tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Adamus, Steven J." <STEVEN.J.ADA...@saic.com>
Subject RE: SSL connect to APR fails - "bad version"
Date Wed, 09 Nov 2011 07:05:44 GMT
Hi Kobe; 
 
I can see why it looks like the server is sending the message, but I think there's some reference
that's being missed.  The SSL debug should show Client messages and Server messages. 
 
One thing that's certain, the SSLv2 ClientHello is a client message sent by the client.  This
message is never sent by the server. 
 
On a separate note, the APR is very strict about enforcing TLSv1.  When it's configured for
TLSv1, it immediately terminates the connection if it receives any SSLv2 ClientHello or SSLv3
Client Hello.  If you have a server with an active APR that's accepting the SSLv2 (or SSLv3)
ClientHello, then the value of SSLProtocol is "all' (default), "SSLv2", "SSLv3", or "SSLv2+SSLv3".

 
Regards, 
Steve

________________________________

From: users-return-229208-STEVEN.J.ADAMUS=saic.com@tomcat.apache.org on behalf of Kobe
Sent: Tue 11/8/2011 10:20 PM
To: users@tomcat.apache.org
Subject: Re: SSL connect to APR fails - "bad version"




thank you Chris. I know the server (APR) is sending SSLv2 ClientHello because
ssl debugs show it:


     // from ${CATALINA_HOME}/bin/setenv.sh:
     export JAVA_OPTS="... -Djavax.net.debug=ssl"
     //...

   # sh ${CATALINA_HOME}/bin/startup.sh

   // from client
    $ openssl s_client -connect server.xxx.net:443 -debug -ssl3

   // from ${CATALINA_HOME}/logs/catalina.out
   ...
   sending SSLv2 ClientHello       <<----   server issues only SSLv2
ClientHello


But same openssl version (FIPS) connects with SSLv3 on another machien.
so I am thinking there is openssl misconfig on this server.

many tahnks.

/Kobe


Christopher Schultz-2 wrote:
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Kobe,
>
> On 11/8/11 2:01 PM, Kobe wrote:
>> thank for your help. here is more info on my setup: tomcat version
>> 6.0.29. And tomcat is startin clean; no ererors while loading.
>>
>> if I use tls1, I get same error as before ("bad version").
>>
>> when i test with openssl s_client, I check line 293 of s3_pkt.c. it
>> say -->
>>
>>
>> if ((version>>8) != SSL3_VERSION_MAJOR) {
>>
>> SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_WRONG_VERSION_NUMBER); goto
>> err; }
>>
>>
>>
>> so client is wanting ssl version 3. But i have same error with
>> browser. i donot/cannot find what version browser wants - i Think
>> it is 3.
>
> Your web browser likely has SSL 2.0 disabled entirely. You should
> check which types of SSL/TLS are enabled.
>
>> So I am thinking, there is misconfigure on this server. i would
>> like to find why this server respond with SSLv2 ClientHello instead
>> of SSLv3 ClientHello.
>
> Why do you think you are getting an SSLv2 reply?
>
>> how do i find this misconfigurn?
>
> Are you using the same version of openssl as the "client" as you are
> using withing Tomcat? I wonder if the FIPS mode is tripping you up.
>
> - -chris
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
> Comment: GPGTools - http://gpgtools.org <http://gpgtools.org/> 
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
>
> iEYEARECAAYFAk65274ACgkQ9CaO5/Lv0PAcfwCeI/nP0CP5Y8Jj1q/1Im/9ef9Y
> tZQAnial2UmsG5FSBSkSclenImxf5YR+
> =vgDW
> -----END PGP SIGNATURE-----
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>
>
>

--
View this message in context: http://old.nabble.com/SSL-connect-to-APR-fails---%22bad-version%22-tp32788669p32808893.html
Sent from the Tomcat - User mailing list archive at Nabble.com.


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org




Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message