Richard,
On 4/9/19 17:48, Richard Huntrods wrote:
> I would like to 'do what's necessary' to remove the following
> error. Google tells me it's related to my security implementation,
> which is HTTPS by default. I am convinced the problem is in how I
> invoke the port 443 connector in my server.xml. I've been running
> this servlet on versions of Tomcat since 2001, and have kept my
> Tomcat instances up to date. Most recently I started noticing this
> in the logs, and am pretty sure it's because I've been copying the
> connector code bit from server.xml to server.xml as I upgraded
> versions of Tomcat.

With a few exceptions, the <Connector /> configuration hasn't changed a lot since then. The TLS configuration changed recently to be more expressive and allow for more complex configurations, but the old syntax should still work in many cases.

> I really suspect my connector is now out-of-date and could use
> some guidance as to the best new form. I see in the recent
> server.xml they use a different invocation, but don't know if this
> is best...
>
> OS: Ubuntu 18.04 LTS Live server
> Tomcat: 8.5.39, installed from tar.gz obtained from Tomcat.

What is the Java version?

> I've done this enough times to "get it right", so it's just this
> Hello error I want to eradicate...

:)

> Here is the error message:
>
> 08-Apr-2019 01:00:23.477 SEVERE [https-jsse-nio-443-exec-9] org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun
> java.lang.UnsupportedOperationException: Unsupported SSL v2.0 ClientHello
> at java.base/sun.security.ssl.SSLEngineInputRecord.handleUnknownRecord(SSLEngineInputRecord.java:373)
> at java.base/sun.security.ssl.SSLEngineInputRecord.decode(SSLEngineInputRecord.java:195)
> at java.base/sun.security.ssl.SSLEngineImpl.readRecord(SSLEngineImpl.java:975)
> at java.base/sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:902)
> at java.base/sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:680)
> at java.base/javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:626)
> at org.apache.tomcat.util.net.SecureNioChannel.handshakeUnwrap(SecureNioChannel.java:475)
> at org.apache.tomcat.util.net.SecureNioChannel.handshake(SecureNioChannel.java:238)
> at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1475)
> at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
> at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1135)
> at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
> at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
> at java.base/java.lang.Thread.run(Thread.java:844)
>
> My certificates are new and correct, and have run fine in past
> versions of Tomcat without problems...
>
> THIS IS MY SERVER.XML - Most of it is identical to the server.xml
> supplied with Tomcat 8.5.39. My changes are after the *** THIS IS
> MY CONNECTOR ... *** comment.
>
> [snip]
>
> <!-- *** THIS IS MY CONNECTOR FOR PORT 443: COPIED FROM PAST
> TOMCAT VERSIONS *** -->
> <Connector port="443" protocol="HTTP/1.1"
>            SSLEnabled="true" maxThreads="150" enableLookups="false"
>            scheme="https" secure="true" keystoreFile="./keys/.keystore"
>            keystorePass="password" clientAuth="false" sslProtocol="TLS" />

You should really read the new TLS configuration guide[1] and use <Connector> with a nested <SSLHostConfig> element. But there isn't anything in there that looks to be a problem to me.

My guess is that you are using a very new Java which has dropped support for the SSLv2Hello pseudo-protocol. That's not actually an encryption protocol, but instead is a handshake protocol which allows some versions of TLS to be negotiated using an old-style SSLv2 "hello" handshake.

If that's the problem then:

1. You shouldn't be able to start Tomcat or in fact make any connections. Or maybe it's just a warning that it's not supported and Java will throw the error and the client will re-connect using TLS like any modern system should.

2. You should be able to fix it by either specifying:

<Connector ... sslEnabledProtocols="TLSv1.2" (and others if you want)

or

<Connector ...
  <SSLHostConfig protocols="TLSv1.2" (and others if you want)
</Connector>

Hope that helps,
-chris

[1] http://tomcat.apache.org/tomcat-8.5-doc/config/http.html#SSL_Support
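As an added check (not code from this thread or from Tomcat), a small Python audit that parses a server.xml and reports, for every SSLEnabled Connector, which old-style TLS attributes it still carries and whether it declares an explicit protocol list, either via sslEnabledProtocols on the Connector or via protocols on a nested SSLHostConfig. The sample server.xml is constructed: the port 443 connector mirrors the one quoted above, the port 8443 one uses the SSLHostConfig style from the TLS configuration guide with made-up keystore values.

```python
import xml.etree.ElementTree as ET

# Old-style TLS attributes set directly on <Connector>; the 8.5 TLS guide
# moves this configuration into nested <SSLHostConfig> / <Certificate>.
CONNECTOR_TLS_ATTRS = ("keystoreFile", "keystorePass", "clientAuth",
                       "sslProtocol", "sslEnabledProtocols", "ciphers")

def _split(value):
    # Comma-separated attribute value -> set of protocol names
    return {p.strip() for p in (value or "").split(",") if p.strip()}

def audit_connectors(server_xml):
    """Return one finding dict per SSLEnabled <Connector> in a server.xml string."""
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue  # plain HTTP/AJP connectors carry no TLS settings
        hostconfigs = conn.findall("SSLHostConfig")
        protocols = _split(conn.get("sslEnabledProtocols"))
        for shc in hostconfigs:
            protocols |= _split(shc.get("protocols"))
        findings.append({
            "port": conn.get("port"),
            "legacy_attributes": [a for a in CONNECTOR_TLS_ATTRS if a in conn.attrib],
            "uses_sslhostconfig": bool(hostconfigs),
            "protocols": sorted(protocols),
            # Nothing listed (or only the "all" keyword) means the Tomcat/JSSE
            # default applies, so the negotiable set depends on the Java version.
            "explicit_protocols": bool(protocols - {"all"}),
            "sslv2hello_listed": "SSLv2Hello" in protocols,
        })
    return findings

# Constructed sample: the quoted port 443 connector plus an SSLHostConfig-style one.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="150"
               enableLookups="false" scheme="https" secure="true"
               keystoreFile="./keys/.keystore" keystorePass="password"
               clientAuth="false" sslProtocol="TLS" />
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" scheme="https" secure="true">
      <SSLHostConfig protocols="TLSv1.2,TLSv1.3">
        <Certificate certificateKeystoreFile="conf/keystore.jks" certificateKeystorePassword="changeit" />
      </SSLHostConfig>
    </Connector>
  </Service>
</Server>
"""
```

Run audit_connectors(SAMPLE_SERVER_XML) to see both findings; a connector with explicit_protocols False is relying on whatever the installed Java negotiates by default.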