Aurélien,

On 10/14/15 5:59 PM, Aurélien Terrestris wrote:
> Still no solutions, I suppose..
>
> Did you enable the SSLv2 Hello as suggested by Chris, and what's
> the result ? I tested a small client with Java 8, by adding
> -Djdk.tls.client.protocols="SSLv2Hello,TLSv1.2" at the command
> line, and I get my SSLv2 Hello.

It looks like if you add SSLv2Hello to the list of protocols you'll
accept, you'll get an SSLv2Hello in there (abridged output):

    Allow unsafe renegotiation: false
    Allow legacy hello messages: true
    Is initial handshake: true
    Is secure renegotiation: false
    ...
    main, WRITE: TLSv1.2 Handshake, length = 221
    main, WRITE: SSLv2 client hello message, length = 140
    main, READ: TLSv1.2 Handshake, length = 81
    main, READ: TLSv1.2 Handshake, length = 2779
    main, READ: TLSv1.2 Handshake, length = 589
    main, READ: TLSv1.2 Handshake, length = 4
    main, WRITE: TLSv1.2 Handshake, length = 70
    main, WRITE: TLSv1.2 Change Cipher Spec, length = 1
    main, WRITE: TLSv1.2 Handshake, length = 40
    main, READ: TLSv1.2 Change Cipher Spec, length = 1
    main, READ: TLSv1.2 Handshake, length = 40

You just have to use a custom SSLSocketFactory that sets the protocols
you want to enable on the (client) socket. If one of the protocols you
use is "SSLv2Hello".

Oddly enough, when *not* specifying SSLv2Hello, you'll get this
(abridged output):

    Allow unsafe renegotiation: false
    Allow legacy hello messages: true
    Is initial handshake: true
    Is secure renegotiation: false
    ...
    main, WRITE: TLSv1.2 Handshake, length = 221
    main, READ: TLSv1.2 Handshake, length = 89
    main, READ: TLSv1.2 Handshake, length = 2779
    main, READ: TLSv1.2 Handshake, length = 589
    main, READ: TLSv1.2 Handshake, length = 4
    main, WRITE: TLSv1.2 Handshake, length = 70
    main, WRITE: TLSv1.2 Change Cipher Spec, length = 1
    main, WRITE: TLSv1.2 Handshake, length = 40
    main, READ: TLSv1.2 Change Cipher Spec, length = 1
    main, READ: TLSv1.2 Handshake, length = 40

When the SSLv2Hello "protocol" isn't enabled, you don't get the
"main, WRITE" and "main, READ"

Note that I'm not trying anything with a client certificate, here.

I hope that helps somewhat.

-chris
