Hi, I really need to read up on https clients. The reference example written in python is using SSL23 and so did the sample https client I wrote in c++ using the POCO library. I found the setting to switch to TLS1.x and now I can use tomcat 7.0.70 without enabling the SSLv2Hello protocol.
Thanks for the help about removing the need to use SSLv2Hello.

/Magnus

On 2016-09-28 08:20, Persson, Magnus (SE-TLX) wrote:
> Hi Chris,
>
> The java servlet (in webapps folder) was written by a consultant and I
> have only looked at parts of the source code and don't know all that it
> does.
>
> The purpose is to give external integrators a way in to our software
> through a REST API.
> We have made a reference client in python that connects, creates a
> session and can send POST, GET, DELETE, etc.
>
> This sample client will get this 'hello' ssl error with tomcat versions
> greater than 7.0.68.
> I have also tested a client in c++ that uses the POCO library. Same
> hello error.
>
> Since we have only specified the TLSv1.x protocols in the tomcat config
> I assume the initial hello request is encapsulated in an SSL2 frame by
> one of the TLSv1.x protocols.
> The purpose of adding SSLv2Hello was to allow this initial hello request.
>
> If the problem is the java servlet I'd like to correct it to not
> encapsulate the hello request in an SSLv2/SSLv3 frame. Could this be the
> problem or is it in the calling client?
>
> /Magnus
>
> On 2016-09-27 23:07, Christopher Schultz wrote:
>> Magnus,
>>
>> On 9/27/16 10:29 AM, Persson, Magnus (SE-TLX) wrote:
>>> We started out with tomcat 7.0.35 and got that running with our
>>> REST servlet.
>>>
>>> When we upgraded to tomcat 7.0.63 we got this error when we tried
>>> to create a new session:
>>>
>>> { "message": "[Errno 1] _ssl.c:507: error:14077410:SSL
>>> routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure" }
>> This is an error message from OpenSSL. Is this the client that is
>> choking, or the server?
>>
>>> Through Google we found out that we needed to add "SSLv2Hello" to
>>> the enabled protocols so we changed our connector in server.xml
>>> like this (only added SSLv2Hello):
>>>
>>> <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
>>> maxThreads="150" scheme="https" secure="true"
>>> keystoreFile="${catalina.base}/conf/keystore" keystorePass="*"
>>> clientAuth="false" sslProtocol="TLS"
>>> sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1,SSLv2Hello"
>>> URIEncoding="UTF-8" />
>>>
>>> We upgraded to tomcat 7.0.68 and it works fine with above connector
>>> in server.xml
>> Do you absolutely need to accept SSLv2Hello-formatted handshakes? Most
>> of the web has abandoned SSLv3 and below at this point, so SSLv2Hello
>> should no longer be necessary.
>>
>>> When we upgraded to tomcat 7.0.70 we got the sslv3 error again even
>>> though we have SSLv2Hello in the enabled protocols:
>>>
>>> { "message": "[Errno 1] _ssl.c:507: error:14077410:SSL
>>> routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure" }
>>>
>>> What do we need to change in the server.xml file to bypass the ssl3
>>> error this time?
>> That depends upon where you are actually getting that error.
>>
>> - -chris
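Below is an added example, not code from this thread or from Tomcat, that pulls apart the OpenSSL error string quoted above (the `SSL23_` function name is the clue that the reporting client was built on the version-flexible SSLv23 method) and builds a Python client context that offers TLS 1.2 and above only, which is the client-side change Magnus describes; with such a client the Tomcat connector can keep `sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1"` without `SSLv2Hello`. The `cafile` parameter is an assumption for a REST host signed by a private CA.

```python
import re
import ssl

# Constructed sample: the OpenSSL error string quoted in this thread, as the
# Python reference client reported it.
SAMPLE_ERROR = ("[Errno 1] _ssl.c:507: error:14077410:SSL routines:"
                "SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure")

# OpenSSL error strings look like error:<code>:<library>:<function>:<reason>
_OPENSSL_ERR = re.compile(
    r"error:(?P<code>[0-9A-Fa-f]{8}):(?P<library>[^:]+):"
    r"(?P<function>[^:]+):(?P<reason>.+)$")


def parse_openssl_error(message: str) -> dict:
    """Split an OpenSSL error string into fields and note what they imply."""
    m = _OPENSSL_ERR.search(message)
    if not m:
        raise ValueError("not an OpenSSL error string: %r" % message)
    fields = m.groupdict()
    # SSL23_* functions belong to OpenSSL's version-flexible (SSLv23) method,
    # so the reporting side is a PROTOCOL_SSLv23 client; a reason containing
    # "alert" means the peer (here Tomcat) sent the alert and the client relayed it.
    fields["client_method"] = ("SSLv23" if fields["function"].startswith("SSL23_")
                               else "other")
    fields["alert_from_peer"] = " alert " in fields["reason"]
    return fields


def make_tls_client_context(cafile: str = None) -> ssl.SSLContext:
    """Client context that offers TLS 1.2+ only, so Tomcat needs no SSLv2Hello."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # CERT_REQUIRED + check_hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # no SSLv3/TLS1.0 fallback either
    if cafile:
        ctx.load_verify_locations(cafile)  # assumed: a private CA for the REST host
    else:
        ctx.load_default_certs()
    return ctx


def context_summary(ctx: ssl.SSLContext) -> dict:
    """What the context will negotiate; a pre-flight check before connecting."""
    return {
        "minimum_version": ctx.minimum_version.name,
        "verify_mode": ctx.verify_mode.name,
        "check_hostname": ctx.check_hostname,
    }
```

Pass the context to `http.client.HTTPSConnection(host, context=make_tls_client_context())` in place of the SSLv23 socket the reference client used.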