George, I'm not sure we can find any solution, but can we have a look at a pcap capture? Esmond Pitt was posting sometimes, that would be a challenge for him.
2015-10-15 4:33 GMT+02:00 Christopher Schultz <ch...@christopherschultz.net>:
> Aurélien,
>
> On 10/14/15 5:59 PM, Aurélien Terrestris wrote:
> > Still no solutions, I suppose..
> >
> > Did you enable the SSLv2 Hello as suggested by Chris, and what's
> > the result? I tested a small client with Java 8, by adding
> > -Djdk.tls.client.protocols="SSLv2Hello,TLSv1.2" at the command
> > line, and I get my SSLv2 Hello.
>
> It looks like if you add SSLv2Hello to the list of protocols you'll
> accept, you'll get an SSLv2Hello in there (abridged output):
>
> Allow unsafe renegotiation: false
> Allow legacy hello messages: true
> Is initial handshake: true
> Is secure renegotiation: false
> ...
> main, WRITE: TLSv1.2 Handshake, length = 221
> main, WRITE: SSLv2 client hello message, length = 140
> main, READ: TLSv1.2 Handshake, length = 81
> main, READ: TLSv1.2 Handshake, length = 2779
> main, READ: TLSv1.2 Handshake, length = 589
> main, READ: TLSv1.2 Handshake, length = 4
> main, WRITE: TLSv1.2 Handshake, length = 70
> main, WRITE: TLSv1.2 Change Cipher Spec, length = 1
> main, WRITE: TLSv1.2 Handshake, length = 40
> main, READ: TLSv1.2 Change Cipher Spec, length = 1
> main, READ: TLSv1.2 Handshake, length = 40
>
> You just have to use a custom SSLSocketFactory that sets the protocols
> you want to enable on the (client) socket. If one of the protocols you
> use is "SSLv2Hello".
>
> Oddly enough, when *not* specifying SSLv2Hello, you'll get this
> (abridged output):
>
> Allow unsafe renegotiation: false
> Allow legacy hello messages: true
> Is initial handshake: true
> Is secure renegotiation: false
> ...
> main, WRITE: TLSv1.2 Handshake, length = 221
> main, READ: TLSv1.2 Handshake, length = 89
> main, READ: TLSv1.2 Handshake, length = 2779
> main, READ: TLSv1.2 Handshake, length = 589
> main, READ: TLSv1.2 Handshake, length = 4
> main, WRITE: TLSv1.2 Handshake, length = 70
> main, WRITE: TLSv1.2 Change Cipher Spec, length = 1
> main, WRITE: TLSv1.2 Handshake, length = 40
> main, READ: TLSv1.2 Change Cipher Spec, length = 1
> main, READ: TLSv1.2 Handshake, length = 40
>
> When the SSLv2Hello "protocol" isn't enabled, you don't get the "main,
> WRITE" and "main, READ"
>
> Note that I'm not trying anything with a client certificate, here. I
> hope that helps somewhat.
>
> -chris