---
id: 8d19d14d-67f2-4696-90d1-5f62c24921e1
---

# Tomcat SSL Handshake Failure Incident
---

This incident type usually occurs when there is a failure in the SSL Handshake process between a client and server running on a Tomcat web server. This can happen for various reasons such as incorrect SSL certificate configuration, cipher suite mismatches, or network connectivity issues. When this type of incident is not resolved quickly, it can lead to downtime or service disruptions for users trying to access the affected service.

### Parameters
```shell

export PATH_TO_SSL_CERTIFICATE="PLACEHOLDER"

export PORT_NUMBER="PLACEHOLDER"

export HOSTNAME="PLACEHOLDER"

export CIPHER_SUITE="PLACEHOLDER"

export PATH_TO_CERTIFICATE="PLACEHOLDER"

export SERVER_CIPHER_SUITE="PLACEHOLDER"

export CLIENT_CIPHER_SUITE="PLACEHOLDER"
```

## Debug

### Check if Tomcat service is running
```shell
systemctl status tomcat.service
```

### Check Tomcat server.xml file for SSL configuration
```shell
grep -i "ssl" /etc/tomcat/conf/server.xml
```

### Check if SSL certificate is valid and not expired
```shell
openssl x509 -enddate -noout -in ${PATH_TO_SSL_CERTIFICATE}
```

### Check if SSL certificate is configured correctly
```shell
openssl s_client -connect ${HOSTNAME}:${PORT_NUMBER} -tls1_2
```

### Check if cipher suites are configured correctly
```shell
openssl s_client -connect ${HOSTNAME}:${PORT_NUMBER} -tls1_2 -cipher ${CIPHER_SUITE}
```

### Check network connectivity between client and server
```shell
ping ${HOSTNAME}
```

### Check firewall rules to ensure they are not blocking SSL traffic
```shell
iptables -L
```

## Repair

### Check the SSL certificate configuration and make sure that it is valid and properly installed on the server.
```shell


#!/bin/bash



# Set the path to the SSL certificate

CERT_PATH=${PATH_TO_CERTIFICATE}



# Verify that the certificate is valid and properly installed

openssl x509 -in $CERT_PATH -noout -check



# If the certificate is not valid, print an error message and exit

if [ $? -ne 0 ]; then

    echo "Error: The SSL certificate is not valid or is not properly installed."

    exit 1

fi



# If the certificate is valid, print a success message

echo "Success: The SSL certificate is valid and properly installed."


```

### Verify that the cipher suites used by the client and server are compatible and properly configured. If necessary, update the cipher suite configuration on either the client or server to match the other.
```shell


#!/bin/bash



# Set variables for client and server cipher suites

client_cipher_suite=${CLIENT_CIPHER_SUITE}

server_cipher_suite=${SERVER_CIPHER_SUITE}



# Check the current cipher suite configuration on the server

current_server_cipher_suite=$(grep -i sslprotocol /etc/tomcat/server.xml)



# If the current server cipher suite is not the same as the desired one, update the server configuration

if [[ $current_server_cipher_suite != *$server_cipher_suite* ]]; then

    sed -i 's|.*sslProtocol=.*|   sslProtocol="$server_cipher_suite"|g' /etc/tomcat/server.xml

    systemctl restart tomcat

fi



# Check the current cipher suite configuration on the client

current_client_cipher_suite=$(grep -i sslprotocol /etc/httpd/conf.d/ssl.conf)



# If the current client cipher suite is not the same as the desired one, update the client configuration

if [[ $current_client_cipher_suite != *$client_cipher_suite* ]]; then

    sed -i 's|.*SSLCipherSuite .*|   SSLCipherSuite $client_cipher_suite|g' /etc/httpd/conf.d/ssl.conf

    systemctl restart httpd

fi


```

This incident type usually occurs when there is a failure in the SSL Handshake process between a client and server running on a Tomcat web server. This can happen for various reasons such as incorrect SSL certificate configuration, cipher suite mismatches, or network connectivity issues. When this type of incident is not resolved quickly, it can lead to downtime or service disruptions for users trying to access the affected service.


When too many requests are sent to a Tomcat server, the thread pools that handle these requests can run out of available threads. This means that incoming requests will not be processed, leading to service degradation or even a complete outage. This incident type is critical for web applications that rely on Tomcat as their application server.


Tomcat thread pool exhaustion.

Tomcat Servlet Session Replication Failures occur when a Tomcat server fails to replicate session data between instances. This can result in users losing their session data or being redirected to a different instance, causing disruption to the application's functionality.


Tomcat Servlet Session Replication Failures.

Tomcat Server Crash incident type refers to a situation where the Tomcat Server, an open-source web server and servlet container, becomes unresponsive and stops functioning. This can result in a complete or partial system outage, leading to a disruption in the delivery of web applications and services. The root cause of the crash can be attributed to a variety of factors such as misconfiguration, network or hardware issues, software bugs, or excessive server load. It is critical to address this incident quickly to minimize the impact on users and restore normal system functionality.


