logo
Apache Lounge
Webmasters

 

About Forum Index Downloads Search Register Log in RSS X


Keep Server Online

If you find the Apache Lounge, the downloads and overall help useful, please express your satisfaction with a donation.

or

Bitcoin

A donation makes a contribution towards the costs, the time and effort that's going in this site and building.

Thank You! Steffen

Your donations will help to keep this site alive and well, and continuing building binaries. Apache Lounge is not sponsored.
Post new topic   Forum Index -> Apache View previous topic :: View next topic
Reply to topic   Topic: Error during SSL Handshake with remote server
Author
tushar.ghodake



Joined: 04 Apr 2017
Posts: 11
Location: India

PostPosted: Tue 29 Dec '20 9:44    Post subject: Error during SSL Handshake with remote server Reply with quote

I am using Apache 2.4.46 as a reverse proxy server for tomcat. I am running tomcat on ssl. However, if I remove TLS1 protocol from my tomcat (server.xml) then Apache web server gives me below errors.

The proxy server could not handle the request
Reason: Error during SSL Handshake with remote server

In error.log, I am getting below error:
AH01084: pass request body failed to 127.0.0.1:8443 (127.0.0.1)

However, it works fine if I add TLS1 in my backend server.
Back to top
tangent
Moderator


Joined: 16 Aug 2020
Posts: 348
Location: UK

PostPosted: Tue 29 Dec '20 12:26    Post subject: Reply with quote

It would appear the Java behind your Tomcat only supports TLS1, and nothing more recent. You can confirm this using openssl s_client to check the supported TLS variants, viz:

Code:
openssl s_client -connect tomcat-server:tomcat-port -tls1
openssl s_client -connect tomcat-server:tomcat-port -tls1_1
openssl s_client -connect tomcat-server:tomcat-port -tls1_2
openssl s_client -connect tomcat-server:tomcat-port -tls1_3

However. your error message refers to the loopback interface, which suggests Tomcat is running on the same server as your Apache proxy.

So assuming your Apache frontend is running HTTPS, and user connections to Tomcat are being proxied, why are you bothering to run a secure connection to your Tomcat as well?

I would suggest changing the Tomcat server.xml to drop the secure connection, and change the connector sections to only listen on the loopback interface, e.g.

Code:
<Connector address="127.0.0.1" port="8080" protocol="HTTP/1.1"...

This will prevent anyone connecting remotely to Tomcat, unless they go through the proxy.

Indeed, for performance, I'd also drop the HTTP proxy and switch to using binary AJP on port 8009.
Back to top
tushar.ghodake



Joined: 04 Apr 2017
Posts: 11
Location: India

PostPosted: Tue 29 Dec '20 13:54    Post subject: Reply with quote

No My java supports all protocols. it works fine with TLS 1.2 & 1.3 when I use Apache 2.4.43.

As of now I have deployed apache and tomcat on same server but in production tomcat will be there on a separate server. I need to use SSL on Tomcat as well.
Back to top
tangent
Moderator


Joined: 16 Aug 2020
Posts: 348
Location: UK

PostPosted: Tue 29 Dec '20 21:26    Post subject: Reply with quote

ok, so you want your connection to Tomcat to be secure, but you want to disable TLS1 presumably leaving TLS1.2 and TLS1.3.

So if it were me, I'd test with openssl s_client to confirm which protocols Tomcat is supporting, assuming your server.xml contains something along these lines:
Code:
sslProtocol="TLS" sslEnabledProtocols="TLSv1.2,TLSv1.3"

So do the SSL proxy configuration entries you have in Apache include the following?

Code:
SSLProxyProtocol +TLSv1.2 +TLSv1.3

If so, and the Apache proxy connection is still failing, you'll need to turn up SSL debug on Apache to get more detail as to why.
Back to top
tushar.ghodake



Joined: 04 Apr 2017
Posts: 11
Location: India

PostPosted: Wed 30 Dec '20 17:29    Post subject: Reply with quote

Yes, my tomcat supports TLS1.2 and TLS1.3. As I said I am Apache 2.4.43 version is able to connect to the same tomcat where Apache 2.4.46 does not.

I have enabled TLS1.2 and TLS1.3 in my Apache proxy configuration as well.

I am able to make the connection to the tomcat using below commands,
openssl s_client -connect tomcat-server:tomcat-port -tls1_2
openssl s_client -connect tomcat-server:tomcat-port -tls1_3

Can you please tell me how to enable ssl debug in Apache?
Back to top
tangent
Moderator


Joined: 16 Aug 2020
Posts: 348
Location: UK

PostPosted: Wed 30 Dec '20 17:44    Post subject: Reply with quote

Change the LogLevel as follows and restart Apache.
Code:
LogLevel ssl:debug

If that's still not enough detail, try:
Code:
LogLevel ssl:trace6

To help other forum members respond, you'll probably need to post your configuration details (suitably anonymized) to https://apaste.info/
Back to top
James Blond
Moderator


Joined: 19 Jan 2006
Posts: 7371
Location: Germany, Next to Hamburg

PostPosted: Tue 05 Jan '21 16:21    Post subject: Reply with quote

Apache JServ Protocol (AJP) via mod_proxy_ajp is to set up (at least it was for me)
Back to top


Reply to topic   Topic: Error during SSL Handshake with remote server View previous topic :: View next topic
Post new topic   Forum Index -> Apache