Deepak,

On 2/25/15 1:49 AM, dku...@ccilindia.co.in wrote:
>> Perhaps you disabled SSLv3 and a client is trying to connect
>> using SSLv3?
> 
> We agree with your above statement. We have disabled SSLv3 on
> Tomcat server and our client is an exe which sends request using
> below code.

(What's an "exe"?)

> URL server = new URL(url);
> jprogress.setValue(11);
> final String hostvar = ip;
> HttpsURLConnection.setDefaultHostnameVerifier(new HostnameVerifier() {
>     public boolean verify(String hostname, SSLSession session) {
>         if (hostname.equals(hostvar)) {
>             return true;
>         } else {
>             return false;
>         }
>     }
> });

Note that the above is roughly equivalent to the default hostname
verifier. Why are you bothering with that?

> try {
>     HttpsURLConnection con = (HttpsURLConnection) server.openConnection();
>     jprogress.setValue(14);
>     con.setConnectTimeout(90000000);

That is a *very* long timeout. Why?

>     con.setDoOutput(true);
>     con.setUseCaches(false);
>     con.setReadTimeout(60000);

That's a pretty long timeout, too. Who wants to wait 60 seconds for a
byte of data?

> jprogress.setValue(16);
> 
> We are unable to find at which point the client exe uses either TLS
> or SSLv3 to send request to the server.

It will depend upon the URL being passed into the URL constructor:
URL.openConnection will determine which protocol to use.

> Also we find that client exe works fine in other machines. We want
> to know if this is system specific or java specific.

This is a combination of the two.

If you want to force the client to use a different protocol (e.g.
TLSv1 versus SSLv3), you need to tell HttpsURLConnection to use a
different socket factory. Something like this:

String protocol = ...; // "SSL" or "TLS"
String[] sslEnabledProtocols = ...; // whatever specific protocols you want
                                    // to support, like SSLv3, SSLv2Hello, TLSv1.1, etc.
String[] sslCipherSuites = ...; // whatever SSL cipher suites you want to support

TrustManager[] tms = ...; // whatever trust managers you want to use
SecureRandom random = new SecureRandom(); // SSLContext.init() takes a SecureRandom
SSLContext sc = SSLContext.getInstance(protocol);

sc.init(null, tms, random);

SSLSocketFactory sf = sc.getSocketFactory();

if(null != sslEnabledProtocols
   || null != sslCipherSuites)
    sf = new CustomSSLSocketFactory(sf,
                                    sslEnabledProtocols,
                                    sslCipherSuites);

HttpsURLConnection.setDefaultSSLSocketFactory(sf);

You'll also need this:

    // Imports needed at the top of the enclosing source file:
    //   import java.io.IOException;
    //   import java.net.InetAddress;
    //   import java.net.Socket;
    //   import java.net.UnknownHostException;
    //   import javax.net.ssl.SSLSocket;
    //   import javax.net.ssl.SSLSocketFactory;

    /**
     * Wraps an existing SSLSocketFactory and restricts every socket it
     * creates to a fixed set of enabled protocols and cipher suites.
     */
    public static class CustomSSLSocketFactory
        extends javax.net.ssl.SSLSocketFactory
    {
        private final String[] _sslEnabledProtocols;
        private final String[] _sslCipherSuites;
        private final SSLSocketFactory _base;

        public CustomSSLSocketFactory(SSLSocketFactory base,
                                      String[] sslEnabledProtocols,
                                      String[] sslCipherSuites)
        {
            _base = base;
            // null = leave the base factory's enabled protocols untouched
            if(null == sslEnabledProtocols)
                _sslEnabledProtocols = null;
            else
                _sslEnabledProtocols = sslEnabledProtocols.clone();
            // null/empty = base factory's defaults; "ALL" = every supported suite
            if(null == sslCipherSuites || 0 == sslCipherSuites.length)
                _sslCipherSuites = getDefaultCipherSuites();
            else if(1 == sslCipherSuites.length
                    && "ALL".equalsIgnoreCase(sslCipherSuites[0]))
                _sslCipherSuites = getSupportedCipherSuites();
            else
                _sslCipherSuites = sslCipherSuites.clone();
        }

        @Override
        public String[] getDefaultCipherSuites() {
            return _base.getDefaultCipherSuites();
        }
        @Override
        public String[] getSupportedCipherSuites() {
            return _base.getSupportedCipherSuites();
        }

        // Applies the configured protocol/cipher restrictions to a new socket
        private SSLSocket customize(Socket s)
        {
            SSLSocket socket = (SSLSocket)s;

            if(null != _sslEnabledProtocols)
                socket.setEnabledProtocols(_sslEnabledProtocols);

            socket.setEnabledCipherSuites(_sslCipherSuites);

            return socket;
        }

        @Override
        public Socket createSocket(Socket s,
                                   String host,
                                   int port,
                                   boolean autoClose)
            throws IOException
        {
            return customize(_base.createSocket(s, host, port, autoClose));
        }
        @Override
        public Socket createSocket(String host, int port)
            throws IOException, UnknownHostException
        {
            return customize(_base.createSocket(host, port));
        }
        @Override
        public Socket createSocket(InetAddress host, int port)
            throws IOException
        {
            return customize(_base.createSocket(host, port));
        }
        @Override
        public Socket createSocket(String host, int port,
                                   InetAddress localHost, int localPort)
            throws IOException, UnknownHostException
        {
            return customize(_base.createSocket(host, port,
                                                localHost, localPort));
        }
        @Override
        public Socket createSocket(InetAddress address, int port,
                                   InetAddress localAddress, int localPort)
            throws IOException
        {
            return customize(_base.createSocket(address, port,
                                                localAddress, localPort));
        }
    }

I'm not sure how (or even if) you can have Java attempt to connect
with SSLv3 and then re-try with TLS. I would imagine that's built into
the code. It would be foolish if it weren't available.

But, it's possible that a handshake is not possible, especially if
there is an old version of Java being used by the client. I don't
believe Java 6 for example supports TLSv1.1 and TLSv1.2. So, if your
server is configured to only allow those protocols, you will never be
able to establish a handshake with a Java 6-based client.

Hope that helps,
-chris
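The reply above leaves two questions open for the person debugging this: which protocol versions the client JVM can offer at all (the Java 6 point), and which version the server actually negotiates. The following diagnostic is an added example, not code from Chris's reply or from the original poster; it uses only standard JSSE calls. It assumes the server host and port are given as command-line arguments (defaulting to a constructed localhost:8443), that the server certificate is trusted by the JVM's default trust store, and that the allowlist in WANTED is the set of versions the client is meant to offer. It restricts the socket with the same setEnabledProtocols() call the wrapper factory's customize() makes, then reports the negotiated protocol and cipher suite, or explains a failed handshake.

```java
import java.net.InetSocketAddress;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

/** Reports which TLS versions this JVM can offer and which one a server negotiates. */
public class TlsProtocolProbe {

    /** Constructed allowlist of versions the client should offer, strongest first. */
    static final String[] WANTED = {"TLSv1.2", "TLSv1.1", "TLSv1"};

    /**
     * Intersection of the allowlist with what the JVM supports, keeping the
     * allowlist order. An old JVM (e.g. Java 6) simply lacks TLSv1.1/TLSv1.2,
     * so the result may be empty.
     */
    static String[] negotiable(String[] wanted, String[] supported) {
        List<String> out = new ArrayList<String>();
        List<String> sup = Arrays.asList(supported);
        for (String p : wanted) {
            if (sup.contains(p)) out.add(p);
        }
        return out.toArray(new String[0]);
    }

    public static void main(String[] args) throws Exception {
        // Hypothetical target; pass your own host and port on the command line.
        String host = args.length > 0 ? args[0] : "localhost";
        int port = args.length > 1 ? Integer.parseInt(args[1]) : 8443;

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, null, null); // default trust managers (cacerts), no client cert
        SSLParameters supported = ctx.getSupportedSSLParameters();
        SSLParameters defaults = ctx.getDefaultSSLParameters();
        System.out.println("JVM supports: " + Arrays.toString(supported.getProtocols()));
        System.out.println("JVM default : " + Arrays.toString(defaults.getProtocols()));

        String[] offer = negotiable(WANTED, supported.getProtocols());
        if (offer.length == 0) {
            System.out.println("This JVM supports none of " + Arrays.toString(WANTED)
                + "; no TLS-only server will ever complete a handshake with it.");
            return;
        }

        SSLSocketFactory sf = ctx.getSocketFactory();
        SSLSocket socket = (SSLSocket) sf.createSocket(); // unconnected socket
        try {
            socket.setEnabledProtocols(offer); // same restriction the wrapper factory applies
            // Verify the certificate against the host name (RFC 2818 rules) instead of
            // trusting any certificate the server presents; requires Java 7 or later.
            SSLParameters params = socket.getSSLParameters();
            params.setEndpointIdentificationAlgorithm("HTTPS");
            socket.setSSLParameters(params);

            socket.connect(new InetSocketAddress(host, port), 10000); // 10 s, not 90000 s
            socket.setSoTimeout(10000);
            socket.startHandshake();
            System.out.println("Negotiated  : " + socket.getSession().getProtocol()
                + " with " + socket.getSession().getCipherSuite());
        } catch (SSLHandshakeException e) {
            System.out.println("Handshake failed while offering " + Arrays.toString(offer)
                + ": " + e.getMessage());
            System.out.println("A protocol_version or handshake_failure alert means the server "
                + "accepts none of the offered versions/suites; a PKIX path error means "
                + "a trust problem instead.");
        } finally {
            socket.close();
        }
    }
}
```

Run it as `java TlsProtocolProbe tomcat.example.internal 8443` from the same JVM the client program uses; the "JVM supports" line tells you immediately whether TLSv1.1/TLSv1.2 are available there, and the "Negotiated" line shows which version the Tomcat connector accepted. For the real client, the same restriction is applied by passing the wrapper factory to HttpsURLConnection.setSSLSocketFactory() on each connection or setDefaultSSLSocketFactory() globally.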
