:) IHS is IBM HTTP Server. Thank you,
-----Original Message-----
From: André Warnier (tomcat) [mailto:a...@ice-sa.com]
Sent: Thursday, October 12, 2017 9:32 AM
To: users@tomcat.apache.org
Subject: Re: FW: [error] SSL0266E: Handshake Failed, Could not establish SSL proxy connection

And for the rest of us dummies trying to follow this conversation, what might "IHS" be ?
Whatever Google returns doesn't seem really relevant.

On 12.10.2017 15:25, Gali, Vamsi A wrote:
> Igor,
> Thank you for suggesting that I turn on the SSL debug. We are using Java 1.8
> which by default uses TLS1.2. Looks like both IHS & Tomcat are using tls1.2
> but there is a cipher mismatch. We have Tam directly connecting to Tomcat and
> the connectivity works w/o any SSL handshake errors. Hence, I'm suspecting
> IHS and will be trying by adding the same tls1.2 ciphers that Tomcat/java
> supports.
>
> Thank you,
> Vamsi Gali
>
>
> -----Original Message-----
> From: Igor Cicimov [mailto:icici...@gmail.com]
> Sent: Wednesday, October 11, 2017 7:33 PM
> To: Tomcat Users List
> Subject: Re: FW: [error] SSL0266E: Handshake Failed, Could not
> establish SSL proxy connection
>
> On Thu, Oct 12, 2017 at 9:17 AM, Igor Cicimov <icici...@gmail.com> wrote:
>
>> On 12 Oct 2017 8:25 am, "Gali, Vamsi A"
>> <vamsi_a_g...@keybank.com.invalid>
>> wrote:
>>
>> The debug log produced the following & it's evident that the handshake is
>> failing due to no cipher suites in common.
>>
>> Allow unsafe renegotiation: false
>> Allow legacy hello messages: true
>> Is initial handshake: true
>> Is secure renegotiation: false
>> http-bio-xxxx-Acceptor-0, setSoTimeout(60000) called
>> Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1
>> Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 for TLSv1
>> Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1
>> Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 for TLSv1
>> Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for TLSv1
>> Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for TLSv1
>> Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
>> Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
>> Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
>> Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
>> Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for TLSv1.1
>> Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for TLSv1.1
>> http-bio-xxxx-exec-2, READ: TLSv1.2 Handshake, length = 57
>> *** ClientHello, TLSv1.2
>> RandomCookie: GMT: -2042962343 bytes = { 199, 95, 13, 144, 113, 194, 145, 53, 176, 117, 165, 93, 196, 76, 17, 104, 214, 95, 96, 238, 97, 6, 240, 239, 53, 188, 180, 41 }
>> Session ID: {}
>> Cipher Suites: [TLS_EMPTY_RENEGOTIATION_INFO_SCSV, Unknown 0x56:0x0, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_RC4_128_MD5]
>> Compression Methods: { 0 }
>> ***
>> %% Initialized: [Session-13, SSL_NULL_WITH_NULL_NULL]
>> %% Invalidated: [Session-13, SSL_NULL_WITH_NULL_NULL]
>> http-bio-xxxx-exec-2, SEND TLSv1.2 ALERT: fatal, description = handshake_failure
>> http-bio-xxxx-exec-2, WRITE: TLSv1.2 Alert, length = 2
>> http-bio-xxxx-exec-2, called closeSocket()
>>
>>
>>
>> http-bio-xxxx-exec-2, handling exception: javax.net.ssl.SSLHandshakeException: no cipher suites in common
>> http-bio-xxxx-exec-2, IOException in getSession(): javax.net.ssl.SSLHandshakeException: no cipher suites in common
>>
>>
>> There you go, no comment needed.
>>
>> Also, since you are using JSSE in your tomcat connector, you never
> mentioned the Java version you are using. From the logs it looks like IHS offers
> TLSv1.2 ciphers but tomcat does not support them, so maybe you are running an
> outdated version of Java, maybe 1.6?
>
> There are some tools out there you can use to find the default SSL/TLS cipher
> suites that the JVM will use (and I think I've seen one from Christopher Schultz).
> The tool should provide you with output like this:
>
> $ java Ciphers
> Default Cipher
> SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
> * SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
> SSL_DHE_DSS_WITH_DES_CBC_SHA
> SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
> * SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
> SSL_DHE_RSA_WITH_DES_CBC_SHA
> SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA
> SSL_DH_anon_WITH_3DES_EDE_CBC_SHA
> SSL_DH_anon_WITH_DES_CBC_SHA
> SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
> * SSL_RSA_WITH_3DES_EDE_CBC_SHA
> SSL_RSA_WITH_DES_CBC_SHA
> SSL_RSA_WITH_NULL_MD5
> SSL_RSA_WITH_NULL_SHA
> * TLS_DHE_DSS_WITH_AES_128_CBC_SHA
> * TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
> * TLS_DHE_DSS_WITH_AES_128_GCM_SHA256
> * TLS_DHE_RSA_WITH_AES_128_CBC_SHA
> * TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
> * TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
> TLS_DH_anon_WITH_AES_128_CBC_SHA
> TLS_DH_anon_WITH_AES_128_CBC_SHA256
> TLS_DH_anon_WITH_AES_128_GCM_SHA256
> ...
>
> then pick one of the supported default ciphers (marked with a star) and use
> it in IHS (as it is or translated the IHS way, no idea about that) so you get
> a match.
> I know nothing about IHS so can't help there.
>
> If that doesn't work then I would say IHS does some funky stuff with the
> cipher suites in a way that tomcat can't understand them.
>
> Igor
>
>
> This communication may contain privileged and/or confidential information. It
> is intended solely for the use of the addressee. If you are not the intended
> recipient, you are strictly prohibited from disclosing, copying, distributing
> or using any of this information. If you received this communication in
> error, please contact the sender immediately and destroy the material in its
> entirety, whether electronic or hard copy. This communication may contain
> nonpublic personal information about consumers subject to the restrictions of
> the Gramm-Leach-Bliley Act. You may not directly or indirectly reuse or
> redisclose such information for any purpose other than to provide the
> services for which you are receiving the information.
>
> 127 Public Square, Cleveland, OH 44114 If you prefer not to receive
> future e-mail offers for products or services from Key send an e-mail
> to mailto:dnereque...@key.com with 'No Promotional E-mails' in the
> SUBJECT line.
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
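A small tool of the kind Igor describes, added here as an example: it is not Christopher Schultz's Ciphers tool, not code from this thread, and not part of Tomcat or IHS. It lists the cipher suites the running JVM supports and marks the ones JSSE enables by default (the same star convention as the output quoted above), and, when given the suite names from the peer's ClientHello as arguments, reports which of them the JVM would accept. An empty intersection is exactly the condition behind "no cipher suites in common" in the debug log. The class name CipherCheck is an assumption; the lists come from the JVM's default SSLContext, so they reflect jdk.tls.disabledAlgorithms in java.security but not a `ciphers` attribute set on the Tomcat connector in server.xml.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import java.util.Arrays;
import java.util.LinkedHashSet;
import java.util.Set;
import java.util.TreeSet;

/**
 * CipherCheck (hypothetical name, example code): lists the cipher suites
 * this JVM supports and enables by default through JSSE, then checks which
 * of a peer's offered suites would be accepted.
 *
 *   java CipherCheck                   lists suites, '*' = enabled by default
 *   java CipherCheck SUITE [SUITE...]  also intersects with the peer's offer
 */
public class CipherCheck {

    /** Suites JSSE enables by default (disabled algorithms already removed). */
    static Set<String> defaultSuites() throws Exception {
        SSLSocketFactory f = SSLContext.getDefault().getSocketFactory();
        return new LinkedHashSet<>(Arrays.asList(f.getDefaultCipherSuites()));
    }

    /** Every suite the JVM could enable, including ones disabled by default. */
    static Set<String> supportedSuites() throws Exception {
        SSLSocketFactory f = SSLContext.getDefault().getSocketFactory();
        return new LinkedHashSet<>(Arrays.asList(f.getSupportedCipherSuites()));
    }

    /**
     * Suites from the peer's ClientHello that are enabled on this side, in the
     * peer's order. Signalling values such as TLS_EMPTY_RENEGOTIATION_INFO_SCSV
     * (and 0x5600, TLS_FALLBACK_SCSV, shown as "Unknown 0x56:0x0" in the log)
     * are not negotiable suites and are skipped.
     */
    static Set<String> commonSuites(Set<String> enabled, String... offered) {
        Set<String> common = new LinkedHashSet<>();
        for (String s : offered) {
            if (s.endsWith("_SCSV")) continue;
            if (enabled.contains(s)) common.add(s);
        }
        return common;
    }

    public static void main(String[] args) throws Exception {
        Set<String> defaults = defaultSuites();
        Set<String> supported = supportedSuites();

        System.out.println("Default Cipher");
        for (String s : new TreeSet<>(supported)) {
            System.out.println((defaults.contains(s) ? "* " : "  ") + s);
        }

        if (args.length == 0) return;

        // The server aborts with handshake_failure ("no cipher suites in common")
        // when nothing the client offered is enabled on the server side.
        Set<String> common = commonSuites(defaults, args);
        System.out.println();
        System.out.println("Offered by peer : " + Arrays.toString(args));
        System.out.println("Acceptable here : " + common);
        if (common.isEmpty()) {
            System.out.println("=> handshake would fail: no cipher suites in common");
            System.exit(1);
        }
    }
}
```

Compile with `javac CipherCheck.java` using the same JDK that runs Tomcat, then paste the names from the ClientHello in the debug log as arguments, for example `java CipherCheck SSL_RSA_WITH_RC4_128_SHA TLS_RSA_WITH_AES_128_CBC_SHA TLS_RSA_WITH_AES_256_CBC_SHA SSL_RSA_WITH_3DES_EDE_CBC_SHA SSL_RSA_WITH_RC4_128_MD5`. Two caveats: if server.xml sets `ciphers` on the connector, that list, not the JVM default, is what the handshake is checked against, so compare the peer's offer with the connector's list instead; and the suites in the quoted ClientHello are RSA key exchange with RC4, 3DES or CBC, so rather than enabling one of those on the Tomcat side, the cleaner fix is to let IHS offer a suite that is already in the JVM's default list (an ECDHE or DHE AES-GCM suite, for instance).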