Hi,

I really need to read up on https clients.
The reference example written in python is using SSL23 and so did the 
sample https client I wrote in c++ using POCO library. I found the 
setting to switch to TLS1.x and now I can use tomcat 7.0.70 without 
enabling the SSLv2Hello protocol.

Thanks for the help about removing the need to use SSLv2Hello.

/Magnus
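To make the "SSLv2Hello" setting concrete: Tomcat's SSLv2Hello pseudo-protocol only controls whether the connector accepts a ClientHello wrapped in the old SSLv2 record framing, which some SSLv23-mode clients send; the version the server actually negotiates is the one advertised inside that hello. The function below is an added example for this reply, not code from the thread or from Tomcat: it classifies a captured first client flight by its framing and advertised version, so you can tell from a packet capture which kind of client is hitting the connector. The sample byte strings are constructed, not real captures.

```python
import struct

# Wire version codes from the SSL/TLS specs.
VERSIONS = {0x0200: "SSLv2", 0x0300: "SSLv3", 0x0301: "TLSv1",
            0x0302: "TLSv1.1", 0x0303: "TLSv1.2"}

def classify_client_hello(data):
    """Describe how the client's first flight is framed.

    'framing' is 'SSLv2Hello' for the v2-compatible format (high bit of the
    first byte set, 15-bit length, msg type 0x01), which Tomcat accepts only
    when SSLv2Hello is listed in sslEnabledProtocols, or 'TLS' for a normal
    record-layer handshake. 'version' is the client's advertised maximum.
    """
    if len(data) < 5:
        raise ValueError("too short to be a ClientHello")
    first = data[0]
    if first & 0x80:
        # SSLv2 header: 2-byte length (15 bits), then CLIENT-HELLO + version
        length = ((first & 0x7F) << 8) | data[1]
        if data[2] != 0x01:
            raise ValueError("SSLv2 record is not a CLIENT-HELLO")
        version = struct.unpack("!H", data[3:5])[0]
        return {"framing": "SSLv2Hello",
                "version": VERSIONS.get(version, hex(version)),
                "record_length": length}
    if first == 0x16:
        # TLS record: type(1) version(2) len(2) | handshake type(1) len(3) version(2)
        _rec_version, rec_len = struct.unpack("!HH", data[1:5])
        if len(data) < 11 or data[5] != 0x01:
            raise ValueError("TLS record does not carry a ClientHello")
        version = struct.unpack("!H", data[9:11])[0]
        return {"framing": "TLS",
                "version": VERSIONS.get(version, hex(version)),
                "record_length": rec_len}
    raise ValueError("not a recognised ClientHello framing")

# Constructed samples (hypothetical, not captured traffic).
# v2-compatible hello advertising TLSv1.0: one cipher spec, 16-byte challenge.
SSLV2_HELLO = bytes([0x80, 0x1C, 0x01, 0x03, 0x01, 0x00, 0x03, 0x00, 0x00,
                     0x00, 0x10, 0x00, 0x00, 0x2F]) + b"\x00" * 16
# Standard TLS record carrying a minimal ClientHello advertising TLSv1.2.
TLS_HELLO = (bytes([0x16, 0x03, 0x01, 0x00, 0x2D, 0x01, 0x00, 0x00, 0x29,
                    0x03, 0x03]) + b"\x00" * 32
             + bytes([0x00, 0x00, 0x02, 0x00, 0x2F, 0x01, 0x00]))

if __name__ == "__main__":
    for sample in (SSLV2_HELLO, TLS_HELLO):
        print(classify_client_hello(sample))
```

A client reporting framing "SSLv2Hello" is the one that needs SSLv2Hello on the connector (or, better, a TLS1.x-only context on the client side); a "TLS"-framed hello that still fails points at a version or cipher mismatch instead.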

On 2016-09-28 08:20, Persson, Magnus (SE-TLX) wrote:
> Hi Chris,
>
> The java servlet (in webapps folder) was written by a consultant and I
> have only looked at parts of the source code and don't know all that it
> does.
>
> The purpose is to give external integrators a way in to our software
> through a REST API.
> We have made a reference client in python that connects, creates a
> session and can send POST, GET, DELETE, etc.
>
> This sample client will get this 'hello' ssl error with tomcat versions
> greater than 7.0.68.
> I have also tested a client in c++ that uses the POCO library. Same
> hello error.
>
> Since we have only specified the TLSv1.x protocols in the tomcat config
> I assume the initial hello request is encapsulated in an SSL2 frame by
> one of the TLSv1.x protocols.
> The purpose of adding SSLv2Hello was to allow this initial hello request.
>
> If the problem is the java servlet I'd like to correct it to not
> encapsulate the hello request in an SSLv2/SSLv3 frame. Could this be the
> problem or is it in the calling client?
>
> /Magnus
>
> On 2016-09-27 23:07, Christopher Schultz wrote:
>>
>> Magnus,
>>
>> On 9/27/16 10:29 AM, Persson, Magnus (SE-TLX) wrote:
>>> We started out with tomcat 7.0.35 and got that running with our
>>> REST servlet.
>>>
>>> When we upgraded to tomcat 7.0.63 we got this error when we tried
>>> to create a new session:
>>>
>>> { "message": "[Errno 1] _ssl.c:507: error:14077410:SSL
>>> routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure" }
>> This is an error message from OpenSSL. Is this the client that is
>> choking, or the server?
>>
>>> Through Google we found out that we needed to add "SSLv2Hello" to
>>> the enabled protocols so we changed our connector in server.xml
>>> like this (only added SSLv2Hello):
>>>
>>> <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
>>> maxThreads="150" scheme="https" secure="true"
>>> keystoreFile="${catalina.base}/conf/keystore" keystorePass="*"
>>> clientAuth="false" sslProtocol="TLS"
>>> sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1,SSLv2Hello"
>>> URIEncoding="UTF-8" />
>>>
>>> We upgraded to tomcat 7.0.68 and it works fine with above connector
>>> in server.xml
>> Do you absolutely need to accept SSLv2Hello-formatted handshakes? Most
>> of the web has abandoned SSLv3 and below at this point, so SSLv2Hello
>> should no longer be necessary.
>>
>>> When we upgraded to tomcat 7.0.70 we got the sslv3 error again even
>>> though we have SSLv2Hello in the enabled protocols:
>>>
>>> { "message": "[Errno 1] _ssl.c:507: error:14077410:SSL
>>> routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure" }
>>>
>>> What do we need to change in the server.xml file to bypass the ssl3
>>> error this time?
>> That depends upon where you are actually getting that error.
>>
>> -chris