This issue is now RESOLVED.
On IHS (IBM HTTP Server, IBM's version of the Apache web server), we only had 2 TLS
ciphers, which are not compatible with Tomcat's TLSv1.2. So I added
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256" to the IHS httpd.conf by looking at this:
https://www.ibm.com/support/knowledgecenter/en/SSEQTJ_8.5.5/com.ibm.websphere.ihs.doc/ihs/rihs_ciphspec.html
and IHS can communicate with Tomcat W/O any issues. Woohoo!
The reason I picked the above cipher is because it's on the list of ciphers
Tomcat's JVM supports.
Igor, I couldn't use one of the Java-based cipher tools, so I used a small script
to get a list of ciphers available for a JVM (this can be used for any Linux
server as long as openssl is available):
#!/bin/sh
# Try every cipher this OpenSSL build knows, one handshake per cipher, and print
# the ones the server accepts for the given protocol version.
# Replace SERVERNAME and https_port with the Tomcat host and its HTTPS port.
for v in tls1_2; do
  for c in $(openssl ciphers 'ALL:eNULL' | tr ':' ' '); do
    openssl s_client -connect SERVERNAME:https_port \
      -cipher "$c" -"$v" < /dev/null > /dev/null 2>&1 && printf '%s:\t%s\n' "$v" "$c"
  done
done
I executed the above script to find out the list of ciphers on Tomcat's JVM and, based
on that, I chose to use TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 on IHS.
I appreciate all the help on finding me the true issue!
Thank you,
Vamsi Gali
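As an added illustration (my code, not anything posted in this thread), here is a Python script that reads the JSSE debug output quoted further down and makes the "no cipher suites in common" failure explicit: it pulls the suites IHS offered in its ClientHello, the suites the connector's "Ignoring unsupported cipher suite" lines reveal on the Tomcat side, their intersection, and which offered suites a reviewer would flag as legacy or lacking forward secrecy. The embedded log is a constructed, trimmed copy of the quoted lines; the server list inferred from the log is only a lower bound, so pass the connector's real ciphers list when you have it.

```python
import re

# Constructed sample: a trimmed copy of the JSSE debug output quoted later in
# this thread (IHS is the TLS client, the Tomcat JSSE connector the server).
JSSE_LOG = """\
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 for TLSv1
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for TLSv1.1
http-bio-xxxx-exec-2, READ: TLSv1.2 Handshake, length = 57
*** ClientHello, TLSv1.2
Cipher Suites: [TLS_EMPTY_RENEGOTIATION_INFO_SCSV, Unknown 0x56:0x0,
SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA,
TLS_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA,
SSL_RSA_WITH_RC4_128_MD5] Compression Methods: { 0 }
http-bio-xxxx-exec-2, SEND TLSv1.2 ALERT: fatal, description = handshake_failure
"""

IGNORED_RE = re.compile(r"Ignoring unsupported cipher suite: (\S+) for TLSv[\d.]+")
SUITES_RE = re.compile(r"Cipher Suites: \[(.*?)\]", re.S)

def client_offer(log):
    """Suites the ClientHello offered. The renegotiation SCSV and
    'Unknown 0x56:0x0' (TLS_FALLBACK_SCSV) are signalling values, not suites."""
    m = SUITES_RE.search(log)
    if not m:
        return []
    names = [n.strip() for n in m.group(1).replace("\n", " ").split(",")]
    return [n for n in names
            if n and not n.endswith("_SCSV") and not n.startswith("Unknown")]

def server_configured(log):
    """Lower bound on the connector's configured suites: JSSE logs a configured
    suite only when it cannot use it on an older protocol version."""
    return sorted({m.group(1) for m in IGNORED_RE.finditer(log)})

def common_suites(log, server=None):
    """Offered suites the server also has; pass the connector's real
    'ciphers' list as `server` when you have it instead of inferring it."""
    srv = set(server if server is not None else server_configured(log))
    return [s for s in client_offer(log) if s in srv]

def weak_offers(log):
    """Offered suites a reviewer would flag: no forward secrecy (plain RSA
    key exchange) or RC4, 3DES, MD5 or NULL algorithms."""
    legacy = ("RC4", "3DES", "_MD5", "NULL")
    return [s for s in client_offer(log)
            if "DHE" not in s or any(tag in s for tag in legacy)]
```

With the quoted log, common_suites() returns an empty list, which is exactly the handshake_failure alert Tomcat sent; every suite IHS offered also lands in weak_offers(), since all of them use plain RSA key exchange.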
-----Original Message-----
From: André Warnier (tomcat) [mailto:[email protected]]
Sent: Thursday, October 12, 2017 10:05 AM
To: [email protected]
Subject: Re: FW: [error] SSL0266E: Handshake Failed, Could not establish SSL
proxy connection
On 12.10.2017 15:33, Gali, Vamsi A wrote:
> :)
> IHS is IBM HTTP Server.
>
> Thank you,
Thank you too. I feel a lot less like a dummy now.
And after reading a bit on "IHS" now, it would seem that this is at least 90%
Apache httpd 2.2, which may make it clearer to other people that maybe they
could help too.
>
>
> -----Original Message-----
> From: André Warnier (tomcat) [mailto:[email protected]]
> Sent: Thursday, October 12, 2017 9:32 AM
> To: [email protected]
> Subject: Re: FW: [error] SSL0266E: Handshake Failed, Could not
> establish SSL proxy connection
>
> And for the rest of us dummies trying to follow this conversation, what might
> "IHS" be ?
> Whatever Google returns doesn't seem really relevant.
>
> On 12.10.2017 15:25, Gali, Vamsi A wrote:
>> Igor,
>> Thank you for suggesting that I turn on the SSL debug. We are using Java 1.8,
>> which by default uses TLSv1.2. Looks like both IHS & Tomcat are using TLSv1.2
>> but there is a cipher mismatch. We have TAM directly connecting to Tomcat
>> and the connectivity works w/o any SSL handshake errors. Hence, I'm
>> suspecting IHS and will be trying by adding the same TLSv1.2 ciphers that
>> Tomcat/Java supports.
>>
>> Thank you,
>> Vamsi Gali
>>
>>
>> -----Original Message-----
>> From: Igor Cicimov [mailto:[email protected]]
>> Sent: Wednesday, October 11, 2017 7:33 PM
>> To: Tomcat Users List
>> Subject: Re: FW: [error] SSL0266E: Handshake Failed, Could not
>> establish SSL proxy connection
>>
>> On Thu, Oct 12, 2017 at 9:17 AM, Igor Cicimov <[email protected]> wrote:
>>
>>> On 12 Oct 2017 8:25 am, "Gali, Vamsi A"
>>> <[email protected]>
>>> wrote:
>>>
>>> The debug log produced following & it's evident that handshake is
>>> failing due to no ciphers suites in common.
>>>
>>> Allow unsafe renegotiation: false
>>> Allow legacy hello messages: true
>>> Is initial handshake: true
>>> Is secure renegotiation: false
>>> http-bio-xxxx-Acceptor-0, setSoTimeout(60000) called Ignoring
>>> unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
>>> for TLSv1
>>> Ignoring unsupported cipher suite:
>>> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
>>> for TLSv1
>>> Ignoring unsupported cipher suite:
>>> TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
>>> for TLSv1
>>> Ignoring unsupported cipher suite:
>>> TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
>>> for TLSv1
>>> Ignoring unsupported cipher suite:
>>> TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
>>> for TLSv1
>>> Ignoring unsupported cipher suite:
>>> TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
>>> for TLSv1
>>> Ignoring unsupported cipher suite:
>>> TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
>>> for TLSv1.1
>>> Ignoring unsupported cipher suite:
>>> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
>>> for TLSv1.1
>>> Ignoring unsupported cipher suite:
>>> TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
>>> for TLSv1.1
>>> Ignoring unsupported cipher suite:
>>> TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
>>> for TLSv1.1
>>> Ignoring unsupported cipher suite:
>>> TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
>>> for TLSv1.1
>>> Ignoring unsupported cipher suite:
>>> TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
>>> for TLSv1.1
>>> http-bio-xxxx-exec-2, READ: TLSv1.2 Handshake, length = 57
>>> *** ClientHello, TLSv1.2
>>> RandomCookie: GMT: -2042962343 bytes = { 199,
>>> 95, 13, 144, 113, 194, 145, 53, 176, 117, 165, 93, 196, 76, 17, 104,
>>> 214, 95, 96, 238, 97, 6, 240, 239, 53, 188, 180, 41 } Session ID:
>>> {} Cipher Suites: [TLS_EMPTY_RENEGOTIATION_INFO_SCSV, Unknown
>>> 0x56:0x0, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA,
>>> TLS_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA,
>>> SSL_RSA_WITH_RC4_128_MD5] Compression Methods: { 0 }
>>> ***
>>> %% Initialized: [Session-13, SSL_NULL_WITH_NULL_NULL] %% Invalidated:
>>> [Session-13, SSL_NULL_WITH_NULL_NULL] http-bio-xxxx-exec-2, SEND
>>> TLSv1.2 ALERT: fatal, description = handshake_failure
>>> http-bio-xxxx-exec-2, WRITE: TLSv1.2 Alert, length = 2
>>> http-bio-xxxx-exec-2, called closeSocket()
>>>
>>>
>>>
>>> http-bio-xxxx-exec-2, handling exception:
>>> javax.net.ssl.SSLHandshakeException:
>>> no cipher suites in common
>>> http-bio-xxxx-exec-2, IOException in getSession():
>>> javax.net.ssl.SSLHandshakeException: no cipher suites in common
>>>
>>>
>>> There you go, no comment needed.
>>>
>>> Also, since you are using JSSE in your tomcat connector, you never
>> mentioned the Java version you are using? From the logs it looks like IHS
>> offers TLSv1.2 ciphers but tomcat does not support them, so maybe you are
>> running an outdated version of Java, maybe 1.6?
>>
>> There are some tools out there you can use to find the default SSL/TLS cipher
>> suites that the JVM will use (and I think I've seen one from Christopher
>> Schultz). The tool should provide you with output like this:
>>
>> $ java Ciphers
>> Default Cipher
>> SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
>> * SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
>> SSL_DHE_DSS_WITH_DES_CBC_SHA
>> SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
>> * SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
>> SSL_DHE_RSA_WITH_DES_CBC_SHA
>> SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA
>> SSL_DH_anon_WITH_3DES_EDE_CBC_SHA
>> SSL_DH_anon_WITH_DES_CBC_SHA
>> SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
>> * SSL_RSA_WITH_3DES_EDE_CBC_SHA
>> SSL_RSA_WITH_DES_CBC_SHA
>> SSL_RSA_WITH_NULL_MD5
>> SSL_RSA_WITH_NULL_SHA
>> * TLS_DHE_DSS_WITH_AES_128_CBC_SHA
>> * TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
>> * TLS_DHE_DSS_WITH_AES_128_GCM_SHA256
>> * TLS_DHE_RSA_WITH_AES_128_CBC_SHA
>> * TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
>> * TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
>> TLS_DH_anon_WITH_AES_128_CBC_SHA
>> TLS_DH_anon_WITH_AES_128_CBC_SHA256
>> TLS_DH_anon_WITH_AES_128_GCM_SHA256
>> ...
>>
>> then pick one of the supported default ciphers (marked with a star) and use
>> it in IHS (as it is or translated in the IHS way, no idea about that) so you get
>> a match. I know nothing about IHS so can't help there.
>>
>> If that doesn't work then I would say IHS does some funky stuff with the
>> cipher suites in a way that tomcat can't understand them.
>>
>> Igor
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: [email protected]
>> For additional commands, e-mail: [email protected]
>>