Topic: Error during SSL Handshake with remote server

[tushar.ghodake]

I am using Apache 2.4.46 as a reverse proxy server for tomcat. I am running tomcat on ssl. However, if I remove TLS1 protocol from my tomcat (server.xml) then Apache web server gives me below errors.

The proxy server could not handle the request
Reason: Error during SSL Handshake with remote server

In error.log, I am getting below error:
AH01084: pass request body failed to 127.0.0.1:8443 (127.0.0.1)

However, it works fine if I add TLS1 in my backend server.

[tangent]

It would appear the Java behind your Tomcat only supports TLS1, and nothing more recent. You can confirm this using openssl s_client to check the supported TLS variants, viz:

[tushar.ghodake]

No My java supports all protocols. it works fine with TLS 1.2 & 1.3 when I use Apache 2.4.43.

As of now I have deployed apache and tomcat on same server but in production tomcat will be there on a separate server. I need to use SSL on Tomcat as well.

[tangent]

ok, so you want your connection to Tomcat to be secure, but you want to disable TLS1 presumably leaving TLS1.2 and TLS1.3.

So if it were me, I'd test with openssl s_client to confirm which protocols Tomcat is supporting, assuming your server.xml contains something along these lines:

[tushar.ghodake]

Yes, my tomcat supports TLS1.2 and TLS1.3. As I said I am Apache 2.4.43 version is able to connect to the same tomcat where Apache 2.4.46 does not.

I have enabled TLS1.2 and TLS1.3 in my Apache proxy configuration as well.

I am able to make the connection to the tomcat using below commands,
openssl s_client -connect tomcat-server:tomcat-port -tls1_2
openssl s_client -connect tomcat-server:tomcat-port -tls1_3

Can you please tell me how to enable ssl debug in Apache?

[tangent]

Change the LogLevel as follows and restart Apache.

[James Blond]

Apache JServ Protocol (AJP) via mod_proxy_ajp is to set up (at least it was for me)