Chris,

On 10.10.2013 19:11, Christopher Schultz wrote:
> Also, Chirag has the connector supporting only "TLS", so SSLv2 HELLO
> should ideally fail entirely.

Setting the attribute sslProtocol="TLS" may actually enable all protocols from SSLv3 to TLSv1.2, plus SSLv2Hello. Even setting something like sslProtocol="TLSv1.1" would enable the same group of protocols. The Tomcat docs clearly warn about that behavior (HTTP connector):

"sslProtocol - The SSL protocol(s) to use (a single value may enable multiple protocols - see the JVM documentation for details)."


> If you really only want to use TLS but support SSLv2 HELLOs, it's not
> entirely clear to me what setting you want here (sslEnabledProtocols),
> with sslProtocol, etc. I suspect what you want is this:
>
> sslProtocol="TLS" sslEnabledProtocols="TLS, SSLv2Hello"
>
> Chirag, give that a try and see if your problems are solved.

That is not a valid configuration. TLS is not a legal value for the attribute sslEnabledProtocols, and it will be ignored. SSLv2Hello is not legal without any other secure protocol, so JSSE will throw an exception. Something like

  sslProtocol="TLS"
  sslEnabledProtocols="SSLv2Hello,TLSv1,TLSv1.1,TLSv1.2"

would be valid config for what you propose.

It would also help to track down the cause of the problem if Chirag sends handshake logs of a failing and a successful handshake.

Also, a bit of brainstorming now: could this whole thing be an IP protocol issue? I've seen similar behavior before, albeit not in the context of an SSL handshake: the client tries to connect using an IPv6 address, but the firewall doesn't allow it, so the client falls back to IPv4 and successfully connects.

-Ognjen
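The two connector settings discussed in this thread written out as a full Tomcat JSSE connector, as an added example that is not from the thread or from the Tomcat docs; the port, keystore path and password are placeholders:

```xml
<!-- Constructed example; port, keystore path and password are placeholders. -->

<!-- Rejected form (the one quoted above): "TLS" is not a JSSE protocol name,
     so it is ignored, and SSLv2Hello on its own is not accepted by JSSE,
     so the connector fails to start. -->
<!--
<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
           SSLEnabled="true" scheme="https" secure="true"
           keystoreFile="conf/keystore.jks" keystorePass="changeit"
           sslProtocol="TLS"
           sslEnabledProtocols="TLS, SSLv2Hello" />
-->

<!-- Working form: sslProtocol only picks the JSSE SSLContext (a single value
     such as "TLS" enables SSLv3 through TLSv1.2 plus SSLv2Hello), while
     sslEnabledProtocols restricts what the socket will actually negotiate.
     SSLv3 is left out; drop SSLv2Hello too if no client still needs it. -->
<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
           SSLEnabled="true" scheme="https" secure="true"
           keystoreFile="conf/keystore.jks" keystorePass="changeit"
           sslProtocol="TLS"
           sslEnabledProtocols="SSLv2Hello,TLSv1,TLSv1.1,TLSv1.2" />
```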

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org