, 6, 240, 239, 53, 188, 180, 41 } Session ID: {} > Cipher Suites: [TLS_EMPTY_RENEGOTIATION_INFO_SCSV, Unknown 0x56:0x0, > SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, > TLS_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, > SSL_RSA_WITH_RC4_128_MD5] Compression Methods: { 0 } > *** > %% Initialized: [Session-13, SSL_NULL_WITH_NULL_NULL] %% Invalidated: > [Session-13, SSL_NULL_WITH_NULL_NULL] http-bio-xxxx-exec-2, SEND > TLSv1.2 ALERT: fatal, description = handshake_failure > http-bio-xxxx-exec-2, WRITE: TLSv1.2 Alert, length = 2 > http-bio-xxxx-exec-2, called closeSocket() > > > > http-bio-xxxx-exec-2, handling exception: javax.net.ssl.SSLHandshakeException: > no cipher suites in common > http-bio-xxxx-exec-2, IOException in getSession(): > javax.net.ssl.SSLHandshakeException: no cipher suites in common > > > There you go, no comment needed. > > Also, since you are using JSSE in your tomcat connector, you never mentioned the Java version you are using? From the logs looks like IHS offers TLSv1.2 ciphers but tomcat does not support them so maybe you are running an outdated version of Java, maybe 1.6? There some tools out there you can use to find the default SSL/TLS cipher suits that JVM will use (and I think I've seen one from Christopher Schultz). The tool should provide you with output like this: $ java Ciphers Default Cipher SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA * SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA SSL_DHE_DSS_WITH_DES_CBC_SHA SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA * SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA SSL_DHE_RSA_WITH_DES_CBC_SHA SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA SSL_DH_anon_WITH_3DES_EDE_CBC_SHA SSL_DH_anon_WITH_DES_CBC_SHA SSL_RSA_EXPORT_WITH_DES40_CBC_SHA * SSL_RSA_WITH_3DES_EDE_CBC_SHA SSL_RSA_WITH_DES_CBC_SHA SSL_RSA_WITH_NULL_MD5 SSL_RSA_WITH_NULL_SHA * TLS_DHE_DSS_WITH_AES_128_CBC_SHA * TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 * TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 * TLS_DHE_RSA_WITH_AES_128_CBC_SHA * TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 * TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 TLS_DH_anon_WITH_AES_128_CBC_SHA TLS_DH_anon_WITH_AES_128_CBC_SHA256 TLS_DH_anon_WITH_AES_128_GCM_SHA256 ... then pick up one of the supported default ciphers (marked with star) and use it in IHS (as it is or translated in IHS way, no idea about that) so you get a match. I know nothing about IHS so can't help there. If that doesn't work then I would say IHS does some funky stuff with the cipher suites in a way that tomcat can't understand them. Igor This communication may contain privileged and/or confidential information. It is intended solely for the use of the addressee. If you are not the intended recipient, you are strictly prohibited from disclosing, copying, distributing or using any of this information. If you received this communication in error, please contact the sender immediately and destroy the material in its entirety, whether electronic or hard copy. This communication may contain nonpublic personal information about consumers subject to the restrictions of the Gramm-Leach-Bliley Act. You may not directly or indirectly reuse or redisclose such information for any purpose other than to provide the services for which you are receiving the information. 127 Public Square, Cleveland, OH 44114 If you prefer not to receive future e-mail offers for products or services from Key send an e-mail to mailto:dnereque...@key.com with 'No Promotional E-mails' in the SUBJECT line. --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
