Chirag,

On 10.10.2013 6:19, Chirag Dewan wrote:
> A small update. The customer's client is a C++ client, which uses OpenSSL. And I
> found that the client hello message is SSLv2 protocol. And the server
> response (server hello) is a TLSv1 protocol. Is there something I am missing?

There is a difference between the SSLv2 protocol and the SSLv2Hello pseudo-protocol. SSLv2 is basically broken (although a lot of badly configured servers still support it).

The SSLv3 and TLS protocol specifications allow the handshake to start in SSLv2 format and then immediately switch to SSLv3 or TLS. This is also known as the SSLv2Hello pseudo-protocol. It is done for compatibility reasons, and it is considered relatively safe. It is what you are observing, and it is perfectly normal.

In Tomcat you may specify which exact protocols to use by setting the "sslEnabledProtocols" attribute on the HTTP connector (Tomcat 7/8 and Tomcat 6.0.38+), or the undocumented "protocols" attribute (versions prior to 6.0.38). Those attributes may take one or more of the following values: SSLv2, SSLv3, TLSv1, TLSv1.1, TLSv1.2, SSLv2Hello. Of course, it is recommended not to use "SSLv2", but you may use "SSLv2Hello" (among others) to ensure compatibility.

Note that the aforementioned attributes are somehow related to the "sslProtocol" attribute, which by itself selects a group of enabled protocols.

-Ognjen
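As an added illustration (not from Ognjen's message or from the Tomcat project), the two JSSE connector definitions below show the weak setting beside the recommended one in a Tomcat 7 server.xml. The port, keystore path and password are constructed placeholders; "sslEnabledProtocols", "sslProtocol", "keystoreFile", "keystorePass" and "clientAuth" are the connector attributes discussed above.

```xml
<!-- Constructed example for a Tomcat 7 server.xml; not the project's own sample config. -->

<!-- WEAK: explicitly enables the broken SSLv2 protocol itself, plus SSLv3. -->
<Connector port="8443" protocol="HTTP/1.1"
           SSLEnabled="true" scheme="https" secure="true"
           sslProtocol="TLS"
           sslEnabledProtocols="SSLv2,SSLv3,TLSv1"
           keystoreFile="conf/example-keystore.jks"
           keystorePass="changeit-placeholder"
           clientAuth="false" />

<!-- RECOMMENDED: accept an SSLv2-format ClientHello (the SSLv2Hello pseudo-protocol)
     for compatibility with older clients, but only negotiate TLS afterwards.
     Neither SSLv2 nor SSLv3 is in the list, so no session can actually use them. -->
<Connector port="8443" protocol="HTTP/1.1"
           SSLEnabled="true" scheme="https" secure="true"
           sslProtocol="TLS"
           sslEnabledProtocols="SSLv2Hello,TLSv1,TLSv1.1,TLSv1.2"
           keystoreFile="conf/example-keystore.jks"
           keystorePass="changeit-placeholder"
           clientAuth="false" />
```

Only one of the two connectors should be present in a real server.xml, since both bind port 8443. The distinction to keep in mind is that "SSLv2Hello" only governs the format of the first handshake message, while the other entries govern which protocol versions the server is willing to negotiate; a server configured with the second connector will still answer an SSLv2-format hello from an OpenSSL client with a TLSv1 ServerHello, which is exactly the behaviour described in the question.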

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
