> From: mgai...@hotmail.com
> To: users@tomcat.apache.org
> Subject: RE: ssl_error_internal_error_alert in tomcat 7
> Date: Thu, 19 Dec 2013 20:01:49 -0500
>
> > Date: Thu, 19 Dec 2013 15:41:13 -0500
> > From: ch...@christopherschultz.net
> > To: users@tomcat.apache.org
> > Subject: Re: ssl_error_internal_error_alert in tomcat 7
> >
> > Jaya,
> >
> > On 12/19/13, 2:54 PM, jaya ravindran wrote:
> > > I am getting SSL error in firefox when connecting to tomcat
> > > server. Apache Tomcat Version 7.0.22 using JSSE configuration
> >
> > You should really upgrade from your 2-year-old version. Tomcat 7 is on
> > version 7.0.47 these days. It's possible something has been fixed.

JR> Cannot upgrade right now.

> > > java version "1.6.0_41" using 64 bit. IE and Chrome work fine
> > > although I can see the following message in Chrome. The connection
> > > uses SSL 3.0. When I edit firefox and set
> > > security.tls.version.max=0, I can get connection. My ssl config is
> > > below.
> MG>security.tls.version.min = 0 (SSL 3.0);

JR> I want to use TLS 1.0 connections. security.tls.version.max=1 and
security.tls.version.min = 0 is default setting in firefox. That means it
should support both TLS 1.0 and SSL 3.0, right?

> > Do you have any non-default setting for security.enable_ssl3 or
> > security.enable_tls?

JR> No

> > > Can anyone suggest some possible reasons for this error?
> > >
> > > <Connector port="8443"
> > > protocol="org.apache.coyote.http11.Http11Protocol"
> > > SSLEnabled="true" scheme="https" secure="true" clientAuth="false"
> > > sslProtocol="TLS" keystoreFile="my.keystore"
> MG>sslProtocol="SSLv3"
> > > keystorePass="acdfv123" truststoreFile="my.keystore"
> > > truststorePass="acdfv123" connectionTimeout="20000"
> > > redirectPort="18443" maxThreads="150" maxSpareThreads="75"
> > > enableLookups="false" acceptCount="100"
> > > disableUploadTimeout="true" URIEncoding="UTF-8" server="Apache" />
> >
> > Can you try using OpenSSL's s_client with various options (for TLS
> > protocol) to see which ones do and do not work?

JR> I tried with OpenSSL's s_client and got the following:

No client certificate CA names sent
---
SSL handshake has read 1166 bytes and written 303 bytes
---
New, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA
Server public key is 1023 bit
Secure Renegotiation IS supported
SSL-Session:
    Protocol  : TLSv1
    Cipher    : EDH-RSA-DES-CBC3-SHA
    Session-ID: 52B463FFE2D5638DE0E2AE86EE9AFB0DBD6F6DB4E042C411148491D76D8A4B09
    Session-ID-ctx:
    Master-Key: 4AE6604C872A681708E872C970E4D3BADCE22701A2BE5E43110D0F99C86CA6A04313B3381E914A9BA460849C2C60C7F8
    Key-Arg   : None
    Start Time: 1387553791
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---
closed

That means the server can do TLSv1. Then why can't it connect with TLS
protocol on browsers?

> > - -chris
>
> MG>https://support.mozilla.org/en-US/questions/963325

JR> Thanks for the answers. I would have posted in firefox forums if I was
able to make TLS 1.0 connection with chrome. But chrome says the connection
is SSL 3.0.
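The s_client session summary quoted in the thread can be read mechanically. The following is an added example, not code from any poster or from the Tomcat or OpenSSL projects: it parses that summary and lists hardening findings. The function names and the thresholds (2048-bit keys, protocols older than TLS 1.2, DES/RC4/NULL/EXPORT/MD5 suites) are assumptions, and it does not diagnose the Firefox alert itself.

```python
import re

# Constructed sample: the s_client summary quoted in the thread, with the
# Session-ID and Master-Key lines omitted.
SAMPLE = """\
New, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA
Server public key is 1023 bit
Secure Renegotiation IS supported
SSL-Session:
    Protocol  : TLSv1
    Cipher    : EDH-RSA-DES-CBC3-SHA
    Verify return code: 18 (self signed certificate)
---
"""

FIELDS = {
    "protocol": r"^\s*Protocol\s*:\s*(\S+)",
    "cipher": r"^\s*Cipher\s*:\s*(\S+)",
    "key_bits": r"^Server public key is (\d+) bit",
    "verify_code": r"^\s*Verify return code:\s*(\d+)",
}

def parse_summary(text):
    """Pull the negotiated parameters out of `openssl s_client` output."""
    out = {}
    for name, pattern in FIELDS.items():
        m = re.search(pattern, text, re.MULTILINE)
        out[name] = m.group(1) if m else None
    for key in ("key_bits", "verify_code"):
        if out[key] is not None:
            out[key] = int(out[key])
    return out

def findings(s):
    """Hardening notes; the thresholds are assumptions based on common guidance."""
    notes = []
    if s["protocol"] in ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1"):
        notes.append(f"legacy protocol negotiated: {s['protocol']}")
    if s["cipher"] and re.search(r"DES|RC4|NULL|EXP|MD5", s["cipher"]):
        notes.append(f"weak cipher suite: {s['cipher']}")
    if s["key_bits"] is not None and s["key_bits"] < 2048:
        notes.append(f"server public key is only {s['key_bits']} bits")
    if s["verify_code"] not in (None, 0):
        notes.append(f"certificate did not verify (code {s['verify_code']})")
    return notes

if __name__ == "__main__":
    for note in findings(parse_summary(SAMPLE)):
        print("-", note)
```

Output that contains no session summary at all (for example, a failed handshake) parses to empty fields and produces no findings, so an empty result should be read together with the raw s_client output.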