RE: Weirdness with our Tomcat webapp, at only one customer

James,
I'm no Java expert. Just speaking on protocols I would find out the list of protocols accepted by googleapis. Then I would remove as many obsolete protocols you attempt to connect with.

Some references
https://www-01.ibm.com/support/docview.wss?uid=nas8N1020876
https://developer.ibm.com/answers/questions/242997/how-to-configure-websphere-application-server-to-u/
https://tomcat.apache.org/tomcat-8.5-doc/config/http.html#SSL_Support

If you're running IBM i 7.1 or older you may be in a world of hurt.

-----Original Message-----
From: JAVA400-L <java400-l-bounces@xxxxxxxxxxxxxxxxxx> On Behalf Of James Lampert
Sent: Friday, May 31, 2019 6:45 PM
To: Java 400 List <java400-l@xxxxxxxxxxxxxxxxxx>
Subject: Weirdness with our Tomcat webapp, at only one customer

We've got a customer with a problem. And I can't make head or tail of it.

The Tomcat-based webapp on our CRM product makes a call to maps.googleapis.com:

https://maps.googleapis.com/maps/api/geocode/json?key=<REDACTED>&addre
ss=<REDACTED>

In every other installation of the product, it works just fine, under Java 6, Java 7, and Java 8 JVMs.

But on this one customer box, it fails, throwing either

java.net.ConnectException: Failed to connect to
maps.googleapis.com/2607:f8b0:4009:807:0:0:0:200a:443

or

Unable to find acceptable protocols. isFallback=false,
modes=[ConnectionSpec(cipherSuites=[TLS_ECDHE_ECDSA_WITH_AES_128_GCM_S
HA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_GCM_SHA256,
TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA,
TLS_RSA_WITH_3DES_EDE_CBC_SHA], tlsVersions=[TLS_1_2, TLS_1_1,
TLS_1_0], supportsTlsExtensions=true),
ConnectionSpec(cipherSuites=[TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_GCM_SHA256,
TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA,
TLS_RSA_WITH_3DES_EDE_CBC_SHA], tlsVersions=[TLS_1_0],
supportsTlsExtensions=true), ConnectionSpec()], supported
protocols=[TLSv1]

(and which one gets thrown seems to be at random, without apparent rhyme or reason). And it's not getting thrown in our code: it's getting thrown in classes and methods belonging to something called "squareup.okhttp."

But I can ping maps.googleapis.com from their command line just fine.

I wrote a simple RPG program to send the exact same request through Scott Klement's HTTPAPI. As soon as I got it working on our box, I stuck it into a save file, and squirted it over to the customer box, where it also worked just fine.

One suggestion I got from a Tomcat List member was to try compiling and running the simple cipher list program found at

https://confluence.atlassian.com/stashkb/list-ciphers-used-by-jvm-6796
09085.html

If I set the same JAVA_HOME as Tomcat was launched under, and compile and run "Ciphers.java" from the above site, on the customer box, I
get:

Default Cipher
SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SH
* SSL_DHE_DSS_WITH_AES_128_CBC_SHA
* SSL_DHE_DSS_WITH_AES_128_CBC_SHA256
SSL_DHE_DSS_WITH_AES_128_GCM_SHA256
* SSL_DHE_DSS_WITH_AES_256_CBC_SHA
* SSL_DHE_DSS_WITH_AES_256_CBC_SHA256
SSL_DHE_DSS_WITH_AES_256_GCM_SHA384
SSL_DHE_DSS_WITH_DES_CBC_SHA
SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
* SSL_DHE_RSA_WITH_AES_128_CBC_SHA
* SSL_DHE_RSA_WITH_AES_128_CBC_SHA256
SSL_DHE_RSA_WITH_AES_128_GCM_SHA256
* SSL_DHE_RSA_WITH_AES_256_CBC_SHA
* SSL_DHE_RSA_WITH_AES_256_CBC_SHA256
SSL_DHE_RSA_WITH_AES_256_GCM_SHA384
SSL_DHE_RSA_WITH_DES_CBC_SHA
SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA
SSL_DH_anon_WITH_AES_128_CBC_SHA
SSL_DH_anon_WITH_AES_128_CBC_SHA256
SSL_DH_anon_WITH_AES_128_GCM_SHA256
SSL_DH_anon_WITH_AES_256_CBC_SHA
SSL_DH_anon_WITH_AES_256_CBC_SHA256
SSL_DH_anon_WITH_AES_256_GCM_SHA384
SSL_DH_anon_WITH_DES_CBC_SHA
* SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
* SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
SSL_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
* SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
* SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
SSL_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
SSL_ECDHE_ECDSA_WITH_NULL_SHA
* SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA
* SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA256
SSL_ECDHE_RSA_WITH_AES_128_GCM_SHA256
* SSL_ECDHE_RSA_WITH_AES_256_CBC_SHA
* SSL_ECDHE_RSA_WITH_AES_256_CBC_SHA384
SSL_ECDHE_RSA_WITH_AES_256_GCM_SHA384
SSL_ECDHE_RSA_WITH_NULL_SHA
* SSL_ECDH_ECDSA_WITH_AES_128_CBC_SHA
* SSL_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
SSL_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
* SSL_ECDH_ECDSA_WITH_AES_256_CBC_SHA
* SSL_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
SSL_ECDH_ECDSA_WITH_AES_256_GCM_SHA384
SSL_ECDH_ECDSA_WITH_NULL_SHA
* SSL_ECDH_RSA_WITH_AES_128_CBC_SHA
* SSL_ECDH_RSA_WITH_AES_128_CBC_SHA256
SSL_ECDH_RSA_WITH_AES_128_GCM_SHA256
* SSL_ECDH_RSA_WITH_AES_256_CBC_SHA
* SSL_ECDH_RSA_WITH_AES_256_CBC_SHA384
SSL_ECDH_RSA_WITH_AES_256_GCM_SHA384
SSL_ECDH_RSA_WITH_NULL_SHA
SSL_ECDH_anon_WITH_AES_128_CBC_SHA
SSL_ECDH_anon_WITH_AES_256_CBC_SHA
SSL_ECDH_anon_WITH_NULL_SHA
SSL_KRB5_EXPORT_WITH_DES_CBC_40_MD5
SSL_KRB5_EXPORT_WITH_DES_CBC_40_SHA
SSL_KRB5_WITH_DES_CBC_MD5
SSL_KRB5_WITH_DES_CBC_SHA
SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
SSL_RSA_FIPS_WITH_DES_CBC_SHA
* SSL_RSA_WITH_AES_128_CBC_SHA
* SSL_RSA_WITH_AES_128_CBC_SHA256
SSL_RSA_WITH_AES_128_GCM_SHA256
* SSL_RSA_WITH_AES_256_CBC_SHA
* SSL_RSA_WITH_AES_256_CBC_SHA256
SSL_RSA_WITH_AES_256_GCM_SHA384
SSL_RSA_WITH_DES_CBC_SHA
SSL_RSA_WITH_NULL_MD5
SSL_RSA_WITH_NULL_SHA
SSL_RSA_WITH_NULL_SHA256
* TLS_EMPTY_RENEGOTIATION_INFO_SCSV

