Posted to users@tomcat.apache.org by g f <gf...@gmail.com> on 2011/01/14 23:31:50 UTC

sslHandshakeException

Hello all,
Not sure if this is the proper area to post but here goes.
I have a debian os running Apache 2.2.16(debian) along with tomcat 6.0.29. I
use mod_jk as well as mod_auth_kerb module for apache.

I use common access cards and allow apache kerb module to handle all auth
and it works just fine except when I access some of my apps that have ajax
calls back to the same server. Now if I force common access card in apache I
get errors in catalina.out as follows:

javax.net.ssl.SSLHandshakeException: Received fatal alert:
handshake_failure.

Now as I said I don't do any auth at the tomcat level it's all done at the
apache level. It seems like tomcat is trying to validate the client certs
that mod_jk is passing along. The question is, how do I tell tomcat to
ignore the client certs?

I only have the AJP connector active in tomcat and it looks like the
following:

<Connector port="8009" protocol="AJP/1.3" redirectPort="8443"
tomcatAuthentication="false" clientAuth="false" SSLVerifyClient="false" />

Any ideas?

If there is an easy way to accept the client certs (even though I do nothing
with them) then I could do that as well.
Thanks for any advice and sorry if this is not the correct forum for this.

Cheers!

Re: sslHandshakeException

Posted by g f <gf...@gmail.com>.
Thanks for the reply PID.
I will have to post the full stack tomorrow.
No error messages about the connector during startup.
I think you are right though, with regard to the outbound, the applications
do make requests to other servers and/or apps.
The odd thing is, apache does not throw any errors even in debug mode. If
apache is handling all things authentication I don't understand why tomcat
would be complaining about certs. Would the response from the outbound
connection be the issue? Also, if I do not "force" common access cards it
works fine.
I will post the full stack tomorrow.
Cheers!

On Fri, Jan 14, 2011 at 5:12 PM, Pid <pi...@pidster.com> wrote:

> On 1/14/11 10:31 PM, g f wrote:
> > Hello all,
> > Not sure if this is the proper area to post but here goes.
> > I have a debian os running Apache 2.2.16(debian) along with tomcat 6.0.29. I
> > use mod_jk as well as mod_auth_kerb module for apache.
> >
> > I use common access cards and allow apache kerb module to handle all auth
> > and it works just fine except when I access some of my apps that have ajax
> > calls back to the same server. Now if I force common access card in apache I
> > get errors in catalina.out as follows:
> >
> > javax.net.ssl.SSLHandshakeException: Received fatal alert:
> > handshake_failure.
> >
> > Now as I said I dont do any auth at the tomcat level its all done at the
> > apache level. It seems like tomcat is trying to validate the client certs
> > that mod_jk is passing along. The question is, how do I tell tomcat to
> > ignore the client certs?
> >
> > I only have the AJP connector active in tomcat and it looks like the
> > following:
> >
> > <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"
> > tomcatAuthentication="false" clientAuth="false" SSLVerifyClient="false" />
> >
> > Any ideas?
>
> Umm, that sounds odd.
>
> Do you get any messages about the connector during server startup?
>
> Do you get a stacktrace or just a log message?  What is the full log
> line or stack?
>
> > If there is an easy way to accept the client certs (even though I do nothing
> > with them) then I could do that as well.
>
>
>
> Are you sure it's not due to an outbound connection attempt from some
> part of your app?
>
>
> p
>
> > Thanks for any advice and sorry if this is not the correct forum for this.
>
>
>

Re: sslHandshakeException

Posted by Pid <pi...@pidster.com>.
On 1/14/11 10:31 PM, g f wrote:
> Hello all,
> Not sure if this is the proper area to post but here goes.
> I have a debian os running Apache 2.2.16(debian) along with tomcat 6.0.29. I
> use mod_jk as well as mod_auth_kerb module for apache.
> 
> I use common access cards and allow apache kerb module to handle all auth
> and it works just fine except when I access some of my apps that have ajax
> calls back to the same server. Now if I force common access card in apache I
> get errors in catalina.out as follows:
> 
> javax.net.ssl.SSLHandshakeException: Received fatal alert:
> handshake_failure.
> 
> Now as I said I dont do any auth at the tomcat level its all done at the
> apache level. It seems like tomcat is trying to validate the client certs
> that mod_jk is passing along. The question is, how do I tell tomcat to
> ignore the client certs?
> 
> I only have the AJP connector active in tomcat and it looks like the
> following:
> 
> <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"
> tomcatAuthentication="false" clientAuth="false" SSLVerifyClient="false" />
> 
> Any ideas?

Umm, that sounds odd.

Do you get any messages about the connector during server startup?

Do you get a stacktrace or just a log message?  What is the full log
line or stack?

> If there is an easy way to accept the client certs (even though I do nothing
> with them) then I could do that as well.



Are you sure it's not due to an outbound connection attempt from some
part of your app?


p

> Thanks for any advice and sorry if this is not the correct forum for this.
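
The outbound-connection question raised in the reply above can be settled from the full stack trace: the frames directly beneath the JSSE classes show which code started the TLS handshake. The sketch below is an added example, not code from the thread; the sample trace and the class `com.example.app.ProxyServlet` are constructed, and the package-prefix lists are assumptions to adjust for the JVM and HTTP libraries in use.

```python
import re

# Constructed sample (not from the thread): a Java 6-era trace in which a
# servlet opens an HTTPS connection and the remote peer rejects the handshake.
SAMPLE_TRACE = """\
javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
    at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:1720)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1139)
    at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:434)
    at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:234)
    at com.example.app.ProxyServlet.doGet(ProxyServlet.java:42)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:617)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
    at org.apache.jk.server.JkCoyoteHandler.invoke(JkCoyoteHandler.java:190)
"""

# "at <class>.<method>(" -> capture the fully qualified class name.
FRAME = re.compile(r"^\s*at\s+([\w.$]+)\.[\w$<>]+\(")
# Prefix lists are assumptions; extend them for other JVMs and libraries.
TLS = ("com.sun.net.ssl.internal.ssl.", "sun.security.ssl.")  # JSSE classes
HTTP_CLIENT = ("sun.net.www.protocol.", "org.apache.commons.httpclient.",
               "org.apache.http.")
CONTAINER = ("org.apache.catalina.", "org.apache.coyote.",
             "org.apache.jk.", "org.apache.tomcat.")
JDK = ("java.", "javax.", "sun.", "com.sun.")


def classify(trace):
    """Return (verdict, first application class below the TLS frames)."""
    classes = [m.group(1) for m in map(FRAME.match, trace.splitlines()) if m]
    tls_idx = [i for i, c in enumerate(classes) if c.startswith(TLS)]
    if not tls_idx:
        return ("no-tls-frames", None)
    callers = classes[tls_idx[-1] + 1:]  # frames that asked for the handshake
    if callers and callers[0].startswith("org.apache.tomcat.util.net."):
        return ("inbound-connector", None)  # Tomcat's own TLS endpoint
    # First frame that is neither JDK, container nor HTTP library: the webapp.
    app = next((c for c in callers
                if not c.startswith(JDK + CONTAINER + HTTP_CLIENT)), None)
    if app or (callers and callers[0].startswith(HTTP_CLIENT)):
        return ("outbound-client", app)
    return ("unknown", None)


if __name__ == "__main__":
    print(classify(SAMPLE_TRACE))
```

An `outbound-client` verdict names the webapp class that opened the connection, which is where to look for the remote endpoint being called.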