Tadeusz,

On 12/12/14 1:09 PM, Sacilowski, Tadeusz wrote:
> I was using SSLProtocol="TLSv1" explicitly. However, when I
> switched to "all" the health monitor kicked back in. Interestingly
> though, I decided to switch it back to my original APR
> configuration (the one that was giving me issues with the health
> monitor in the first place) and the monitor continued to work. Not
> sure why it's working now but I'm leaving my APR connector with
> SSLProtocol="all" since that's what seemed to resolve my issue.

Assuming that you have OpenSSL 1.0+, you'll want to be able to support
TLSv1, TLSv1.1, and TLSv1.2, though I suppose if it's just for
communication between your load-balancer and your Tomcat nodes, it's
probably not critical that you be able to support the very latest in
TLS protocol.

Good luck,
-chris

> On Thu, Dec 11, 2014 at 5:02 PM, Christopher Schultz <ch...@christopherschultz.net> wrote:
>
> Tadeusz,
>
> On 12/11/14 2:15 PM, Sacilowski, Tadeusz wrote:
>> I'm in the process of upgrading our Tomcat servers to Tomcat 7
>> (7.0.57). I'm also trying to use the APR connector (TC-Native
>> 1.1.32) for SSL. The servers sit behind an F5 load balancer (LTM
>> 10.2.1) that uses an HTTP health monitor to mark nodes up/down.
>>
>> Prior to updating to the APR connector, I was using NIO, with
>> SSLv3 disabled, and the health monitor worked properly:
>>
>> sslProtocol="TLS"
>> sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1,SSLv2Hello"
>>
>> The SSLv2Hello is necessary, as the F5 health monitor uses this
>> and there's apparently no way to force TLS with the version that
>> we're on (when I don't explicitly include it, the health monitor
>> fails). There are also possibly some legacy applications that
>> would be using the pseudo-protocol as well.
>>
>> When trying to use the APR connector (with SSLv3 being disabled),
>> the health monitor fails to connect. Some troubleshooting with
>> OpenSSL (0.9.8x) indicated that I need to force a connection with
>> "-tls1" in order for it to connect (see my post at stackoverflow:
>> http://stackoverflow.com/questions/27410851/openssl-s-client-cant-connect-to-tomcat-7-via-apr/27414403#27414403 ).
>>
>> I'm assuming the issue is because SSLv2Hello is disabled with the
>> APR connector... is there any way to explicitly enable it, as I
>> do in the NIO connector?
>
> What does your APR connector configuration look like? From your SO
> post it looks like you have "TLSv1" only. What if you try "all"
> (the default)? This will include only TLS protocols when using
> Tomcat 7.0.57 or later with tcnative 1.1.32 or later (and not SSL)
> but it looks like OpenSSL might use SSLv2hello when there is more
> than one protocol supported.
>
> Your other option is to simply re-enable SSLv3 on the Tomcat
> server and use your firewall to prevent anyone from connecting
> except for your load-balancer (which, presumably, you trust). SSLv3
> is only risky when you don't trust your clients.
>
> -chris
>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>> For additional commands, e-mail: users-h...@tomcat.apache.org
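The two server.xml connector forms discussed in this thread, side by side, as an added example that is not taken from the thread or from the Tomcat project's documentation; the port, keystore path and password, and certificate paths are placeholders, and the protocol behaviour of SSLProtocol="all" is as Chris states it for Tomcat 7.0.57 with tcnative 1.1.32.

```xml
<!-- Added example: NIO (JSSE) connector, matching the setting Tadeusz reports
     as working. sslEnabledProtocols lists the TLS versions plus the SSLv2Hello
     pseudo-protocol, so a client that opens with an SSLv2-format ClientHello
     (the F5 health monitor here) can still negotiate up to TLS. SSLv3 is not
     listed, so it stays disabled. Keystore path and password are placeholders. -->
<Connector port="8443"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true" scheme="https" secure="true"
           keystoreFile="/PLACEHOLDER/path/to/keystore.jks"
           keystorePass="PLACEHOLDER"
           sslProtocol="TLS"
           sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1,SSLv2Hello" />

<!-- Added example: APR/native (OpenSSL) connector. Per the thread, with
     Tomcat 7.0.57 and tcnative 1.1.32 SSLProtocol="all" (the default) enables
     only the TLS protocols, not SSLv3; the explicit SSLProtocol="TLSv1" that
     Tadeusz first used is what the health monitor could not connect to.
     Certificate and key paths are placeholders. -->
<Connector port="8443"
           protocol="org.apache.coyote.http11.Http11AprProtocol"
           SSLEnabled="true" scheme="https" secure="true"
           SSLCertificateFile="/PLACEHOLDER/path/to/server.crt"
           SSLCertificateKeyFile="/PLACEHOLDER/path/to/server.key"
           SSLProtocol="all" />
```

Only one of the two connectors should be active on a given port; the pair is shown together to contrast the JSSE and OpenSSL protocol attributes.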