Tomcat Server Crash

This incident type is related to the Tomcat server, which is a popular open-source Java application server. It occurs when the available threads in the connection pool are running low, which means that there are not enough resources to serve incoming requests. This can cause delays or even failures in the application's performance, impacting the end-user experience. It is important to monitor and address this issue promptly to ensure that the application runs smoothly and efficiently.


Tomcat Low Available Threads in Connection Pool

Tomcat JVM OutOfMemory incident occurs when the Java Virtual Machine (JVM) running the Apache Tomcat server runs out of memory, which causes the server to crash or become unresponsive. This type of incident can happen due to a variety of reasons such as incorrect configuration settings, memory leaks, or insufficient memory allocation. When this incident occurs, it can impact the availability and performance of the web application running on the Tomcat server.


Tomcat JVM OutOfMemory Incident

```shell

export PATH_TO_SSL_CERTIFICATE="PLACEHOLDER"

export PORT_NUMBER="PLACEHOLDER"

export HOSTNAME="PLACEHOLDER"

export CIPHER_SUITE="PLACEHOLDER"

export PATH_TO_CERTIFICATE="PLACEHOLDER"

export SERVER_CIPHER_SUITE="PLACEHOLDER"

export CLIENT_CIPHER_SUITE="PLACEHOLDER"
```


### Check if Tomcat service is running

```shell
systemctl status tomcat.service
```

### Check Tomcat server.xml file for SSL configuration

```shell
grep -i "ssl" /etc/tomcat/conf/server.xml
```

### Check if SSL certificate is valid and not expired

```shell
openssl x509 -enddate -noout -in ${PATH_TO_SSL_CERTIFICATE}
```

### Check if SSL certificate is configured correctly

```shell
openssl s_client -connect ${HOSTNAME}:${PORT_NUMBER} -tls1_2
```

### Check if cipher suites are configured correctly

```shell
openssl s_client -connect ${HOSTNAME}:${PORT_NUMBER} -tls1_2 -cipher ${CIPHER_SUITE}
```

### Check network connectivity between client and server

```shell
ping ${HOSTNAME}
```

### Check firewall rules to ensure they are not blocking SSL traffic

```shell
iptables -L
```


### Check the SSL certificate configuration and make sure that it is valid and properly installed on the server.

```shell


#!/bin/bash



# Set the path to the SSL certificate

CERT_PATH=${PATH_TO_CERTIFICATE}



# Verify that the certificate is valid and properly installed

openssl x509 -in $CERT_PATH -noout -check



# If the certificate is not valid, print an error message and exit

if [ $? -ne 0 ]; then

    echo "Error: The SSL certificate is not valid or is not properly installed."

    exit 1

fi



# If the certificate is valid, print a success message

echo "Success: The SSL certificate is valid and properly installed."


```

### Verify that the cipher suites used by the client and server are compatible and properly configured. If necessary, update the cipher suite configuration on either the client or server to match the other.

```shell


#!/bin/bash



# Set variables for client and server cipher suites

client_cipher_suite=${CLIENT_CIPHER_SUITE}

server_cipher_suite=${SERVER_CIPHER_SUITE}



# Check the current cipher suite configuration on the server

current_server_cipher_suite=$(grep -i sslprotocol /etc/tomcat/server.xml)



# If the current server cipher suite is not the same as the desired one, update the server configuration

if [[ $current_server_cipher_suite != *$server_cipher_suite* ]]; then

    sed -i 's|.*sslProtocol=.*|   sslProtocol="$server_cipher_suite"|g' /etc/tomcat/server.xml

    systemctl restart tomcat

fi



# Check the current cipher suite configuration on the client

current_client_cipher_suite=$(grep -i sslprotocol /etc/httpd/conf.d/ssl.conf)



# If the current client cipher suite is not the same as the desired one, update the client configuration

if [[ $current_client_cipher_suite != *$client_cipher_suite* ]]; then

    sed -i 's|.*SSLCipherSuite .*|   SSLCipherSuite $client_cipher_suite|g' /etc/httpd/conf.d/ssl.conf

    systemctl restart httpd

fi


```


Tomcat SSL Handshake Failure Incident

Overview

Parameters

Debug

Check if Tomcat service is running

Check Tomcat server.xml file for SSL configuration

Check if SSL certificate is valid and not expired

Check if SSL certificate is configured correctly

Check if cipher suites are configured correctly

Check network connectivity between client and server

Check firewall rules to ensure they are not blocking SSL traffic

Repair

Check the SSL certificate configuration and make sure that it is valid and properly installed on the server.

Verify that the cipher suites used by the client and server are compatible and properly configured. If necessary, update the cipher suite configuration on either the client or server to match the other.

Learn more

Related Runbooks

Tomcat thread pool exhaustion.

Tomcat Servlet Session Replication Failures.

Tomcat Server Crash

Tomcat Low Available Threads in Connection Pool

Support