And for the rest of us dummies trying to follow this conversation, what might 
"IHS" be?
Whatever Google returns doesn't seem really relevant.

On 12.10.2017 15:25, Gali, Vamsi A wrote:
Igor,
Thank you for suggesting that I turn on the ssl debug. We are using Java 1.8 which 
by default uses TLS1.2. Looks like both IHS & Tomcat are using tls1.2 but there 
is a cipher mismatch. We have Tam directly connecting to Tomcat and the 
connectivity works w/o any SSL handshake errors. Hence, I'm suspecting IHS and will 
be trying by adding the same tls1.2 ciphers that Tomcat/java supports.

Thank you,
Vamsi Gali


-----Original Message-----
From: Igor Cicimov [mailto:icici...@gmail.com]
Sent: Wednesday, October 11, 2017 7:33 PM
To: Tomcat Users List
Subject: Re: FW: [error] SSL0266E: Handshake Failed, Could not establish SSL 
proxy connection

On Thu, Oct 12, 2017 at 9:17 AM, Igor Cicimov <icici...@gmail.com> wrote:

On 12 Oct 2017 8:25 am, "Gali, Vamsi A"
<vamsi_a_g...@keybank.com.invalid>
wrote:

The debug log produced following & it's evident that handshake is
failing due to no ciphers suites in common.

Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
http-bio-xxxx-Acceptor-0, setSoTimeout(60000) called Ignoring
unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
for TLSv1
Ignoring unsupported cipher suite:
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
for TLSv1
Ignoring unsupported cipher suite:
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
for TLSv1
Ignoring unsupported cipher suite:
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
for TLSv1
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
for TLSv1
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
for TLSv1
Ignoring unsupported cipher suite:
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
for TLSv1.1
Ignoring unsupported cipher suite:
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
for TLSv1.1
Ignoring unsupported cipher suite:
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
for TLSv1.1
Ignoring unsupported cipher suite:
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
for TLSv1.1
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
for TLSv1.1
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
for TLSv1.1
http-bio-xxxx-exec-2, READ: TLSv1.2 Handshake, length = 57
*** ClientHello, TLSv1.2
RandomCookie:  GMT: -2042962343 bytes = { 199, 95,
13, 144, 113, 194, 145, 53, 176, 117, 165, 93, 196, 76, 17, 104, 214,
95, 96, 238, 97, 6, 240, 239, 53, 188, 180, 41 } Session ID:  {}
Cipher Suites: [TLS_EMPTY_RENEGOTIATION_INFO_SCSV, Unknown 0x56:0x0,
SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA,
TLS_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA,
SSL_RSA_WITH_RC4_128_MD5] Compression Methods:  { 0 }
***
%% Initialized:  [Session-13, SSL_NULL_WITH_NULL_NULL] %% Invalidated:
[Session-13, SSL_NULL_WITH_NULL_NULL] http-bio-xxxx-exec-2, SEND
TLSv1.2 ALERT:  fatal, description = handshake_failure
http-bio-xxxx-exec-2, WRITE: TLSv1.2 Alert, length = 2
http-bio-xxxx-exec-2, called closeSocket()



http-bio-xxxx-exec-2, handling exception: javax.net.ssl.SSLHandshakeException:
no cipher suites in common
http-bio-xxxx-exec-2, IOException in getSession():
javax.net.ssl.SSLHandshakeException: no cipher suites in common


There you go, no comment needed.

Also, since you are using JSSE in your tomcat connector, you never
mentioned the Java version you are using? From the logs it looks like IHS offers 
TLSv1.2 ciphers but tomcat does not support them, so maybe you are running an 
outdated version of Java, maybe 1.6?

There are some tools out there you can use to find the default SSL/TLS cipher suites 
that the JVM will use (and I think I've seen one from Christopher Schultz). The 
tool should provide you with output like this:

$ java Ciphers
Default    Cipher
      SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
*    SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
      SSL_DHE_DSS_WITH_DES_CBC_SHA
      SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
*    SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
      SSL_DHE_RSA_WITH_DES_CBC_SHA
      SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA
      SSL_DH_anon_WITH_3DES_EDE_CBC_SHA
      SSL_DH_anon_WITH_DES_CBC_SHA
      SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
*    SSL_RSA_WITH_3DES_EDE_CBC_SHA
      SSL_RSA_WITH_DES_CBC_SHA
      SSL_RSA_WITH_NULL_MD5
      SSL_RSA_WITH_NULL_SHA
*    TLS_DHE_DSS_WITH_AES_128_CBC_SHA
*    TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
*    TLS_DHE_DSS_WITH_AES_128_GCM_SHA256
*    TLS_DHE_RSA_WITH_AES_128_CBC_SHA
*    TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
*    TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
      TLS_DH_anon_WITH_AES_128_CBC_SHA
      TLS_DH_anon_WITH_AES_128_CBC_SHA256
      TLS_DH_anon_WITH_AES_128_GCM_SHA256
...

then pick one of the supported default ciphers (marked with a star) and use it 
in IHS (as it is or translated in the IHS way, no idea about that) so you get a 
match. I know nothing about IHS so can't help there.

If that doesn't work then I would say IHS does some funky stuff with the cipher 
suites in a way that tomcat can't understand them.

Igor
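As an added illustration of the check Igor describes (this is not the Ciphers tool from the list, nor code from either poster), the program below prints the JVM's supported suites with the enabled defaults starred, and then intersects the enabled set with a list of suites offered by the peer. The offered list is constructed from the ClientHello in the quoted debug log; an empty intersection is exactly the "no cipher suites in common" condition the handshake failed on.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import java.util.Arrays;
import java.util.LinkedHashSet;
import java.util.Set;
import java.util.TreeSet;

public class CipherCheck {
    // Constructed input: the suites listed in the ClientHello of the quoted debug log.
    static final String[] OFFERED_BY_CLIENT = {
        "SSL_RSA_WITH_RC4_128_SHA",
        "TLS_RSA_WITH_AES_128_CBC_SHA",
        "TLS_RSA_WITH_AES_256_CBC_SHA",
        "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
        "SSL_RSA_WITH_RC4_128_MD5"
    };

    public static void main(String[] args) throws Exception {
        SSLSocketFactory factory = SSLContext.getDefault().getSocketFactory();
        // Enabled by default in this JVM (respects jdk.tls.disabledAlgorithms).
        Set<String> enabled = new LinkedHashSet<>(Arrays.asList(factory.getDefaultCipherSuites()));
        // Everything the provider implements, whether enabled or not.
        Set<String> supported = new TreeSet<>(Arrays.asList(factory.getSupportedCipherSuites()));

        // Same layout as the output quoted above: a star marks suites enabled by default.
        System.out.println("Default    Cipher");
        for (String suite : supported) {
            System.out.println((enabled.contains(suite) ? "*    " : "     ") + suite);
        }

        // Intersect the enabled defaults with what the peer offered. Suite names may
        // also be passed on the command line to check a different ClientHello.
        String[] offered = args.length > 0 ? args : OFFERED_BY_CLIENT;
        Set<String> common = new LinkedHashSet<>();
        for (String suite : offered) {
            if (enabled.contains(suite)) {
                common.add(suite);
            }
        }
        System.out.println();
        System.out.println(common.isEmpty()
            ? "No cipher suites in common with the offered list."
            : "Suites in common: " + common);
    }
}
```

Keep in mind that a Tomcat JSSE connector can narrow the enabled set further through its `ciphers` attribute, so the list to compare against the peer's ClientHello is the connector's configured list, not only the JVM default.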



---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org


