We've got a customer with a problem. And I can't make head or tail of it.

The Tomcat-based webapp on our CRM product makes a call to maps.googleapis.com:
https://maps.googleapis.com/maps/api/geocode/json?key=<REDACTED>&address=<REDACTED>

In every other installation of the product, it works just fine, under
Java 6, Java 7, and Java 8 JVMs.

But on this one customer box, it fails, throwing either
java.net.ConnectException: Failed to connect to maps.googleapis.com/2607:f8b0:4009:807:0:0:0:200a:443
or
Unable to find acceptable protocols. isFallback=false,
modes=[ConnectionSpec(cipherSuites=[TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_GCM_SHA256,
TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA,
TLS_RSA_WITH_3DES_EDE_CBC_SHA], tlsVersions=[TLS_1_2, TLS_1_1,
TLS_1_0], supportsTlsExtensions=true),
ConnectionSpec(cipherSuites=[TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_GCM_SHA256,
TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA,
TLS_RSA_WITH_3DES_EDE_CBC_SHA], tlsVersions=[TLS_1_0],
supportsTlsExtensions=true), ConnectionSpec()], supported
protocols=[TLSv1]

(and which one gets thrown seems to be at random, without apparent
rhyme or reason). And it's not getting thrown in our code: it's
getting thrown in classes and methods belonging to something called
"squareup.okhttp."

But I can ping maps.googleapis.com from their command line just fine.

I wrote a simple RPG program to send the exact same request through
Scott Klement's HTTPAPI. As soon as I got it working on our box, I
stuck it into a save file, and squirted it over to the customer box,
where it also worked just fine.

One suggestion I got from a Tomcat List member was to try compiling
and running the simple cipher list program found at
https://confluence.atlassian.com/stashkb/list-ciphers-used-by-jvm-679609085.html

If I set the same JAVA_HOME as Tomcat was launched under, and compile
and run "Ciphers.java" from the above site, on the customer box, I
get:

Default Cipher
SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SH
* SSL_DHE_DSS_WITH_AES_128_CBC_SHA
* SSL_DHE_DSS_WITH_AES_128_CBC_SHA256
SSL_DHE_DSS_WITH_AES_128_GCM_SHA256
* SSL_DHE_DSS_WITH_AES_256_CBC_SHA
* SSL_DHE_DSS_WITH_AES_256_CBC_SHA256
SSL_DHE_DSS_WITH_AES_256_GCM_SHA384
SSL_DHE_DSS_WITH_DES_CBC_SHA
SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
* SSL_DHE_RSA_WITH_AES_128_CBC_SHA
* SSL_DHE_RSA_WITH_AES_128_CBC_SHA256
SSL_DHE_RSA_WITH_AES_128_GCM_SHA256
* SSL_DHE_RSA_WITH_AES_256_CBC_SHA
* SSL_DHE_RSA_WITH_AES_256_CBC_SHA256
SSL_DHE_RSA_WITH_AES_256_GCM_SHA384
SSL_DHE_RSA_WITH_DES_CBC_SHA
SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA
SSL_DH_anon_WITH_AES_128_CBC_SHA
SSL_DH_anon_WITH_AES_128_CBC_SHA256
SSL_DH_anon_WITH_AES_128_GCM_SHA256
SSL_DH_anon_WITH_AES_256_CBC_SHA
SSL_DH_anon_WITH_AES_256_CBC_SHA256
SSL_DH_anon_WITH_AES_256_GCM_SHA384
SSL_DH_anon_WITH_DES_CBC_SHA
* SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
* SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
SSL_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
* SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
* SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
SSL_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
SSL_ECDHE_ECDSA_WITH_NULL_SHA
* SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA
* SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA256
SSL_ECDHE_RSA_WITH_AES_128_GCM_SHA256
* SSL_ECDHE_RSA_WITH_AES_256_CBC_SHA
* SSL_ECDHE_RSA_WITH_AES_256_CBC_SHA384
SSL_ECDHE_RSA_WITH_AES_256_GCM_SHA384
SSL_ECDHE_RSA_WITH_NULL_SHA
* SSL_ECDH_ECDSA_WITH_AES_128_CBC_SHA
* SSL_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
SSL_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
* SSL_ECDH_ECDSA_WITH_AES_256_CBC_SHA
* SSL_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
SSL_ECDH_ECDSA_WITH_AES_256_GCM_SHA384
SSL_ECDH_ECDSA_WITH_NULL_SHA
* SSL_ECDH_RSA_WITH_AES_128_CBC_SHA
* SSL_ECDH_RSA_WITH_AES_128_CBC_SHA256
SSL_ECDH_RSA_WITH_AES_128_GCM_SHA256
* SSL_ECDH_RSA_WITH_AES_256_CBC_SHA
* SSL_ECDH_RSA_WITH_AES_256_CBC_SHA384
SSL_ECDH_RSA_WITH_AES_256_GCM_SHA384
SSL_ECDH_RSA_WITH_NULL_SHA
SSL_ECDH_anon_WITH_AES_128_CBC_SHA
SSL_ECDH_anon_WITH_AES_256_CBC_SHA
SSL_ECDH_anon_WITH_NULL_SHA
SSL_KRB5_EXPORT_WITH_DES_CBC_40_MD5
SSL_KRB5_EXPORT_WITH_DES_CBC_40_SHA
SSL_KRB5_WITH_DES_CBC_MD5
SSL_KRB5_WITH_DES_CBC_SHA
SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
SSL_RSA_FIPS_WITH_DES_CBC_SHA
* SSL_RSA_WITH_AES_128_CBC_SHA
* SSL_RSA_WITH_AES_128_CBC_SHA256
SSL_RSA_WITH_AES_128_GCM_SHA256
* SSL_RSA_WITH_AES_256_CBC_SHA
* SSL_RSA_WITH_AES_256_CBC_SHA256
SSL_RSA_WITH_AES_256_GCM_SHA384
SSL_RSA_WITH_DES_CBC_SHA
SSL_RSA_WITH_NULL_MD5
SSL_RSA_WITH_NULL_SHA
SSL_RSA_WITH_NULL_SHA256
* TLS_EMPTY_RENEGOTIATION_INFO_SCSV

FOR COMPARISON PURPOSES, what we get on our box is:
Default Cipher
* SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
* SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
* SSL_DHE_DSS_WITH_AES_128_CBC_SHA
* SSL_DHE_DSS_WITH_AES_256_CBC_SHA
* SSL_DHE_DSS_WITH_DES_CBC_SHA
* SSL_DHE_DSS_WITH_RC4_128_SHA
* SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
* SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
* SSL_DHE_RSA_WITH_AES_128_CBC_SHA
* SSL_DHE_RSA_WITH_AES_256_CBC_SHA
* SSL_DHE_RSA_WITH_DES_CBC_SHA
SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA
SSL_DH_anon_EXPORT_WITH_RC4_40_MD5
SSL_DH_anon_WITH_3DES_EDE_CBC_SHA
SSL_DH_anon_WITH_AES_128_CBC_SHA
SSL_DH_anon_WITH_AES_256_CBC_SHA
SSL_DH_anon_WITH_DES_CBC_SHA
SSL_DH_anon_WITH_RC4_128_MD5
SSL_KRB5_EXPORT_WITH_DES_CBC_40_MD5
SSL_KRB5_EXPORT_WITH_DES_CBC_40_SHA
SSL_KRB5_EXPORT_WITH_RC4_40_MD5
SSL_KRB5_EXPORT_WITH_RC4_40_SHA
SSL_KRB5_WITH_3DES_EDE_CBC_MD5
SSL_KRB5_WITH_3DES_EDE_CBC_SHA
SSL_KRB5_WITH_DES_CBC_MD5
SSL_KRB5_WITH_DES_CBC_SHA
SSL_KRB5_WITH_RC4_128_MD5
SSL_KRB5_WITH_RC4_128_SHA
* SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
* SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5
* SSL_RSA_EXPORT_WITH_RC4_40_MD5
* SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA
* SSL_RSA_FIPS_WITH_DES_CBC_SHA
* SSL_RSA_WITH_3DES_EDE_CBC_SHA
* SSL_RSA_WITH_AES_128_CBC_SHA
* SSL_RSA_WITH_AES_256_CBC_SHA
* SSL_RSA_WITH_DES_CBC_SHA
SSL_RSA_WITH_NULL_MD5
SSL_RSA_WITH_NULL_SHA
* SSL_RSA_WITH_RC4_128_MD5
* SSL_RSA_WITH_RC4_128_SHA

Anybody have any insights?
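
Added example, not part of the original post: a small Java check that compares the cipher suites and TLS versions named in the error's first ConnectionSpec with what the JVM's default SSLContext enables. It matches names both exactly and with the SSL_/TLS_ prefix ignored, because the error lists TLS_-prefixed names while the customer box's Ciphers output lists SSL_-prefixed ones. The class name SpecCheck and the helper names are hypothetical.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
// Added example; SpecCheck is a hypothetical name. No network connection is made.
public class SpecCheck {
    // Cipher suites copied from the first ConnectionSpec in the error message above.
    static final String[] SPEC_SUITES = {
        "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
        "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
        "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
        "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA", "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
        "TLS_DHE_RSA_WITH_AES_256_CBC_SHA", "TLS_RSA_WITH_AES_128_GCM_SHA256",
        "TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_AES_256_CBC_SHA",
        "TLS_RSA_WITH_3DES_EDE_CBC_SHA"
    };
    // tlsVersions=[TLS_1_2, TLS_1_1, TLS_1_0] written as JSSE protocol names.
    static final String[] SPEC_PROTOCOLS = { "TLSv1.2", "TLSv1.1", "TLSv1" };

    // Drop a leading SSL_ or TLS_ so both naming styles compare equal.
    static String normalize(String suite) {
        boolean prefixed = suite.startsWith("SSL_") || suite.startsWith("TLS_");
        return prefixed ? suite.substring(4) : suite;
    }

    // Names from 'wanted' that also appear in 'offered' (the JVM's list).
    static List<String> overlap(String[] wanted, String[] offered, boolean ignorePrefix) {
        List<String> have = new ArrayList<String>();
        for (String o : offered) have.add(ignorePrefix ? normalize(o) : o);
        List<String> hits = new ArrayList<String>();
        for (String w : wanted) {
            if (have.contains(ignorePrefix ? normalize(w) : w)) hits.add(w);
        }
        return hits;
    }

    public static void main(String[] args) throws Exception {
        SSLParameters on = SSLContext.getDefault().getDefaultSSLParameters();
        SSLParameters all = SSLContext.getDefault().getSupportedSSLParameters();
        System.out.println("JVM: " + System.getProperty("java.vendor") + " " + System.getProperty("java.version"));
        System.out.println("enabled protocols:   " + Arrays.toString(on.getProtocols()));
        System.out.println("supported protocols: " + Arrays.toString(all.getProtocols()));
        System.out.println("protocols shared with spec: " + overlap(SPEC_PROTOCOLS, on.getProtocols(), false));
        System.out.println("suites shared, exact names:    " + overlap(SPEC_SUITES, on.getCipherSuites(), false));
        System.out.println("suites shared, prefix ignored: " + overlap(SPEC_SUITES, on.getCipherSuites(), true));
    }
}
```

Compile and run it with the same JAVA_HOME that Tomcat was launched under, as with Ciphers.java. An empty "exact names" list next to a non-empty "prefix ignored" list means the two sides differ only in how they spell the suite names.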

This mailing list archive is Copyright 1997-2022 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].
