This issue is now RESOLVED. On IHS (IBM HTTP Server, IBM's version of the Apache web server), we only had 2 TLS ciphers that are not compatible with Tomcat TLSv1.2. So I added "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256" to the IHS httpd.conf by looking at this: https://www.ibm.com/support/knowledgecenter/en/SSEQTJ_8.5.5/com.ibm.websphere.ihs.doc/ihs/rihs_ciphspec.html and IHS can communicate with Tomcat w/o any issues. Woohoo!

The reason I picked the above cipher is because it's on the list of ciphers Tomcat's JVM supports. Igor, I couldn't use one of the Java-based cipher tools, so I used a small script to get a list of ciphers available for a JVM (this can be used for any Linux server as long as openssl is available):

    #!/bin/sh
    # Try every cipher the local OpenSSL knows, one handshake per cipher, against the
    # Tomcat connector and print the ones the server accepts for that protocol version.
    # SERVERNAME:https_port is a placeholder for the Tomcat host and HTTPS port.
    for v in tls1_2; do
      for c in $(openssl ciphers 'ALL:eNULL' | tr ':' ' '); do
        # s_client exits 0 only if the handshake with this single cipher succeeds.
        # printf is used instead of "echo -e", which is not portable under /bin/sh.
        openssl s_client -connect SERVERNAME:https_port -cipher "$c" -"$v" < /dev/null > /dev/null 2>&1 \
          && printf '%s:\t%s\n' "$v" "$c"
      done
    done

I executed the above script to find out the list of ciphers on Tomcat's JVM, and based on that I chose to use TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 on IHS. I appreciate all the help in finding the true issue!

Thank you,
Vamsi Gali

-----Original Message-----
From: André Warnier (tomcat) [mailto:a...@ice-sa.com]
Sent: Thursday, October 12, 2017 10:05 AM
To: users@tomcat.apache.org
Subject: Re: FW: [error] SSL0266E: Handshake Failed, Could not establish SSL proxy connection

On 12.10.2017 15:33, Gali, Vamsi A wrote:
> :)
> IHS is IBM HTTP Server.
>
> Thank you,

Thank you too. I feel a lot less like a dummy now.
And after reading a bit on "IHS" now, it would seem that this is at least 90% Apache httpd 2.2, which may make it clearer to other people that maybe they could help too.

>
> -----Original Message-----
> From: André Warnier (tomcat) [mailto:a...@ice-sa.com]
> Sent: Thursday, October 12, 2017 9:32 AM
> To: users@tomcat.apache.org
> Subject: Re: FW: [error] SSL0266E: Handshake Failed, Could not establish SSL proxy connection
>
> And for the rest of us dummies trying to follow this conversation, what might "IHS" be?
> Whatever Google returns doesn't seem really relevant.
>
> On 12.10.2017 15:25, Gali, Vamsi A wrote:
>> Igor,
>> Thank you for suggesting me to turn on the SSL debug. We are using Java 1.8, which by default uses TLS1.2. Looks like both IHS & Tomcat are using TLS1.2 but there is a cipher mismatch.
>> We have Tam directly connecting to Tomcat and the connectivity works w/o any SSL handshake errors. Hence, I'm suspecting IHS and will be trying by adding the same TLS1.2 ciphers that Tomcat/Java supports.
>>
>> Thank you,
>> Vamsi Gali
>>
>> -----Original Message-----
>> From: Igor Cicimov [mailto:icici...@gmail.com]
>> Sent: Wednesday, October 11, 2017 7:33 PM
>> To: Tomcat Users List
>> Subject: Re: FW: [error] SSL0266E: Handshake Failed, Could not establish SSL proxy connection
>>
>> On Thu, Oct 12, 2017 at 9:17 AM, Igor Cicimov <icici...@gmail.com> wrote:
>>
>>> On 12 Oct 2017 8:25 am, "Gali, Vamsi A" <vamsi_a_g...@keybank.com.invalid> wrote:
>>>
>>> The debug log produced the following & it's evident that the handshake is failing due to no cipher suites in common.
>>>
>>> Allow unsafe renegotiation: false
>>> Allow legacy hello messages: true
>>> Is initial handshake: true
>>> Is secure renegotiation: false
>>> http-bio-xxxx-Acceptor-0, setSoTimeout(60000) called
>>> Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1
>>> Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 for TLSv1
>>> Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1
>>> Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 for TLSv1
>>> Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for TLSv1
>>> Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for TLSv1
>>> Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
>>> Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
>>> Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
>>> Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
>>> Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for TLSv1.1
>>> Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for TLSv1.1
>>> http-bio-xxxx-exec-2, READ: TLSv1.2 Handshake, length = 57
>>> *** ClientHello, TLSv1.2
>>> RandomCookie: GMT: -2042962343 bytes = { 199, 95, 13, 144, 113, 194, 145, 53, 176, 117, 165, 93, 196, 76, 17, 104, 214, 95, 96, 238, 97, 6, 240, 239, 53, 188, 180, 41 }
>>> Session ID: {}
>>> Cipher Suites: [TLS_EMPTY_RENEGOTIATION_INFO_SCSV, Unknown 0x56:0x0, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_RC4_128_MD5]
>>> Compression Methods: { 0 }
>>> ***
>>> %% Initialized: [Session-13, SSL_NULL_WITH_NULL_NULL]
>>> %% Invalidated: [Session-13, SSL_NULL_WITH_NULL_NULL]
>>> http-bio-xxxx-exec-2, SEND TLSv1.2 ALERT: fatal, description = handshake_failure
>>> http-bio-xxxx-exec-2, WRITE: TLSv1.2 Alert, length = 2
>>> http-bio-xxxx-exec-2, called closeSocket()
>>>
>>> http-bio-xxxx-exec-2, handling exception: javax.net.ssl.SSLHandshakeException: no cipher suites in common
>>> http-bio-xxxx-exec-2, IOException in getSession(): javax.net.ssl.SSLHandshakeException: no cipher suites in common
>>>
>>> There you go, no comment needed.
>>>
>>> Also, since you are using JSSE in your tomcat connector, you never mentioned the Java version you are using? From the logs it looks like IHS offers TLSv1.2 ciphers but tomcat does not support them, so maybe you are running an outdated version of Java, maybe 1.6?
>>
>> There are some tools out there you can use to find the default SSL/TLS cipher suites that the JVM will use (and I think I've seen one from Christopher Schultz).
>> The tool should provide you with output like this:
>>
>> $ java Ciphers
>> Default Cipher
>>           SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
>> *         SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
>>           SSL_DHE_DSS_WITH_DES_CBC_SHA
>>           SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
>> *         SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
>>           SSL_DHE_RSA_WITH_DES_CBC_SHA
>>           SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA
>>           SSL_DH_anon_WITH_3DES_EDE_CBC_SHA
>>           SSL_DH_anon_WITH_DES_CBC_SHA
>>           SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
>> *         SSL_RSA_WITH_3DES_EDE_CBC_SHA
>>           SSL_RSA_WITH_DES_CBC_SHA
>>           SSL_RSA_WITH_NULL_MD5
>>           SSL_RSA_WITH_NULL_SHA
>> *         TLS_DHE_DSS_WITH_AES_128_CBC_SHA
>> *         TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
>> *         TLS_DHE_DSS_WITH_AES_128_GCM_SHA256
>> *         TLS_DHE_RSA_WITH_AES_128_CBC_SHA
>> *         TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
>> *         TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
>>           TLS_DH_anon_WITH_AES_128_CBC_SHA
>>           TLS_DH_anon_WITH_AES_128_CBC_SHA256
>>           TLS_DH_anon_WITH_AES_128_GCM_SHA256
>> ...
>>
>> then pick one of the supported default ciphers (marked with a star) and use it in IHS (as it is, or translated the IHS way, no idea about that) so you get a match. I know nothing about IHS so can't help there.
>>
>> If that doesn't work then I would say IHS does some funky stuff with the cipher suites in a way that tomcat can't understand them.
>>
>> Igor
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>> For additional commands, e-mail: users-h...@tomcat.apache.org
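As an added example that is not part of this thread (my code, not Tomcat's, IHS's, or any poster's): a small Python helper that reads the Tomcat-side JSSE debug output quoted above, pulls the suites IHS offered in its ClientHello, checks them against the JVM's enabled suites to reproduce the "no cipher suites in common" verdict, and translates the OpenSSL names printed by the s_client loop into the TLS_/SSL_ names Tomcat logs and IHS's SSLCipherSpec use. The log excerpt and the enabled-suite set are constructed from the thread, not captured from a live system.

```python
import re

# Constructed excerpt of the Tomcat-side JSSE debug output quoted in the thread
# (only the lines that matter for the "no cipher suites in common" failure).
DEBUG_LOG = """\
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 for TLSv1
http-bio-xxxx-exec-2, READ: TLSv1.2 Handshake, length = 57
*** ClientHello, TLSv1.2
Cipher Suites: [TLS_EMPTY_RENEGOTIATION_INFO_SCSV, Unknown 0x56:0x0, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_RC4_128_MD5]
http-bio-xxxx-exec-2, SEND TLSv1.2 ALERT: fatal, description = handshake_failure
"""

# Constructed: suites enabled on the Tomcat JVM (a few starred entries of a
# `java Ciphers` listing plus the ECDHE suite the thread ended up adding on IHS).
JVM_ENABLED = {
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
}

# OpenSSL name -> JSSE/IANA name for the suites in this thread. The s_client loop
# prints the left-hand form; Tomcat's log and IHS's config use the right-hand form.
OPENSSL_TO_JSSE = {
    "ECDHE-RSA-AES128-SHA256": "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    "DHE-RSA-AES128-SHA256": "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
    "AES128-SHA": "TLS_RSA_WITH_AES_128_CBC_SHA",
    "AES256-SHA": "TLS_RSA_WITH_AES_256_CBC_SHA",
    "DES-CBC3-SHA": "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
    "RC4-SHA": "SSL_RSA_WITH_RC4_128_SHA",
}

def offered_suites(log):
    """Suites the client (IHS) listed in its ClientHello, minus signalling values."""
    m = re.search(r"Cipher Suites: \[(.*?)\]", log)
    names = [s.strip() for s in m.group(1).split(",")] if m else []
    return [n for n in names if n.startswith(("TLS_", "SSL_")) and not n.endswith("_SCSV")]

def common_suites(log, enabled):
    """Offered suites the server also enables, in client order; empty means handshake_failure."""
    return [s for s in offered_suites(log) if s in enabled]

def weak_offered(log):
    """Offered suites a proxy should not be sending at all (RC4, 3DES, MD5-based)."""
    return [s for s in offered_suites(log) if any(t in s for t in ("RC4", "3DES", "MD5"))]

def jsse_names(openssl_names):
    """Translate what the s_client loop prints into the form to compare and configure with."""
    return [OPENSSL_TO_JSSE.get(n, n) for n in openssl_names]
```

Feeding the real ClientHello from the thread through `common_suites` returns nothing, and appending the suite Vamsi added on IHS produces exactly one match, which is what turned the handshake_failure into a working proxy connection.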