
Tomcat SSL Handshake Failure Incident


Overview

This incident type occurs when the SSL/TLS handshake between a client and a Tomcat web server fails. Common causes are an incorrect SSL certificate configuration (expired, wrong file, or incomplete chain), a cipher suite or protocol version mismatch between client and server, and network connectivity or firewall problems. If this type of incident is not resolved quickly, users of the affected service see connection errors or an outright outage.

Parameters

export PATH_TO_SSL_CERTIFICATE="PLACEHOLDER"

export PORT_NUMBER="PLACEHOLDER"

export HOSTNAME="PLACEHOLDER"

export CIPHER_SUITE="PLACEHOLDER"

export PATH_TO_CERTIFICATE="PLACEHOLDER"

export SERVER_CIPHER_SUITE="PLACEHOLDER"

export CLIENT_CIPHER_SUITE="PLACEHOLDER"

Debug

Check if Tomcat service is running

systemctl status tomcat.service

Check Tomcat server.xml file for SSL configuration

grep -i "ssl" /etc/tomcat/conf/server.xml

Check if SSL certificate is valid and not expired

openssl x509 -enddate -noout -in ${PATH_TO_SSL_CERTIFICATE}

Check if SSL certificate is configured correctly

openssl s_client -connect ${HOSTNAME}:${PORT_NUMBER} -servername ${HOSTNAME} -tls1_2 </dev/null

Check if cipher suites are configured correctly

openssl s_client -connect ${HOSTNAME}:${PORT_NUMBER} -servername ${HOSTNAME} -tls1_2 -cipher ${CIPHER_SUITE} </dev/null

Check network connectivity between client and server

ping ${HOSTNAME}

Check firewall rules to ensure they are not blocking SSL traffic

iptables -L
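The Debug commands above print raw openssl output, and the useful signal is usually one line buried in it. The following script is an added example, not part of the original runbook: it captures the output of openssl s_client, pulls out the negotiated cipher, and maps the error text to the most likely cause so the on-call engineer knows which Repair step applies. The pattern strings are real OpenSSL messages; the three sample outputs in the script are constructed, not captured from a live server, and the function and variable names are my own.

```shell
#!/bin/bash
# Added example for the Debug section (not code from the original runbook):
# a triage helper that maps the text `openssl s_client` prints to the most
# likely cause of a handshake failure. Pattern strings are real OpenSSL
# messages; the SAMPLE_* outputs are constructed for the demo.

# Classify captured s_client output (stdout+stderr) into a cause keyword
# followed by a one-line explanation. Earlier cases win, so the specific
# "expired" verify code is tested before the generic verify-code case.
classify_handshake_output() {
  out="$1"
  case "$out" in
    *"Connection refused"*|*"connect:errno="*)
      echo "no-listener: nothing accepted the TCP connection; check 'systemctl status tomcat.service' and the port number" ;;
    *"wrong version number"*)
      echo "not-tls: the port answered with non-TLS bytes; you are probably hitting the plain HTTP connector" ;;
    *"alert handshake failure"*|*"no ciphers available"*)
      echo "cipher-or-protocol-mismatch: client and server share no cipher suite or protocol version; compare the Connector ciphers/sslProtocol with the client" ;;
    *"Verify return code: 10 ("*)
      echo "expired-cert: the server certificate has expired; renew it and reinstall" ;;
    *"Verify return code: 0 ("*)
      echo "ok: the handshake completed and the chain verified" ;;
    *"Verify return code: "*)
      echo "chain-problem: the handshake completed but the chain did not verify; check the intermediates in the keystore" ;;
    *)
      echo "unknown: read the full s_client output" ;;
  esac
}

# Extract the negotiated cipher from s_client output. "(NONE)" or an empty
# string means no TLS session was established.
negotiated_cipher() {
  printf '%s\n' "$1" | sed -n 's/^New, .*Cipher is \(.*\)$/\1/p' | head -n1
}

# Live check against a real endpoint: capture both streams, then classify.
# </dev/null makes s_client exit right after the handshake instead of waiting
# for input on stdin; -servername sends SNI so virtual-host certs are selected.
check_handshake() {
  host="$1"
  port="$2"
  out=$(openssl s_client -connect "$host:$port" -servername "$host" -tls1_2 </dev/null 2>&1)
  echo "cipher: $(negotiated_cipher "$out")"
  classify_handshake_output "$out"
}

# Constructed samples that mimic typical s_client output shapes.
SAMPLE_OK='CONNECTED(00000003)
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
    Verify return code: 0 (ok)'
SAMPLE_MISMATCH='CONNECTED(00000003)
140234:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:s3_pkt.c:1493:SSL alert number 40
New, (NONE), Cipher is (NONE)'
SAMPLE_EXPIRED='CONNECTED(00000003)
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
    Verify return code: 10 (certificate has expired)'

demo() {
  for s in "$SAMPLE_OK" "$SAMPLE_MISMATCH" "$SAMPLE_EXPIRED"; do
    echo "cipher: $(negotiated_cipher "$s") -> $(classify_handshake_output "$s")"
  done
}

# Usage: ./triage.sh HOST PORT runs the live check; with no arguments the
# constructed samples are classified instead.
if [ "$#" -ge 2 ]; then
  check_handshake "$1" "$2"
else
  demo
fi
```

Run it as `./triage.sh ${HOSTNAME} ${PORT_NUMBER}` after exporting the Parameters. A "cipher-or-protocol-mismatch" result points at the second Repair step, "expired-cert" at the first, and "no-listener" or "not-tls" at the service and port checks rather than at anything TLS-related.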

Repair

Check the SSL certificate configuration and make sure that it is valid and properly installed on the server.

#!/bin/bash

# Set the path to the SSL certificate
CERT_PATH=${PATH_TO_CERTIFICATE}

# Verify that the certificate parses and has not expired.
# (openssl x509 has no -check option; -checkend 0 fails if the certificate
# cannot be read or is already expired.)
if ! openssl x509 -in "$CERT_PATH" -noout -checkend 0; then
  # If the certificate is not valid, print an error message and exit
  echo "Error: The SSL certificate is not valid or is not properly installed."
  exit 1
fi

# If the certificate is valid, print a success message
echo "Success: The SSL certificate is valid and properly installed."

Verify that the cipher suites used by the client and server are compatible and properly configured. If necessary, update the cipher suite configuration on either the client or server to match the other.

#!/bin/bash

# Set variables for client and server cipher suites
client_cipher_suite=${CLIENT_CIPHER_SUITE}
server_cipher_suite=${SERVER_CIPHER_SUITE}

# Check the current cipher suite configuration on the server.
# Tomcat's cipher list is the Connector's ciphers="..." attribute;
# sslProtocol selects the protocol version, not the ciphers.
current_server_cipher_suite=$(grep -i 'ciphers=' /etc/tomcat/server.xml)

# If the current server cipher suite is not the same as the desired one, update the server configuration.
# Only the attribute value is replaced, so the other Connector attributes on the line are preserved.
if [[ $current_server_cipher_suite != *"$server_cipher_suite"* ]]; then
  sed -i "s|ciphers=\"[^\"]*\"|ciphers=\"$server_cipher_suite\"|" /etc/tomcat/server.xml
  systemctl restart tomcat
fi

# Check the current cipher suite configuration on the client (Apache httpd)
current_client_cipher_suite=$(grep -i '^\s*SSLCipherSuite' /etc/httpd/conf.d/ssl.conf)

# If the current client cipher suite is not the same as the desired one, update the client configuration.
# Double quotes are required so the shell expands $client_cipher_suite inside the sed expression.
if [[ $current_client_cipher_suite != *"$client_cipher_suite"* ]]; then
  sed -i "s|^\(\s*\)SSLCipherSuite .*|\1SSLCipherSuite $client_cipher_suite|" /etc/httpd/conf.d/ssl.conf
  systemctl restart httpd
fi
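The repair script above edits the server configuration as soon as the configured list differs from the desired one. A practitioner usually wants to know first whether the two sides share any suite at all, and wants the edit to touch only the ciphers attribute while keeping a backup. The script below is an added example, not code from the original runbook or from the Tomcat project: common_ciphers lists the suites present in both a server list and a client list, current_connector_ciphers reads the Connector's ciphers attribute, and set_connector_ciphers rewrites that attribute in place and verifies the result. The Connector fragment written by demo() is constructed, and all function names are my own.

```shell
#!/bin/bash
# Added example for the cipher-suite Repair step (not code from the original
# runbook). common_ciphers reports the suites a server list and a client list
# share (an empty result explains a handshake failure before anything is
# edited); set_connector_ciphers rewrites only the ciphers="..." attribute of
# the Tomcat Connector, keeping a backup and every other attribute on the line.
# The server.xml fragment written by demo() is constructed.

# Print, one per line and in server order, the suites present in both lists.
# Lists may be comma- or colon-separated (OpenSSL and Tomcat accept both).
common_ciphers() {
  server=$(printf '%s' "$1" | tr ':' ',')
  client=",$(printf '%s' "$2" | tr ':' ','),"
  old_ifs=$IFS
  IFS=','
  for s in $server; do
    case "$client" in
      *",$s,"*) printf '%s\n' "$s" ;;
    esac
  done
  IFS=$old_ifs
}

# Print the value of the first ciphers="..." attribute in a server.xml.
current_connector_ciphers() {
  sed -n 's/.*ciphers="\([^"]*\)".*/\1/p' "$1" | head -n1
}

# Replace the ciphers attribute value in place. Returns 1 (and changes
# nothing) if the file has no ciphers attribute; verifies the edit before
# returning 0. '|' is a safe sed delimiter because cipher names never contain it.
set_connector_ciphers() {
  file="$1"
  ciphers="$2"
  if ! grep -q 'ciphers="' "$file"; then
    echo "error: no ciphers=\"...\" attribute in $file" >&2
    return 1
  fi
  cp "$file" "$file.bak"
  sed -i "s|ciphers=\"[^\"]*\"|ciphers=\"$ciphers\"|" "$file"
  [ "$(current_connector_ciphers "$file")" = "$ciphers" ]
}

demo() {
  tmp=$(mktemp)
  # Constructed Connector: the server only offers a legacy CBC suite.
  cat > "$tmp" <<'EOF'
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true" scheme="https" secure="true"
           ciphers="AES128-SHA" sslProtocol="TLS" />
EOF
  client_list="ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384"
  echo "server offers: $(current_connector_ciphers "$tmp")"
  echo "client offers: $client_list"
  shared=$(common_ciphers "$(current_connector_ciphers "$tmp")" "$client_list")
  echo "shared suites: ${shared:-none (handshake cannot succeed)}"
  set_connector_ciphers "$tmp" "$(printf '%s' "$client_list" | tr ':' ',')"
  echo "after repair:  $(current_connector_ciphers "$tmp")"
  rm -f "$tmp" "$tmp.bak"
}

demo
```

On a real host, point set_connector_ciphers at the live server.xml with ${SERVER_CIPHER_SUITE}, then run `systemctl restart tomcat` and repeat the openssl s_client check from the Debug section; the backup written next to the file makes rolling back a single copy.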
