Deepak,

On 2/25/15 1:49 AM, dku...@ccilindia.co.in wrote:
>> Perhaps you disabled SSLv3 and a client is trying to connect
>> using SSLv3?
>
> We agree with your above statement. We have disabled SSLv3 on
> Tomcat server and our client is an exe which sends request using
> below code.

(What's an "exe"?)

> URL server = new URL(url);
> jprogress.setValue(11);
> final String hostvar = ip;
> HttpsURLConnection.setDefaultHostnameVerifier(new HostnameVerifier() {
>     public boolean verify(String hostname, SSLSession session) {
>         if (hostname.equals(hostvar)) {
>             return true;
>         } else {
>             return false;
>         }
>     }
> });

Note that the above is roughly equivalent to the default hostname
verifier. Why are you bothering with that?

> try {
>     HttpsURLConnection con = (HttpsURLConnection) server.openConnection();
>     jprogress.setValue(14);
>     con.setConnectTimeout(90000000);

That is a *very* long timeout. Why?

>     con.setDoOutput(true);
>     con.setUseCaches(false);
>     con.setReadTimeout(60000);

That's a pretty long timeout, too. Who wants to wait 60 seconds for a
byte of data?

>     jprogress.setValue(16);
>
> We are unable to find at which point the client exe uses either TLS
> or SSLv3 to send request to the server.

It will depend upon the URL being passed into the URL constructor:
URL.openConnection will determine which protocol to use.

> Also we find that client exe works fine in other machines. We want
> to know if this is system specific or java specific.

This is a combination of the two.

If you want to force the client to use a different protocol (e.g. TLSv1
versus SSLv3), you need to tell HttpsURLConnection to use a different
socket factory. Something like this:

  import java.security.SecureRandom;
  import javax.net.ssl.HttpsURLConnection;
  import javax.net.ssl.SSLContext;
  import javax.net.ssl.SSLSocketFactory;
  import javax.net.ssl.TrustManager;

  String protocol = ...;              // "SSL" or "TLS"
  String[] sslEnabledProtocols = ...; // whatever specific protocols you want to support, like SSLv3, SSLv2hello, TLSv1.1, etc.
  String[] sslCipherSuites = ...;     // Whatever SSL cipher suites you want to support
  TrustManager[] tms = ...;           // Whatever trust managers you want to use
  SecureRandom random = new SecureRandom(); // SSLContext.init() requires a SecureRandom, not a plain Random

  SSLContext sc = SSLContext.getInstance(protocol);
  sc.init(null, tms, random);
  SSLSocketFactory sf = sc.getSocketFactory();

  if(null != sslEnabledProtocols || null != sslCipherSuites)
      sf = new CustomSSLSocketFactory(sf, sslEnabledProtocols, sslCipherSuites);

  HttpsURLConnection.setDefaultSSLSocketFactory(sf);

You'll also need this:

  import java.io.IOException;
  import java.net.InetAddress;
  import java.net.Socket;
  import java.net.UnknownHostException;
  import javax.net.ssl.SSLSocket;
  import javax.net.ssl.SSLSocketFactory;

  // Wraps an existing SSLSocketFactory and restricts every socket it hands
  // out to the configured protocol versions and cipher suites.
  public static class CustomSSLSocketFactory
      extends javax.net.ssl.SSLSocketFactory
  {
      private final String[] _sslEnabledProtocols;
      private final String[] _sslCipherSuites;
      private final SSLSocketFactory _base;

      public CustomSSLSocketFactory(SSLSocketFactory base,
                                    String[] sslEnabledProtocols,
                                    String[] sslCipherSuites)
      {
          _base = base;

          // null means "leave the JVM's default enabled protocols alone"
          if(null == sslEnabledProtocols)
              _sslEnabledProtocols = null;
          else
              _sslEnabledProtocols = sslEnabledProtocols.clone();

          // null/empty -> the base factory's defaults; "ALL" -> everything it supports
          if(null == sslCipherSuites || 0 == sslCipherSuites.length)
              _sslCipherSuites = getDefaultCipherSuites();
          else if(1 == sslCipherSuites.length && "ALL".equalsIgnoreCase(sslCipherSuites[0]))
              _sslCipherSuites = getSupportedCipherSuites();
          else
              _sslCipherSuites = sslCipherSuites.clone();
      }

      public String[] getDefaultCipherSuites()
      {
          return _base.getDefaultCipherSuites();
      }

      public String[] getSupportedCipherSuites()
      {
          return _base.getSupportedCipherSuites();
      }

      // Applied to every socket before it is returned to the caller.
      private SSLSocket customize(Socket s)
      {
          SSLSocket socket = (SSLSocket)s;

          if(null != _sslEnabledProtocols)
              socket.setEnabledProtocols(_sslEnabledProtocols);

          socket.setEnabledCipherSuites(_sslCipherSuites);

          return socket;
      }

      @Override
      public Socket createSocket(Socket s, String host, int port, boolean autoClose)
          throws IOException
      {
          return customize(_base.createSocket(s, host, port, autoClose));
      }

      @Override
      public Socket createSocket(String host, int port)
          throws IOException, UnknownHostException
      {
          return customize(_base.createSocket(host, port));
      }

      @Override
      public Socket createSocket(InetAddress host, int port)
          throws IOException
      {
          return customize(_base.createSocket(host, port));
      }

      @Override
      public Socket createSocket(String host, int port, InetAddress localHost, int localPort)
          throws IOException, UnknownHostException
      {
          return customize(_base.createSocket(host, port, localHost, localPort));
      }

      @Override
      public Socket createSocket(InetAddress address, int port, InetAddress localAddress, int localPort)
          throws IOException
      {
          return customize(_base.createSocket(address, port, localAddress, localPort));
      }
  }

I'm not sure how (or even if) you can have Java attempt to connect with
SSLv3 and then re-try with TLS. I would imagine that's built into the
code. It would be foolish if it weren't available.

But, it's possible that a handshake is not possible, especially if there
is an old version of Java being used by the client. I don't believe Java
6 for example supports TLSv1.1 and TLSv1.2. So, if your server is
configured to only allow those protocols, you will never be able to
establish a handshake with a Java6-based client.
Hope that helps,
-chris
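For the "at which point does the client use TLS or SSLv3" question, here is an added diagnostic that is not part of the thread: it lists the protocols this JVM supports and enables by default, offers only the TLS versions named in WANTED, and then reports what the server negotiated, or the handshake failure you would see when (as with Java 6 against a TLSv1.1/1.2-only Tomcat) there is no common protocol. Host and port are command-line arguments with assumed defaults, and the JVM's default trust store is used.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLSocket;

/** Reports which TLS versions this JVM can offer and which one a server accepts. */
public class TlsProbe {

    /** Protocols the client may offer, most preferred first (constructed for this example). */
    static final String[] WANTED = { "TLSv1.2", "TLSv1.1", "TLSv1" };

    /** Returns the negotiated protocol, or null if no handshake was possible. */
    public static String probe(String host, int port) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, null, null);   // JVM default key/trust managers and RNG
        SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(host, port);
        try {
            List<String> supported = Arrays.asList(s.getSupportedProtocols());
            System.out.println("JVM supports:       " + supported);
            System.out.println("enabled by default: " + Arrays.toString(s.getEnabledProtocols()));
            // Offer only the WANTED names this JVM really has; an unknown name
            // makes setEnabledProtocols throw IllegalArgumentException.
            List<String> offer = new ArrayList<String>();
            for (String p : WANTED) if (supported.contains(p)) offer.add(p);
            if (offer.isEmpty()) {
                System.out.println("this JVM supports none of " + Arrays.toString(WANTED));
                return null;
            }
            s.setEnabledProtocols(offer.toArray(new String[0]));
            s.startHandshake();           // fails if the server shares no protocol/cipher
            String negotiated = s.getSession().getProtocol();
            System.out.println("negotiated: " + negotiated + " with " + s.getSession().getCipherSuite());
            return negotiated;
        } catch (SSLException e) {
            System.out.println("handshake failed: " + e.getMessage());
            return null;
        } finally {
            s.close();
        }
    }

    public static void main(String[] args) throws Exception {
        String host = args.length > 0 ? args[0] : "localhost";   // assumed defaults
        int port = args.length > 1 ? Integer.parseInt(args[1]) : 8443;
        probe(host, port);
    }
}
```

Running it with -Djavax.net.debug=ssl:handshake additionally prints the ClientHello the JVM actually sends, which answers the same question for a client you cannot modify.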