George,

On 10/27/17 10:55 AM, George S. wrote:
> I'm seeing some strange ssl errors. They're not reproducible
> consistently, and I think they're because the PRNG is initializing
> after the Connector. Here's some log output:
>
> 26-Oct-2017 17:04:08.380 INFO [main] org.apache.coyote.AbstractProtocol.start Starting ProtocolHandler ["http-nio-8080"]
> 26-Oct-2017 17:04:08.429 INFO [main] org.apache.coyote.AbstractProtocol.start Starting ProtocolHandler ["https-jsse-nio-443"]
> 26-Oct-2017 17:04:08.459 INFO [main] org.apache.coyote.AbstractProtocol.start Starting ProtocolHandler ["ajp-nio-8009"]
> 26-Oct-2017 17:04:08.492 INFO [main] org.apache.catalina.startup.Catalina.start Server startup in 56903 ms
> 26-Oct-2017 17:05:16.364 WARNING [localhost-startStop-1] org.apache.catalina.util.SessionIdGeneratorBase.createSecureRandom Creation of SecureRandom instance for session ID generation using [SHA1PRNG] took [118,978] milliseconds.
>
> The exception is:
>
> javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
>     at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Unknown Source)
>     at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Unknown Source)
>     at com.sun.net.ssl.internal.ssl.SSLSocketImpl.recvAlert(Unknown Source)
>     at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(Unknown Source)
>     at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
>     at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(Unknown Source)
>     at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(Unknown Source)
>     at sun.net.www.protocol.https.HttpsClient.afterConnect(Unknown Source)
>     at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(Unknown Source)
>     at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(Unknown Source)
>     at sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(Unknown Source)
>
> Has anyone else seen something like this? The app is making an
> internal SSL connection to another servlet. I don't know why they
> didn't use a RequestDispatcher and do .include(), but it's not my
> code.
>
> Anyhow, am I right that the exception is probably related to the
> connectors coming up before the PRNG?

These things are not connected -- this is just a coincidence. The startup time you are seeing is for seeding the secure random-number generator that produces session identifiers.

The error has to do with TLS cipher suite negotiations: there is either a mismatch between protocols/cipher suites supported by both client and server, or you are connecting to a service which requires a client certificate and none has been provided.

I would scan the service to see what protocols/cipher suites are actually supported and then check to see what the client has been configured to support. My experience is that nobody ever bothers to configure the client, and that the defaults are "connect to anything!", so this does seem a little odd.

More information is necessary at this point.

-chris
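
The client-side half of the check suggested above, as an added example that is not part of the original message: it prints what the JVM running the web application enables by default for outbound TLS and intersects that with what the target service offers. The class name `ClientTlsCheck` and the `SERVER_*` lists are assumptions; the lists are constructed sample values to be replaced with the results of scanning the service.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import java.util.Arrays;
import java.util.LinkedHashSet;
import java.util.Set;

public class ClientTlsCheck {
    // Constructed sample values: replace with what a scan of the service reports.
    static final String[] SERVER_PROTOCOLS = { "TLSv1.2" };
    static final String[] SERVER_SUITES = {
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
        "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
    };

    // Entries of 'client' that the server also offers, in client order.
    static Set<String> common(String[] client, String[] server) {
        Set<String> shared = new LinkedHashSet<>(Arrays.asList(client));
        shared.retainAll(Arrays.asList(server));
        return shared;
    }

    static void report(String what, String[] enabled, String[] supported, String[] server) {
        Set<String> usable = common(enabled, server);
        Set<String> disabled = common(supported, server);
        disabled.removeAll(usable);
        System.out.println(what + " enabled on client: " + Arrays.toString(enabled));
        System.out.println(what + " shared with server: " + usable);
        if (usable.isEmpty()) {
            System.out.println("  no overlap: expect handshake_failure");
            System.out.println("  supported but not enabled: " + disabled);
        }
    }

    public static void main(String[] args) throws Exception {
        // HttpsURLConnection uses the default context unless the application
        // installs its own SSLSocketFactory (assumed not to be the case here).
        SSLContext ctx = SSLContext.getDefault();
        SSLParameters enabled = ctx.getDefaultSSLParameters();
        SSLParameters supported = ctx.getSupportedSSLParameters();

        System.out.println("java.version = " + System.getProperty("java.version"));
        // These system properties, when set, override the lists for HttpsURLConnection.
        System.out.println("https.protocols = " + System.getProperty("https.protocols"));
        System.out.println("https.cipherSuites = " + System.getProperty("https.cipherSuites"));

        report("Protocols", enabled.getProtocols(), supported.getProtocols(), SERVER_PROTOCOLS);
        report("Cipher suites", enabled.getCipherSuites(), supported.getCipherSuites(), SERVER_SUITES);
    }
}
```

Run it with the same JVM and system properties as the Tomcat instance making the outbound call. If both lists overlap and the handshake still fails, the remaining cause named above is a service that requires a client certificate.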