tomcat-users mailing list archives

From Kobe <...@mailcity.com>
Subject Re: SSL connect to APR fails - "bad version"
Date Tue, 08 Nov 2011 22:01:55 GMT

Thanks for your help. Here is more info on my setup: Tomcat version 6.0.29.
And Tomcat is starting clean; no errors while loading.

If I use tls1, I get the same error as before ("bad version").

When I test with openssl s_client, I check line 293 of s3_pkt.c. It says -->


    if ((version>>8) != SSL3_VERSION_MAJOR)
        {
        SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_WRONG_VERSION_NUMBER);
        goto err;
        }



So client is wanting ssl version 3. But I have the same error with browser. I
do not/cannot find what version browser wants - I think it is 3.


Konstantin Kolinko wrote:
> 
> 2011/11/6 Kobe <rk_@mailcity.com>:
>>
>> I build tcnative and apr from src with existing ver of openssl (means
>> openssl not built by me). I load apr connector in tomcat as below.
>>
>> When my client connects, I cannot connect: I get "bad version".
>> Please explain what I do wrong?
>>
>>
>> server# ./apr-1-config  --version
>> 1.4.5
>> server#
>> server# openssl version
>> OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
>> server#
>>
>>  /// APR Connector Configuration in Tomcat6
>>  <Connector port="443"
>>    protocol="org.apache.coyote.http11.Http11AprProtocol"
>>    enableLookups="false" disableUploadTimeout="true"
>>    acceptCount="100" scheme="https" secure="true"
>>    SSLCertificateFile="server_certificate.pem"
>>    SSLCertificateChainFile="cachain.pem"
>>    SSLCertificateKeyFile="server.key"
>>  />
>>
>>
>> $ openssl s_client -connect server.xxx.net:443 -debug -ssl3
> 
>> 44414:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version
>> number:/SourceCache/OpenSSL098/OpenSSL098-35.1/src/ssl/s3_pkt.c:293:
> 
> And what happens with
> $ openssl s_client -connect server.xxx.net:443 -debug -tls1
> ?
> 
> What is on line 293 in s3_pkt.c in the version of openssl the client
> side of the connection is using?
> 
> My quick guess is that client & server cannot negotiate protocol version.
> There are some options on <Connector> that might be used to configure
> protocols & ciphers that are supported.
> 
> Note that
> - There were several security fixes in OpenSSL since that version that
> you are using.
> - You may try googling for your error message. It is mentioned a lot of
> times.
> - You are not mentioning what version of Tomcat x.y.z you are using.
> - There might be some messages in Tomcat log files. Does Tomcat start
> up cleanly?
> 
> Re: Andre's question:
> That is openssl in command-line client mode, as a test whether it can
> connect to the server.
> 
> Best regards,
> Konstantin Kolinko
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
> 
> 
> 

-- 
View this message in context: http://old.nabble.com/SSL-connect-to-APR-fails---%22bad-version%22-tp32788669p32805993.html
Sent from the Tomcat - User mailing list archive at Nabble.com.
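
The version test quoted from s3_pkt.c, applied to constructed five-byte samples (an added example, not part of the original message and not OpenSSL's code). It reads the version from bytes 1-2 of the record header, so SSLv3 and TLS 1.0 records both pass with major byte 3; `classify_record`, the verdict names and the sample bytes are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define REC_HDR_LEN   5     /* type(1) + version(2) + length(2) */
#define VERSION_MAJOR 0x03  /* value of OpenSSL's SSL3_VERSION_MAJOR */

enum rec_verdict { REC_OK, REC_SHORT, REC_SSLV2_HELLO, REC_PLAINTEXT, REC_WRONG_VERSION };

/* Constructed sample inputs: the first five bytes a peer might send. */
const uint8_t sample_sslv3[]   = {0x16, 0x03, 0x00, 0x00, 0x2a}; /* SSLv3 handshake record */
const uint8_t sample_tls10[]   = {0x16, 0x03, 0x01, 0x00, 0x2a}; /* TLS 1.0 handshake record */
const uint8_t sample_v2hello[] = {0x80, 0x2e, 0x01, 0x03, 0x01}; /* SSLv2-framed ClientHello */
const uint8_t sample_http[]    = {'H', 'T', 'T', 'P', '/'};      /* plaintext HTTP reply */
const uint8_t sample_junk[]    = {0x16, 0x02, 0x00, 0x00, 0x2a}; /* major byte 2 */

/* Hypothetical helper: apply the quoted version test, then explain a failure. */
enum rec_verdict classify_record(const uint8_t *p, size_t len)
{
    if (len < REC_HDR_LEN)
        return REC_SHORT;
    unsigned version = ((unsigned)p[1] << 8) | p[2];  /* bytes 1-2 of the header */
    if ((version >> 8) == VERSION_MAJOR)              /* inverse of the s3_pkt.c test */
        return REC_OK;
    if ((p[0] & 0x80) && p[2] == 0x01)                /* 2-byte length, msg type 1 */
        return REC_SSLV2_HELLO;
    size_t printable = 0;
    for (size_t i = 0; i < REC_HDR_LEN; i++)
        printable += (p[i] >= 0x20 && p[i] < 0x7f);
    return printable == REC_HDR_LEN ? REC_PLAINTEXT : REC_WRONG_VERSION;
}

const char *verdict_name(enum rec_verdict v)
{
    static const char *names[] = { "ok", "short read", "SSLv2 ClientHello",
                                   "plaintext, not SSL/TLS", "wrong version number" };
    return names[v];
}

int main(void)
{
    const uint8_t *samples[] = { sample_sslv3, sample_tls10, sample_v2hello,
                                 sample_http, sample_junk };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%02x %02x %02x -> %s\n", samples[i][0], samples[i][1],
               samples[i][2], verdict_name(classify_record(samples[i], REC_HDR_LEN)));
    return 0;
}
```

Every verdict other than "ok" and "short read" is a case where the quoted test fails and OpenSSL reports "wrong version number"; the samples do not say which case applies to this thread.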

