-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Tadeusz,
On 12/11/14 2:15 PM, Sacilowski, Tadeusz wrote: > I'm in the process of upgrading our Tomcat servers to Tomcat 7 > (7.0.57). I'm also trying to use the APR connector (TC-Native > 1.1.32) for SSL. The servers sit behind an F5 load balancer (LTM > 10.2.1) that uses an HTTP health monitor to mark nodes up/down. > > Prior to updating to the APR connector, I was using NIO, with > SSLv3 disabled, and the health monitor worked properly: > > sslProtocol="TLS" > sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1,SSLv2Hello" > > The SSLv2Hello is necessary, as the F5 health monitor uses this and > there's apparently no way to force TLS with the version that we're > on (when I don't explicitly include it, the health monitor fails). > There are also possibly some legacy applications that would be > using the pseudo-protocol as well. > > When trying to use the APR connector (with SSLv3 being disabled), > the health monitor fails to connect. Some troubleshooting with > OpenSSL (0.9.8x) indicated that I need to force a connection with > "-tls1" in order for it to connect (see my post at stackoverflow: > http://stackoverflow.com/questions/27410851/openssl-s-client-cant-connect-to-tomcat-7-via-apr/27414403#27414403 > > ). > > I'm assuming the issue is because SSLv2Hello is disabled with the > APR connector... is there any way to explicitly enable is, as I do > in the NIO connector? What does your APR connector configuration look like? From your SO post it looks like you have "TLSv1" only. What if you try "all" (the default)? This will include only TLS protocols when using Tomcat 7.0.57 or later with tcnative 1.1.32 or later (and not SSL) but it looks like OpenSSL might use SSLv2hello when there is more than one protocol supported. Your other option is to simply re-enable SSLv3 on the Tomcat server and use your firewall to prevent anyone from connecting except for your load-balancer (which, presumably, you trust). SSLv3 is only risky when you don't trust your clients. - -chris -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 Comment: GPGTools - http://gpgtools.org iQIcBAEBCAAGBQJUihRjAAoJEBzwKT+lPKRYPXgP+wXY1FshX5CbS7MREsSCXW3L JijWrldOTzN/jWEmmMOKEmJ1ff3SXjUPR2z5o5lTT5fGRBb190f4hOxWLqJke48d 1GJTmufQfYBGHZ/Bp43G/3WqwtsvqqznOUWzajcN/Vt+HWMbmRT3u5V/ApTAC+I/ uhzSjj07QvfU27pK/fFzgMZsN9InPoV5uibnUUhabu+6xtkk4gLYxi2LKRJjlM0j HX7SQ0cnqpOxjqMDmQLVyaMLDI80e1XYGdtkEDnYYQQApe7eHHIyk9QrrEoNufpJ VMuX/A7sX1f/kHvUQSey16YTBW/ujPFCjGG/j7Te32f4sHTE5eB1RdTdqpinlu5g +2Ltm0t8tuczHsqogFB4+5M78jNcNCKBr3Gpq1CpxUdib3gmsTg9PRVOCIYQ6AiB WtDfxIdIO4FV2fTyDTlk3jAx1SdwCe8ELmnjXd8wOzvWPDH4HbjLFu96oFcqjWsK DB3psjBGTMzeVnAct46N7CZwLCFhziEaPyA+nBKdMCVQineVNxozT9h6fB5pykJ3 5AxlJa756fdi/zm5CDKDKWsTP/OeFllUA82rFeJX3ugjsBt+crKIToI1d8oDuglA 7aYVdvgiMKemutAaY4S4QTREdtbCtKjYgbKr0Ur9s88iKPVQ1IANawiUDLsSWT5n aJw4LYHfurebFe+vOwez =sz1Q -----END PGP SIGNATURE----- --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
