tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From bugzi...@apache.org
Subject DO NOT REPLY [Bug 51477] New: Fix for 51073 Breaks SSLv3+TLSv1 Protocol Support in APR Connector
Date Tue, 05 Jul 2011 16:53:25 GMT
https://issues.apache.org/bugzilla/show_bug.cgi?id=51477

             Bug #: 51477
           Summary: Fix for 51073 Breaks SSLv3+TLSv1 Protocol Support in
                    APR Connector
           Product: Tomcat 7
           Version: unspecified
          Platform: PC
        OS/Version: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Connectors
        AssignedTo: dev@tomcat.apache.org
        ReportedBy: marvin.addison@gmail.com
    Classification: Unclassified


We have used SSLProtocol="SSLv3+TLSv1" with the APR connectors in 6.0.x and
7.0.x successfully to support both SSLv3 and TLSv1 protocols exclusively (no
SSLv2 support).  The following openssl s_client connection tests demonstrate
this functionality with 7.0.8:

$ openssl s_client -connect eiger.middleware.vt.edu:443 -tls1
CONNECTED(00000003)
...
SSL handshake has read 6158 bytes and written 293 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: zlib compression
Expansion: zlib compression
SSL-Session:
    Protocol  : TLSv1
...

$ openssl s_client -connect eiger.middleware.vt.edu:443 -ssl3
CONNECTED(00000003)
...
SSL handshake has read 6027 bytes and written 319 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: zlib compression
Expansion: zlib compression
SSL-Session:
    Protocol  : SSLv3
...

$ openssl s_client -connect eiger.middleware.vt.edu:443 -ssl2
15389:error:140A90C4:SSL routines:SSL_CTX_new:null ssl method
passed:ssl_lib.c:1453:

Upon upgrading to Tomcat 7.0.16, which includes the fix for
https://issues.apache.org/bugzilla/show_bug.cgi?id=51073, our desired protocol
combination fails with the expected "unsupported protocol" message. 
Unfortunately, none of the officially supported strings mentioned at
http://tomcat.apache.org/tomcat-7.0-doc/config/http.html#SSL%20Support provide
the desired protocol support.  In particular the protocol values are exclusive,
where setting SSLProtocol="SSLv3" prevents TLSv1 connections and vice versa. 
The following s_client tests confirm this behavior:

(7.0.16 with SSLProtocol="SSLv3")
$ openssl s_client -connect eiger.middleware.vt.edu:443 -tls1
CONNECTED(00000003)
15696:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version
number:s3_pkt.c:293:

$ openssl s_client -connect eiger.middleware.vt.edu:443 -ssl3
CONNECTED(00000003)
...
SSL handshake has read 6027 bytes and written 319 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: zlib compression
Expansion: zlib compression
SSL-Session:
    Protocol  : SSLv3
...


(7.0.16 with SSLProtocol="TLSv1")
$ openssl s_client -connect eiger.middleware.vt.edu:443 -tls1
CONNECTED(00000003)
...
SSL handshake has read 6158 bytes and written 293 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: zlib compression
Expansion: zlib compression
SSL-Session:
    Protocol  : TLSv1
...

$ openssl s_client -connect eiger.middleware.vt.edu:443 -ssl3
CONNECTED(00000003)
15816:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake
failure:s3_pkt.c:1102:SSL alert number 40
15816:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake
failure:s3_pkt.c:539:

-- 
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org


Mime
View raw message