FOR COMPARISON PURPOSES, what we get on our box is:

Default Cipher
* SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
* SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
* SSL_DHE_DSS_WITH_AES_128_CBC_SHA
* SSL_DHE_DSS_WITH_AES_256_CBC_SHA
* SSL_DHE_DSS_WITH_DES_CBC_SHA
* SSL_DHE_DSS_WITH_RC4_128_SHA
* SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
* SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
* SSL_DHE_RSA_WITH_AES_128_CBC_SHA
* SSL_DHE_RSA_WITH_AES_256_CBC_SHA
* SSL_DHE_RSA_WITH_DES_CBC_SHA
SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA
SSL_DH_anon_EXPORT_WITH_RC4_40_MD5
SSL_DH_anon_WITH_3DES_EDE_CBC_SHA
SSL_DH_anon_WITH_AES_128_CBC_SHA
SSL_DH_anon_WITH_AES_256_CBC_SHA
SSL_DH_anon_WITH_DES_CBC_SHA
SSL_DH_anon_WITH_RC4_128_MD5
SSL_KRB5_EXPORT_WITH_DES_CBC_40_MD5
SSL_KRB5_EXPORT_WITH_DES_CBC_40_SHA
SSL_KRB5_EXPORT_WITH_RC4_40_MD5
SSL_KRB5_EXPORT_WITH_RC4_40_SHA
SSL_KRB5_WITH_3DES_EDE_CBC_MD5
SSL_KRB5_WITH_3DES_EDE_CBC_SHA
SSL_KRB5_WITH_DES_CBC_MD5
SSL_KRB5_WITH_DES_CBC_SHA
SSL_KRB5_WITH_RC4_128_MD5
SSL_KRB5_WITH_RC4_128_SHA
* SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
* SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5
* SSL_RSA_EXPORT_WITH_RC4_40_MD5
* SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA
* SSL_RSA_FIPS_WITH_DES_CBC_SHA
* SSL_RSA_WITH_3DES_EDE_CBC_SHA
* SSL_RSA_WITH_AES_128_CBC_SHA
* SSL_RSA_WITH_AES_256_CBC_SHA
* SSL_RSA_WITH_DES_CBC_SHA
SSL_RSA_WITH_NULL_MD5
SSL_RSA_WITH_NULL_SHA
* SSL_RSA_WITH_RC4_128_MD5
* SSL_RSA_WITH_RC4_128_SHA

Anybody have any insights?
--
This is the Java Programming on and around the IBM i (JAVA400-L) mailing list To post a message email: JAVA400-L@xxxxxxxxxxxxxxxxxx To subscribe, unsubscribe, or change list options,
visit: https://lists.midrange.com/mailman/listinfo/java400-l
or email: JAVA400-L-request@xxxxxxxxxxxxxxxxxx
Before posting, please take a moment to review the archives at https://archive.midrange.com/java400-l.

Help support midrange.com by shopping at amazon.com with our affiliate
link: https://amazon.midrange.com