Author |
|
tushar.ghodake
Joined: 04 Apr 2017 Posts: 11 Location: India
|
Posted: Tue 29 Dec '20 9:44 Post subject: Error during SSL Handshake with remote server |
|
|
I am using Apache 2.4.46 as a reverse proxy server for tomcat. I am running tomcat on ssl. However, if I remove TLS1 protocol from my tomcat (server.xml) then Apache web server gives me below errors.
The proxy server could not handle the request
Reason: Error during SSL Handshake with remote server
In error.log, I am getting below error:
AH01084: pass request body failed to 127.0.0.1:8443 (127.0.0.1)
However, it works fine if I add TLS1 in my backend server. |
|
Back to top |
|
tangent Moderator
Joined: 16 Aug 2020 Posts: 348 Location: UK
|
Posted: Tue 29 Dec '20 12:26 Post subject: |
|
|
It would appear the Java behind your Tomcat only supports TLS1, and nothing more recent. You can confirm this using openssl s_client to check the supported TLS variants, viz:
Code: | openssl s_client -connect tomcat-server:tomcat-port -tls1
openssl s_client -connect tomcat-server:tomcat-port -tls1_1
openssl s_client -connect tomcat-server:tomcat-port -tls1_2
openssl s_client -connect tomcat-server:tomcat-port -tls1_3 |
However. your error message refers to the loopback interface, which suggests Tomcat is running on the same server as your Apache proxy.
So assuming your Apache frontend is running HTTPS, and user connections to Tomcat are being proxied, why are you bothering to run a secure connection to your Tomcat as well?
I would suggest changing the Tomcat server.xml to drop the secure connection, and change the connector sections to only listen on the loopback interface, e.g.
Code: | <Connector address="127.0.0.1" port="8080" protocol="HTTP/1.1"... |
This will prevent anyone connecting remotely to Tomcat, unless they go through the proxy.
Indeed, for performance, I'd also drop the HTTP proxy and switch to using binary AJP on port 8009. |
|
Back to top |
|
tushar.ghodake
Joined: 04 Apr 2017 Posts: 11 Location: India
|
Posted: Tue 29 Dec '20 13:54 Post subject: |
|
|
No My java supports all protocols. it works fine with TLS 1.2 & 1.3 when I use Apache 2.4.43.
As of now I have deployed apache and tomcat on same server but in production tomcat will be there on a separate server. I need to use SSL on Tomcat as well. |
|
Back to top |
|
tangent Moderator
Joined: 16 Aug 2020 Posts: 348 Location: UK
|
Posted: Tue 29 Dec '20 21:26 Post subject: |
|
|
ok, so you want your connection to Tomcat to be secure, but you want to disable TLS1 presumably leaving TLS1.2 and TLS1.3.
So if it were me, I'd test with openssl s_client to confirm which protocols Tomcat is supporting, assuming your server.xml contains something along these lines:
Code: | sslProtocol="TLS" sslEnabledProtocols="TLSv1.2,TLSv1.3" |
So do the SSL proxy configuration entries you have in Apache include the following?
Code: | SSLProxyProtocol +TLSv1.2 +TLSv1.3 |
If so, and the Apache proxy connection is still failing, you'll need to turn up SSL debug on Apache to get more detail as to why. |
|
Back to top |
|
tushar.ghodake
Joined: 04 Apr 2017 Posts: 11 Location: India
|
Posted: Wed 30 Dec '20 17:29 Post subject: |
|
|
Yes, my tomcat supports TLS1.2 and TLS1.3. As I said I am Apache 2.4.43 version is able to connect to the same tomcat where Apache 2.4.46 does not.
I have enabled TLS1.2 and TLS1.3 in my Apache proxy configuration as well.
I am able to make the connection to the tomcat using below commands,
openssl s_client -connect tomcat-server:tomcat-port -tls1_2
openssl s_client -connect tomcat-server:tomcat-port -tls1_3
Can you please tell me how to enable ssl debug in Apache? |
|
Back to top |
|
tangent Moderator
Joined: 16 Aug 2020 Posts: 348 Location: UK
|
Posted: Wed 30 Dec '20 17:44 Post subject: |
|
|
Change the LogLevel as follows and restart Apache.
If that's still not enough detail, try:
Code: | LogLevel ssl:trace6 |
To help other forum members respond, you'll probably need to post your configuration details (suitably anonymized) to https://apaste.info/ |
|
Back to top |
|
James Blond Moderator
Joined: 19 Jan 2006 Posts: 7373 Location: Germany, Next to Hamburg
|
Posted: Tue 05 Jan '21 16:21 Post subject: |
|
|
Apache JServ Protocol (AJP) via mod_proxy_ajp is to set up (at least it was for me) |
|
Back to top |
|