Magnus,

On 9/28/16 2:20 AM, Persson, Magnus (SE-TLX) wrote:
> The java servlet (in webapps folder) was written by a consultant
> and I have only looked at parts of the source code and don't know
> all that it does.
> 
> The purpose is to give external integrators a way in to our
> software through a REST API. We have made a reference client in
> python that connects, creates a session and can send POST, GET,
> DELETE, etc.

Understood. The implementation of the servlet is largely irrelevant,
since Tomcat is handling the TLS configuration.

> This sample client will get this 'hello' ssl error with tomcat
> versions greater than 7.0.68. I have also tested a client in c++
> that uses the POCO library. Same hello error.

So you are using a C++ client using POCO. It looks like POCO is using
OpenSSL under the hood.

> Since we have only specified the TLSv1.x protocols in the tomcat
> config I assume the initial hello request is encapsulated in an
> SSL2 frame by one of the TLSv1.x protocols.

That's not the exact mechanics, but it's close enough. The problem is
that the TLS handshake is not compatible with the SSLv2Hello-based
one. So if the server supports only TLS and the client is expecting to
be able to initiate an SSLv2Hello, then the client will get an error.

> The purpose of adding TLSv2Hello was to allow this initial hello
> request.

Understood.

> If the problem is the java servlet I'd like to correct it to not 
> encapsulate the hello request in an SSLv2/SSLv3 frame. Could this
> be the problem or is it in the calling client?

You can't fix the client's behavior by modifying the server.

If you want to use only TLSv1 or later, then the best thing to do
would be to update the client to only use TLS and not use SSL at all.

On the other hand, SSLv2Hello *should* work from within Tomcat. With a
fresh Tomcat, if you add "SSLv2Hello" to the sslEnabledProtocols list,
can you make a connection from a client that supports TLSv1+ and uses
a SSLv2Hello handshake?

-chris

> On 2016-09-27 23:07, Christopher Schultz wrote:
> Magnus,
> 
> On 9/27/16 10:29 AM, Persson, Magnus (SE-TLX) wrote:
>>>> We started out with tomcat 7.0.35 and got that running with
>>>> our REST servlet.
>>>> 
>>>> When we upgraded to tomcat 7.0.63 we got this error when we
>>>> tried to create a new session:
>>>> 
>>>> { "message": "[Errno 1] _ssl.c:507: error:14077410:SSL 
>>>> routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake
>>>> failure" }
> This is an error message from OpenSSL. Is this the client that is 
> choking, or the server?
> 
>>>> Through Google we found out that we needed to add
>>>> "SSLv2Hello" to the enabled protocols so we changed our
>>>> connector in server.xml like this (only added SSLv2Hello):
>>>> 
>>>> <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true" 
>>>> maxThreads="150" scheme="https" secure="true" 
>>>> keystoreFile="${catalina.base}/conf/keystore"
>>>> keystorePass="*" clientAuth="false" sslProtocol="TLS" 
>>>> sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1,SSLv2Hello" 
>>>> URIEncoding="UTF-8" />
>>>> 
>>>> We upgraded to tomcat 7.0.68 and it works fine with above
>>>> connector in server.xml
> Do you absolutely need to accept SSLv2Hello-formatted handshakes?
> Most of the web has abandoned SSLv3 and below at this point, so
> SSLv2Hello should no longer be necessary.
> 
>>>> When we upgraded to tomcat 7.0.70 we got the sslv3 error
>>>> again even though we have SSLv2Hello in the enabled
>>>> protocols:
>>>> 
>>>> { "message": "[Errno 1] _ssl.c:507: error:14077410:SSL 
>>>> routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake
>>>> failure" }
>>>> 
>>>> What do we need to change in the server.xml file to bypass
>>>> the ssl3 error this time?
> That depends upon where you are actually getting that error.
> 
> -chris
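Added example (not part of any message in this thread, and not code from Tomcat, POCO or the reference client): a small Python 3.7+ script that does two things a defender triaging this report would want. First it unpacks the OpenSSL error code quoted above (`error:14077410:...`) into its library, function and reason fields, which shows that the client was using OpenSSL's version-flexible SSLv23 client method and that the `sslv3 alert handshake failure` text means the *server* sent a TLS handshake_failure alert (alert 40), not that SSLv3 was negotiated. Second it builds the TLS-only client context Chris recommends instead of relying on SSLv2Hello, pinned to TLS 1.2 or later with certificate and hostname verification on. The host, port and path in the commented usage line are placeholders, not values from the thread.

```python
"""Triage helpers for the 'sslv3 alert handshake failure' seen in this thread.

decode_openssl_error() unpacks the OpenSSL 1.0.x error code the Python
client reported; make_tls_only_client_context() builds a TLS-only client
context (the client-side fix suggested in the thread).
Requires Python 3.7+ (ssl.TLSVersion / SSLContext.minimum_version).
"""
import http.client
import json
import re
import ssl

# Error string as quoted in the thread (reported by the Python reference client).
THREAD_ERROR = ("[Errno 1] _ssl.c:507: error:14077410:SSL routines:"
                "SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure")

# TLS alert descriptions (RFC 5246, section 7.2). OpenSSL reports an alert
# received from the peer as reason code 1000 + alert number; the "sslv3 alert"
# wording is OpenSSL's naming for the SSL3/TLS alert protocol, not a sign that
# SSLv3 was negotiated.
TLS_ALERTS = {
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    40: "handshake_failure", 42: "bad_certificate", 46: "certificate_unknown",
    47: "illegal_parameter", 48: "unknown_ca", 49: "access_denied",
    50: "decode_error", 51: "decrypt_error", 70: "protocol_version",
    71: "insufficient_security", 80: "internal_error",
    112: "unrecognized_name", 120: "no_application_protocol",
}
ERR_LIB_SSL = 20  # ERR_LIB_SSL in OpenSSL's err.h

ERR_RE = re.compile(r"error:([0-9A-Fa-f]{8}):([^:]*):([^:]*):(.*)")


def decode_openssl_error(msg):
    """Unpack an OpenSSL 1.0.x 'error:XXXXXXXX:lib:func:reason' string.

    The 32-bit code packs 8 bits of library, 12 bits of function and
    12 bits of reason (ERR_PACK). Returns None if no such code is present.
    """
    m = ERR_RE.search(msg)
    if not m:
        return None
    code = int(m.group(1), 16)
    reason = code & 0xFFF
    alert = reason - 1000 if reason >= 1000 else None
    return {
        "library": (code >> 24) & 0xFF,
        "function": (code >> 12) & 0xFFF,
        "reason": reason,
        "func_name": m.group(3),
        "reason_text": m.group(4).strip(),
        # SSL23_* functions belong to OpenSSL's version-flexible SSLv23
        # client method, i.e. the client did not pin itself to TLS.
        "client_used_sslv23_method": m.group(3).startswith("SSL23_"),
        # A reason >= 1000 means the *peer* (here the server) sent an alert.
        "peer_alert": None if alert is None
        else TLS_ALERTS.get(alert, "alert_%d" % alert),
    }


def make_tls_only_client_context(cafile=None):
    """Client context that speaks TLS 1.2+ only and verifies the server.

    PROTOCOL_TLS_CLIENT never emits an SSLv2-format ClientHello, so the
    server does not need SSLv2Hello in sslEnabledProtocols for this client.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuses SSLv3/TLS1.0/1.1
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    if cafile:
        ctx.load_verify_locations(cafile=cafile)  # e.g. the Tomcat cert's CA
    else:
        ctx.load_default_certs()
    return ctx


def get_json(host, port, path, ctx):
    """GET a JSON resource from the REST servlet over the hardened context."""
    conn = http.client.HTTPSConnection(host, port, context=ctx, timeout=10)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        return resp.status, json.loads(resp.read().decode("utf-8"))
    finally:
        conn.close()


if __name__ == "__main__":
    info = decode_openssl_error(THREAD_ERROR)
    print("library=%d function=%d (%s) reason=%d" % (
        info["library"], info["function"], info["func_name"], info["reason"]))
    print("alert received from server:", info["peer_alert"])
    ctx = make_tls_only_client_context()
    print("client minimum version:", ctx.minimum_version.name)
    # Placeholder host/path (assumed, not from the thread):
    # status, body = get_json("rest.example.invalid", 443, "/api/session", ctx)
```

Reading the decoded fields: library 20 is ERR_LIB_SSL, the function is SSL23_GET_SERVER_HELLO, and reason 1040 is 1000 + 40, i.e. the server answered the hello with a handshake_failure alert. That is why changing the servlet cannot help: the failure is decided between the client's hello format and the server's connector settings before any servlet code runs.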

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
