Thanks for your help. Here is more info on my setup: Tomcat version 6.0.29. And Tomcat is starting clean; no errors while loading.
If I use tls1, I get the same error as before ("bad version"). When I test with openssl s_client, I check line 293 of s3_pkt.c. It says -->

    if ((version>>8) != SSL3_VERSION_MAJOR) {
        SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_WRONG_VERSION_NUMBER);
        goto err;
    }

So the client is wanting SSL version 3. But I have the same error with the browser. I do not/cannot find what version the browser wants - I think it is 3.

Konstantin Kolinko wrote:
>
> 2011/11/6 Kobe <r...@mailcity.com>:
>>
>> I built tcnative and apr from source with the existing version of openssl
>> (meaning openssl was not built by me). I load the apr connector in Tomcat
>> as below.
>>
>> When my client connects, I cannot connect: I get "bad version".
>> Please explain what I am doing wrong?
>>
>>
>> server# ./apr-1-config --version
>> 1.4.5
>> server#
>> server# openssl version
>> OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
>> server#
>>
>> /// APR Connector Configuration in Tomcat6
>> <Connector port="443"
>>   protocol="org.apache.coyote.http11.Http11AprProtocol"
>>   enableLookups="false" disableUploadTimeout="true"
>>   acceptCount="100" scheme="https" secure="true"
>>   SSLCertificateFile="server_certificate.pem"
>>   SSLCertificateChainFile="cachain.pem"
>>   SSLCertificateKeyFile="server.key"
>> />
>>
>>
>> $ openssl s_client -connect server.xxx.net:443 -debug -ssl3
>
>> 44414:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version
>> number:/SourceCache/OpenSSL098/OpenSSL098-35.1/src/ssl/s3_pkt.c:293:
>
> And what happens with
> $ openssl s_client -connect server.xxx.net:443 -debug -tls1
> ?
>
> What is on line 293 in s3_pkt.c in the version of openssl the client
> side of the connection is using?
>
> A quick guess is that client & server cannot negotiate a protocol version.
> There are some options on <Connector> that might be used to configure
> protocols & ciphers that are supported.
>
> Note that
> - There were several security fixes in OpenSSL since that version that
> you are using.
> - You may try googling for your error message. It is mentioned a lot of
> times.
> - You are not mentioning what version of Tomcat x.y.z you are using.
> - There might be some messages in Tomcat log files. Does Tomcat start
> up cleanly?
>
> Re: Andre's question:
> That is openssl in command-line client mode, as a test whether it can
> connect to the server.
>
> Best regards,
> Konstantin Kolinko
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
>
>

--
View this message in context: http://old.nabble.com/SSL-connect-to-APR-fails---%22bad-version%22-tp32788669p32805993.html
Sent from the Tomcat - User mailing list archive at Nabble.com.
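
The comparison quoted from s3_pkt.c in the message above, as an added example that is not part of the original thread and is not OpenSSL's own source: it parses the 5-byte record header a client reads first and applies the same major-byte test. The struct, function name and sample byte strings are constructed for illustration; SSLv3 (0x0300) and TLS 1.0 (0x0301) both carry major byte 3, so either passes, while bytes that are not a TLS record at all do not.

```c
#include <stdio.h>
#include <stddef.h>

#define SSL3_VERSION_MAJOR 0x03  /* same major byte for SSLv3 (3.0) and TLS 1.x (3.1+) */

enum rec_status { REC_OK, REC_SHORT, REC_WRONG_VERSION };

struct rec_hdr { unsigned char type; unsigned version; unsigned length; };

/* Parse the 5-byte SSLv3/TLS record header: type(1) version(2) length(2). */
enum rec_status parse_record_header(const unsigned char *p, size_t n, struct rec_hdr *h)
{
    if (n < 5)
        return REC_SHORT;
    h->type    = p[0];
    h->version = (unsigned)p[1] << 8 | p[2];
    h->length  = (unsigned)p[3] << 8 | p[4];
    /* The comparison quoted from s3_pkt.c: only the major byte is tested. */
    if ((h->version >> 8) != SSL3_VERSION_MAJOR)
        return REC_WRONG_VERSION;
    return REC_OK;
}

/* Constructed sample inputs, not captured from the poster's server. */
static const unsigned char sample_tls10[] = { 0x16, 0x03, 0x01, 0x00, 0x4a };
static const unsigned char sample_sslv3[] = { 0x16, 0x03, 0x00, 0x00, 0x4a };
static const unsigned char sample_text[]  = { 'H', 'T', 'T', 'P', '/' };

int main(void)
{
    static const struct { const char *name; const unsigned char *b; } s[] = {
        { "TLS 1.0 handshake record", sample_tls10 },
        { "SSLv3 handshake record",   sample_sslv3 },
        { "non-TLS bytes",            sample_text  },
    };
    for (size_t i = 0; i < sizeof s / sizeof s[0]; i++) {
        struct rec_hdr h;
        enum rec_status r = parse_record_header(s[i].b, 5, &h);
        printf("%-26s version=0x%04x -> %s\n", s[i].name, h.version,
               r == REC_OK ? "accepted" : "wrong version number");
    }
    return 0;
}
```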