> From: mgai...@hotmail.com
> To: users@tomcat.apache.org
> Subject: RE: ssl_error_internal_error_alert in tomcat 7‏
> Date: Thu, 19 Dec 2013 20:01:49 -0500
> 
>   
> 
> 
> > Date: Thu, 19 Dec 2013 15:41:13 -0500
> > From: ch...@christopherschultz.net
> > To: users@tomcat.apache.org
> > Subject: Re: ssl_error_internal_error_alert in tomcat 7‏
> > 
> > Jaya,
> > 
> > On 12/19/13, 2:54 PM, jaya ravindran wrote:
> > > I am getting SSL error in firefox when connecting to tomcat
> > > server. Apache Tomcat Version 7.0.22 using JSSE configuration
> > 
> > You should really upgrade from your 2-year-old version. Tomcat 7 is on
> > version 7.0.47 these days. It's possible something has been fixed.
> > JR> Cannot upgrade right now.
> > > java version "1.6.0_41" using 64 bit . IE and Chrome works fine
> > > although I can see the following message in Chrome . The connection
> > > uses SSL 3.0. When I edit firefox and set
> > > security.tls.version.max=0, I can get connection. My ssl config is
> > > below.
> MG>security.tls.version.min = 0 (SSL 3.0); 
> JR> I want to use TLS 1.0 connections. security.tls.version.max=1 and 
> security.tls.version.min = 0 is the default setting in firefox. That means it 
> should support both TLS 1.0 and SSL 3.0, right?
> > 
> > Do you have any non-default setting for security.enable_ssl3 or
> > security.enable_tls? 

JR> No
> > 
> > > Can anyone suggest some possible reasons for this error?
> > > 
> > > <Connector port="8443" 
> > > protocol="org.apache.coyote.http11.Http11Protocol" 
> > > SSLEnabled="true" scheme="https" secure="true" clientAuth="false" 
> > > sslProtocol="TLS" keystoreFile="my.keystore" 
> MG>sslProtocol="SSLv3"
>  
> > > keystorePass="acdfv123" truststoreFile="my.keystore" 
> > > truststorePass="acdfv123" connectionTimeout="20000" 
> > > redirectPort="18443" maxThreads="150" maxSpareThreads="75" 
> > > enableLookups="false" acceptCount="100" 
> > > disableUploadTimeout="true" URIEncoding="UTF-8" server="Apache" />
> > 
> > Can you try using OpenSSL's s_client with various options (for TLS
> > protocol) to see which ones do and do not work?
> > JR> I tried with OpenSSL's s_client and got the following:
No client certificate CA names sent
---
SSL handshake has read 1166 bytes and written 303 bytes
---
New, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA
Server public key is 1023 bit
Secure Renegotiation IS supported
SSL-Session:
    Protocol  : TLSv1
    Cipher    : EDH-RSA-DES-CBC3-SHA
    Session-ID: 52B463FFE2D5638DE0E2AE86EE9AFB0DBD6F6DB4E042C411148491D76D8A4B09
    Session-ID-ctx: 
    Master-Key: 4AE6604C872A681708E872C970E4D3BADCE22701A2BE5E43110D0F99C86CA6A04313B3381E914A9BA460849C2C60C7F8
    Key-Arg   : None
    Start Time: 1387553791
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---
closed
That means the server can do TLSv1. Then why can't it connect with the TLS protocol on 
browsers?
> > -chris
>  
> MG>https://support.mozilla.org/en-US/questions/963325
> JR> Thanks for the answers. I would have posted in firefox forums if I was 
> able to make a TLS 1.0 connection with chrome. But chrome says the connection 
> is SSL 3.0.
> > 
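Added example, not part of the original thread: one way to carry out the s_client check suggested above, trying each protocol flag in turn and reducing every transcript to protocol, cipher, server key size and verify code. The function names are hypothetical, the sample transcript is constructed from the summary lines quoted in the thread, and host and port are supplied by the caller.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.

# Reduce one s_client transcript (stdin) to "protocol|cipher|keybits|verify",
# or "no-handshake" when no session was negotiated.
summarize_sclient() {
    awk '
        /^Server public key is/  { bits = $5 }
        /^[ \t]*Protocol[ \t]*:/ { proto = $NF }
        /^[ \t]*Cipher[ \t]*:/   { cipher = $NF }
        /Verify return code:/    { code = $4 }
        END {
            # A failed handshake leaves no cipher, or the placeholder 0000.
            if (proto == "" || cipher == "" || cipher == "0000")
                print "no-handshake"
            else
                printf "%s|%s|%s|%s\n", proto, cipher, bits, code
        }'
}

# Constructed sample: the summary lines of the transcript quoted in the thread.
sample_transcript() {
    cat <<'EOF'
New, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA
Server public key is 1023 bit
SSL-Session:
    Protocol  : TLSv1
    Cipher    : EDH-RSA-DES-CBC3-SHA
    Verify return code: 18 (self signed certificate)
EOF
}

# Try each protocol flag in turn against host $1, port $2.
# A flag the local openssl build lacks (often -ssl3) reports no-handshake.
probe_protocols() {
    for flag in -ssl3 -tls1 -tls1_1 -tls1_2; do
        result=$(openssl s_client -connect "$1:$2" "$flag" </dev/null 2>/dev/null |
            summarize_sclient)
        printf '%-9s %s\n' "$flag" "$result"
    done
}

# Run the probe only when a host and port are given on the command line.
if [ "$#" -eq 2 ]; then
    probe_protocols "$1" "$2"
fi
```

Comparing the per-flag lines shows which protocol versions the connector accepts, independent of any browser setting.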