Error during SSL Handshake with remote server
Solution 1
The comment by MK pointed me in the right direction.
In the case of Apache 2.4 and up, there are different defaults and a new directive.
I am running Apache 2.4.6, and I had to add the following directives to get it working:
SSLProxyEngine on
SSLProxyVerify none
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off
SSLProxyCheckPeerExpire off
Solution 2
I have 2 servers set up on Docker, a reverse proxy and a web server. This error started happening for all my websites all of a sudden after 1 year. When setting up earlier, I generated a self-signed certificate on the web server.
So, I had to generate the SSL certificate again and it started working...
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout ssl.key -out ssl.crt
Solution 3
Faced the same problem as OP:
- Tomcat returned response when accessing directly via SOAP UI
- Didn't load html files
- When I used the Apache properties mentioned in the previous answer, the web page appeared but AngularJS couldn't get an HTTP response
The Tomcat SSL certificate had expired while the browser showed it as secure (the Apache certificate was far from expiration). Updating the Tomcat KeyStore file solved the problem.
Solution 4
On a remote OEL (Oracle Enterprise Linux) 7.8 server, I have a backend web application running with HTTPS on port 8009. As it's a third-party app, I did not have the choice to disable SSL or change the port.
As I needed to access the web app from my local machine's browser, I thought of setting up a reverse proxy (HTTP to HTTPS mapping) using Apache httpd. Now I can access the web app from my local browser through the URL below:
http://10.157.146.97:1234/
FYI, the curl commands that worked inside the Linux machine were these:
curl http://10.157.146.97:1234/
curl -k https://localhost:8009/
Here is my reverse proxy setup:
/etc/httpd/conf/httpd.conf
Listen 1234
<VirtualHost *:1234>
SSLProxyEngine On
SSLProxyVerify none
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off
SSLProxyCheckPeerExpire off
ProxyPreserveHost On
ProxyPass / https://localhost:8009/
ProxyPassReverse / https://localhost:8009/
</VirtualHost>
One aspect I struggled with a lot: earlier I was trying with a URL pattern (/sample) in ProxyPass/ProxyPassReverse, but that was causing HTTP 404 (not found) for css/js files, as the web app's welcome page contains relative css/js paths (sample code below). So replacing the URL pattern (/sample) with (/) solved that problem too.
Previous (not working) config:
ProxyPass /sample https://localhost:8009/
ProxyPassReverse /sample https://localhost:8009/
<script defer src="abc.js"></script><link href="xyz.css" rel="stylesheet"></head>
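As an added example (not code from any of the answers above), the script below ties Solutions 1, 2 and 4 together from the verifying side: it generates a backend certificate the way Solution 2 does, but with a subjectAltName equal to the ProxyPass hostname; it then runs the three checks that mod_ssl performs and that "SSLProxyVerify none / SSLProxyCheckPeer* off" switch off (chain, expiry, hostname), so the actual cause of "Error during SSL Handshake" is known before httpd.conf is touched; and it prints proxy directives that keep verification on by pinning the backend's own certificate with SSLProxyCACertificateFile (the option ndbroadbent suggests in the comments). WORKDIR, BACKEND_HOST, BACKEND_PORT and the function names are this example's own assumptions; openssl 1.1.1 or later on PATH is assumed for -addext.

```shell
#!/bin/sh
# Added example, not from the answers above. Generates a self-signed backend
# cert whose SAN matches the ProxyPass hostname, runs the peer checks that
# SSLProxyVerify / SSLProxyCheckPeerName / SSLProxyCheckPeerExpire perform,
# and prints an Apache vhost that trusts exactly this cert instead of
# disabling verification. Assumes openssl >= 1.1.1 (for -addext).
# WORKDIR, BACKEND_HOST and BACKEND_PORT are this example's own names.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"        # where ssl.key / ssl.crt are written
BACKEND_HOST="${BACKEND_HOST:-localhost}" # must equal the host used in ProxyPass
BACKEND_PORT="${BACKEND_PORT:-8009}"
DAYS="${DAYS:-365}"

# Same idea as Solution 2's "openssl req -x509", plus a subjectAltName:
# since Apache 2.4.5 SSLProxyCheckPeerName matches the SAN, so a CN-only
# certificate fails the hostname check.
gen_backend_cert() {
    openssl req -x509 -nodes -newkey rsa:2048 -days "$DAYS" \
        -keyout "$WORKDIR/ssl.key" -out "$WORKDIR/ssl.crt" \
        -subj "/CN=$BACKEND_HOST" \
        -addext "subjectAltName=DNS:$BACKEND_HOST" >/dev/null 2>&1
}

# Mirror the three peer checks the answers disable. Prints "ok", or the name
# of the failing check, so the cause is known before changing httpd.conf.
check_backend_cert() {
    crt="$WORKDIR/ssl.crt"
    # chain: the cert must validate against the file given to SSLProxyCACertificateFile
    openssl verify -CAfile "$crt" "$crt" >/dev/null 2>&1 || { echo "chain"; return 1; }
    # expiry: fails once notAfter has passed (Solution 3's case)
    openssl x509 -in "$crt" -noout -checkend 0 >/dev/null || { echo "expiry"; return 1; }
    # name: the SAN must carry the hostname used in ProxyPass
    openssl x509 -in "$crt" -noout -text | grep -q "DNS:$BACKEND_HOST" || { echo "name"; return 1; }
    echo "ok"
}

# Returns 0 if the cert is still valid N days from now, 1 otherwise.
# Useful as a monitoring check, so Solution 2's "everything broke after a
# year" is caught before it happens.
valid_for_days() {
    openssl x509 -in "$WORKDIR/ssl.crt" -noout -checkend $(( $1 * 86400 )) >/dev/null
}

# Proxy-side directives: verification stays on, the trust anchor is the
# backend's own self-signed cert (depth 0 = only self-signed peers accepted).
print_apache_config() {
    cat <<EOF
# Hardened alternative to "SSLProxyVerify none" (added example)
SSLProxyEngine on
SSLProxyVerify require
SSLProxyVerifyDepth 0
SSLProxyCACertificateFile $WORKDIR/ssl.crt
SSLProxyCheckPeerName on
SSLProxyCheckPeerExpire on
ProxyPreserveHost On
ProxyPass / https://$BACKEND_HOST:$BACKEND_PORT/
ProxyPassReverse / https://$BACKEND_HOST:$BACKEND_PORT/
EOF
}

gen_backend_cert
check_backend_cert
print_apache_config
```

To use it, install ssl.key/ssl.crt on the backend (the Docker web server, or imported into the Tomcat keystore) and paste the printed block into the proxy's VirtualHost (SSLProxyCACertificateFile is valid in server and virtual host context). The trade-off against "none/off" is operational: when the backend certificate is rotated, as in Solution 2, the copy named by SSLProxyCACertificateFile must be replaced too, otherwise the proxy fails the handshake again; that is the case check_backend_cert reports as "chain" when run against the new certificate with the old trust file.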
Solution 5
Note that the error might also occur when your system has TLSv1 disabled, as e.g. Ubuntu 20.x has TLSv1.0 disabled by default. For example, if you have something like this:
Apache 2.4.41 on Ubuntu 20 (proxy) --[https]--> old Apache serving TLS v1.0
SSLProxyVerify etc. will not help you.
What you need to do is to enable TLS 1.0 in openssl.cnf. At least until you can update the old server 🙊...
Enabling old TLS on Ubuntu
So in Ubuntu 20.04.3, to effectively enable TLSv1, change /etc/ssl/openssl.cnf. At the top of the file (before any sections) add:
# Added to enable TLS1.0
openssl_conf = default_conf
And on the very end of the file
##
# Added to enable TLS1.0
[default_conf]
ssl_conf = ssl_sect
[ssl_sect]
system_default = system_default_sect
[system_default_sect]
CipherString = DEFAULT@SECLEVEL=1
##
Comments are obviously not required 😉, but will help when you want to disable TLS1 again.
Once you restart / reboot everything should work fine.
Note that this is a global (system-wide) change. So it is not ideal, but it just works. See also: more notes about Ubuntu and default TLS versions.
user2791481
Updated on July 08, 2022
Comments
- user2791481 almost 2 years: I have Apache2 (listening on 443) and a web app running on Tomcat7 (listening on 8443) on Ubuntu. I set apache2 as reverse proxy so that I access the web app through port 443 instead of 8443. Besides, I need to have SSL communication not only between browser and apache2 but also between apache2 and tomcat7, thus I set SSL on both apache2 and tomcat7. If I try to access the web app by directly contacting tomcat7, everything is fine. The problem is that when I try to access the tomcat's web app through apache2 (reverse proxy), on the browser appears the error:
Proxy Error The proxy server could not handle the request GET /web_app. Reason: Error during SSL Handshake with remote server
- MK. over 10 years: Apache does not trust the certificate you have installed on the Tomcat. Is it a self-signed cert? Or is it made by an in-house CA?
- user2791481 over 10 years: It is self-signed with this command: openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
- MK. over 10 years: serverfault.com/questions/356678/… I think this is what you want: SSLProxyVerify none SSLProxyCheckPeerCN off
- ndbroadbent over 10 years: Better to set SSLProxyCACertificateFile to your private CA certificate, instead of just turning off verification.
- HybrisHelp about 6 years: as explained in this blog you can turn off the SSL checks.
- bgStack15 almost 9 years: So this turns off the protection, but as long as the traffic is local (i.e., 127.0.0.1:8443) it should be less of a problem, right?
- mydoghasworms almost 9 years: Well, it doesn't turn off the protection as far as encryption is concerned. The traffic is still encrypted. This just disables the checking of the cert to make sure it is by a trusted authority. So if you trust the server, you should not have a problem. But yes, for local traffic I think you are fine too.
- JRichardsz almost 8 years: Thanks mydoghasworms. Your directives work in Server version: Apache/2.4.6. If someone needs to know the version of httpd, use this: httpd -V
- copeland3300 over 3 years: I just ran into an AH01097 error on Apache 2.4.29, so somewhat similar to the original issue. I added all of the above to my /etc/apache2/apache2.conf file, and worked my way through them to see which made a difference. In my case, SSLProxyCheckPeerExpire off was what allowed the handshake to finally succeed.
- nirmalsingh over 2 years: This helped me to set up my HTTP to HTTPS mapping reverse proxy. Please refer to my detailed note in the answers below, as comments have a character limit.
- Piotr P. Karwasz over 2 years: There are a couple of problems with your solution: 1. you are not changing the protocol settings, but the list of ciphersuites (MinProtocol and MaxProtocol change the protocols), 2. you are changing the default configuration of all software using OpenSSL, not just the settings of the proxy connection, 3. most software (including Apache2) always overrides these default settings. For Apache2 see the SSLProxyProtocol directive.
- Nux over 2 years: Well, when I upgraded from Ubuntu 18 to 20 this worked out of the box. And I didn't have to change anything in my Apache conf. And also curl started to work (and before this change it reported "unsupported protocol"). So it does change supported protocol versions. But yes, you are right that the change is global.
- Nux over 2 years: I checked and I have default settings for the proxy protocol, so SSLProxyProtocol all -SSLv3, so that would include TLS1.0. And still connecting to a TLS1 server didn't work from Ubuntu 20.
- Piotr P. Karwasz over 2 years: I wrongly assumed Ubuntu's and Debian's openssl packages are in sync. Whereas Debian chose to add a MinProtocol default to openssl.cnf, Ubuntu chose a more drastic solution and hardcoded a minimum version of 1.2 into security level 2.