I was using SSLProtocol="TLSv1" explicitly. However, when I switched to
"all" the health monitor kicked back in. Interestingly though, I decided to
switch it back to my original APR configuration (the one that was giving me
issues with the health monitor in the first place) and the monitor
continued to work. Not sure why it's working now but I'm leaving my APR
connector with SSLProtocol="all" since that's what seemed to resolve my
issue.

Thanks!

On Thu, Dec 11, 2014 at 5:02 PM, Christopher Schultz <
ch...@christopherschultz.net> wrote:

>
> Tadeusz,
>
> On 12/11/14 2:15 PM, Sacilowski, Tadeusz wrote:
> > I'm in the process of upgrading our Tomcat servers to Tomcat 7
> > (7.0.57). I'm also trying to use the APR connector (TC-Native
> > 1.1.32) for SSL. The servers sit behind an F5 load balancer (LTM
> > 10.2.1) that uses an HTTP health monitor to mark nodes up/down.
> >
> > Prior to updating to the APR connector, I was using NIO, with
> > SSLv3 disabled, and the health monitor worked properly:
> >
> > sslProtocol="TLS"
> > sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1,SSLv2Hello"
> >
> > The SSLv2Hello is necessary, as the F5 health monitor uses this and
> > there's apparently no way to force TLS with the version that we're
> > on (when I don't explicitly include it, the health monitor fails).
> > There are also possibly some legacy applications that would be
> > using the pseudo-protocol as well.
> >
> > When trying to use the APR connector (with SSLv3 being disabled),
> > the health monitor fails to connect. Some troubleshooting with
> > OpenSSL (0.9.8x) indicated that I need to force a connection with
> > "-tls1" in order for it to connect (see my post at stackoverflow:
> > http://stackoverflow.com/questions/27410851/openssl-s-client-cant-connect-to-tomcat-7-via-apr/27414403#27414403).
> >
> > I'm assuming the issue is because SSLv2Hello is disabled with the
> > APR connector... is there any way to explicitly enable it, as I do
> > in the NIO connector?
>
> What does your APR connector configuration look like? From your SO
> post it looks like you have "TLSv1" only. What if you try "all" (the
> default)? This will include only TLS protocols when using Tomcat
> 7.0.57 or later with tcnative 1.1.32 or later (and not SSL) but it
> looks like OpenSSL might use SSLv2hello when there is more than one
> protocol supported.
>
> Your other option is to simply re-enable SSLv3 on the Tomcat server
> and use your firewall to prevent anyone from connecting except for
> your load-balancer (which, presumably, you trust). SSLv3 is only risky
> when you don't trust your clients.
>
> -chris
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
>


-- 
*Tadeusz Sacilowski*
*Manager, Portal & Mobile Development*
Teachers College, Columbia University
sacilow...@tc.columbia.edu
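The thread leaves the reader with an open question: which protocol versions does the APR connector actually accept after switching SSLProtocol from "TLSv1" to "all", and does SSLv3 really stay off? Below is an added verification script (not from the thread or from Tomcat) that answers this for your own server with the same openssl s_client probing the original poster used. The host and port are placeholders, and the two captured outputs are constructed samples that only exercise the output classifier.

```shell
#!/bin/sh
# Added example: report which SSL/TLS versions a Tomcat connector accepts.
# Usage: sh probe_tomcat_tls.sh HOST PORT   (HOST/PORT below are placeholders)
HOST="${1:-tomcat.example.internal}"
PORT="${2:-8443}"

# judge_handshake OUTPUT: classify captured s_client output as
# accepted / rejected / unknown. A refused handshake prints
# "Cipher is (NONE)" even though the SSL-Session block still names the
# attempted protocol, so that check has to come first.
judge_handshake() {
    if printf '%s\n' "$1" | grep -q 'Cipher is (NONE)'; then
        echo rejected
    elif printf '%s\n' "$1" | grep -qE 'Protocol *: *(SSLv3|TLSv1)'; then
        echo accepted
    else
        echo unknown
    fi
}

# probe FLAG: one handshake with a forced version flag; an empty flag lets
# OpenSSL choose, which on the 0.9.8-era releases discussed in the thread
# means the SSLv2-compatible ClientHello (Tomcat's "SSLv2Hello").
probe() {
    out=$(openssl s_client -connect "$HOST:$PORT" $1 </dev/null 2>&1)
    printf '%-9s %s\n' "${1:-default}" "$(judge_handshake "$out")"
}

# Expected after the fix in the thread: -ssl3 rejected, every TLS flag and
# the default (SSLv2Hello) probe accepted.
main() {
    for flag in -ssl3 -tls1 -tls1_1 -tls1_2 ""; do probe "$flag"; done
}

# Constructed samples of s_client output, used to check judge_handshake.
SAMPLE_REJECTED='CONNECTED(00000003)
New, (NONE), Cipher is (NONE)
    Protocol  : SSLv3
    Cipher    : 0000'
SAMPLE_ACCEPTED='CONNECTED(00000003)
New, TLSv1/SSLv3, Cipher is AES128-SHA
    Protocol  : TLSv1.2
    Cipher    : AES128-SHA'

# Only probe a live server when a host was given on the command line.
if [ "$#" -gt 0 ]; then
    main
fi
```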
