Hi Kobe,

I can see why it looks like the server is sending the message, but I think there's some reference that's being missed. The SSL debug should show Client messages and Server messages.

One thing that's certain, the SSLv2 ClientHello is a client message sent by the client. This message is never sent by the server.

On a separate note, the APR is very strict about enforcing TLSv1. When it's configured for TLSv1, it immediately terminates the connection if it receives any SSLv2 ClientHello or SSLv3 ClientHello. If you have a server with an active APR that's accepting the SSLv2 (or SSLv3) ClientHello, then the value of SSLProtocol is "all" (default), "SSLv2", "SSLv3", or "SSLv2+SSLv3".

Regards,
Steve
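An added example, not code from this thread, from Tomcat or from OpenSSL: it parses the two ClientHello framings Steve distinguishes (the SSLv2 record format with its high-bit length header, and the SSLv3/TLS record format starting with content type 0x16), applies the major-version check Kobe quotes from s3_pkt.c to each, and models in one function only what Steve's message states about SSLProtocol acceptance (a model of his description, not of Tomcat's APR code). The sample hellos are constructed inline; cipher values and the challenge bytes are arbitrary.

```python
"""Added example: tell an SSLv2-framed ClientHello from an SSLv3/TLS-framed one,
and apply the record-version check the thread quotes from OpenSSL's s3_pkt.c.
Not code from the thread, Tomcat or OpenSSL; the sample hellos are constructed."""

import struct
from dataclasses import dataclass

SSL3_VERSION_MAJOR = 0x03   # SSLv3 and every TLS version share major byte 3
HANDSHAKE = 0x16            # SSLv3/TLS record content type "handshake"
CLIENT_HELLO = 0x01         # handshake message type ClientHello (same value in SSLv2)

VERSION_NAMES = {0x0002: "SSLv2", 0x0300: "SSLv3", 0x0301: "TLSv1",
                 0x0302: "TLSv1.1", 0x0303: "TLSv1.2"}


@dataclass
class HelloInfo:
    framing: str       # "SSLv2" or "SSLv3/TLS": how the record is wrapped on the wire
    version: int       # highest protocol version the client advertises in the hello
    cipher_count: int  # number of cipher specs/suites offered


def parse_client_hello(data: bytes) -> HelloInfo:
    """Parse the first record a server reads. The first byte is unambiguous:
    SSLv2 records set the high bit of a 2-byte length header, SSLv3/TLS
    records start with the handshake content type 0x16."""
    if len(data) < 5:
        raise ValueError("short read")
    if data[0] & 0x80:
        # SSLv2 record: 15-bit length, then msg_type, version, and three
        # 2-byte lengths (cipher specs, session id, challenge).
        rec_len = ((data[0] & 0x7F) << 8) | data[1]
        body = data[2:2 + rec_len]
        if len(body) < 9 or body[0] != CLIENT_HELLO:
            raise ValueError("not an SSLv2 ClientHello")
        version, cs_len, sid_len, ch_len = struct.unpack(">HHHH", body[1:9])
        if len(body) < 9 + cs_len + sid_len + ch_len:
            raise ValueError("truncated SSLv2 ClientHello")
        return HelloInfo("SSLv2", version, cs_len // 3)   # SSLv2 cipher specs are 3 bytes
    if data[0] == HANDSHAKE:
        # SSLv3/TLS record: type(1) version(2) length(2), then a handshake
        # message: type(1) length(3) body. ClientHello body: version(2),
        # random(32), session_id<0..32>, cipher_suites<2..2^16-2>, ...
        _rec_version, rec_len = struct.unpack(">HH", data[1:5])
        body = data[5:5 + rec_len]
        if len(body) < 4 or body[0] != CLIENT_HELLO:
            raise ValueError("not a ClientHello handshake message")
        hs_len = int.from_bytes(body[1:4], "big")
        hello = body[4:4 + hs_len]
        if len(hello) < 35:
            raise ValueError("truncated ClientHello")
        client_version = struct.unpack(">H", hello[:2])[0]
        pos = 35 + hello[34]                               # skip random and session id
        if len(hello) < pos + 2:
            raise ValueError("truncated ClientHello")
        cs_len = struct.unpack(">H", hello[pos:pos + 2])[0]
        return HelloInfo("SSLv3/TLS", client_version, cs_len // 2)  # suites are 2 bytes
    raise ValueError("unrecognized first byte 0x%02x" % data[0])


def ssl3_record_version_ok(data: bytes) -> bool:
    """The check Kobe quotes from s3_pkt.c: the 2-byte version after the
    content-type byte must have major byte 3, else SSL_R_WRONG_VERSION_NUMBER.
    Fed an SSLv2-framed hello, bytes 1..2 are the low length byte and the
    msg_type, so the check fails."""
    version = struct.unpack(">H", data[1:3])[0]
    return (version >> 8) == SSL3_VERSION_MAJOR


def accepted_under(info: HelloInfo, ssl_protocol: str) -> bool:
    """Model of what Steve's message states (not Tomcat's code): with
    SSLProtocol="TLSv1" any SSLv2 or SSLv3 ClientHello is dropped; the
    settings he lists accept them."""
    if ssl_protocol == "TLSv1":
        return info.framing == "SSLv3/TLS" and info.version >= 0x0301
    return ssl_protocol in ("all", "SSLv2", "SSLv3", "SSLv2+SSLv3")


def build_sslv2_client_hello(version: int, cipher_specs: list) -> bytes:
    """Constructed SSLv2-framed ClientHello advertising `version`
    (0x0300 is what an SSLv2-compatible hello from an SSLv3 client carries)."""
    specs = b"".join(c.to_bytes(3, "big") for c in cipher_specs)
    challenge = bytes(range(16))                         # constructed, not random
    body = bytes([CLIENT_HELLO]) + struct.pack(">HHHH", version, len(specs), 0, len(challenge))
    body += specs + challenge
    return struct.pack(">H", 0x8000 | len(body)) + body


def build_tls_client_hello(version: int, cipher_suites: list) -> bytes:
    """Constructed SSLv3/TLS-framed ClientHello (empty session id, null compression)."""
    suites = b"".join(struct.pack(">H", c) for c in cipher_suites)
    hello = struct.pack(">H", version) + bytes(32) + b"\x00"
    hello += struct.pack(">H", len(suites)) + suites + b"\x01\x00"
    handshake = bytes([CLIENT_HELLO]) + len(hello).to_bytes(3, "big") + hello
    return bytes([HANDSHAKE]) + struct.pack(">HH", version, len(handshake)) + handshake


SSLV2_HELLO = build_sslv2_client_hello(0x0300, [0x000039, 0x000035])  # constructed
TLS1_HELLO = build_tls_client_hello(0x0301, [0x0039, 0x0035])         # constructed

if __name__ == "__main__":
    for name, data in (("SSLv2-framed", SSLV2_HELLO), ("TLS-framed", TLS1_HELLO)):
        info = parse_client_hello(data)
        print(name, info.framing, VERSION_NAMES.get(info.version, hex(info.version)),
              "ciphers=%d" % info.cipher_count,
              "s3_pkt.c check:", "ok" if ssl3_record_version_ok(data) else "WRONG_VERSION_NUMBER",
              "accepted with SSLProtocol=TLSv1:", accepted_under(info, "TLSv1"))
```

Run against a packet capture of the failing connection, the first record from the client tells you which framing and which advertised version the server actually saw; that, rather than the debug line's wording, is what decides whether a TLSv1-only connector will drop it.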
________________________________
From: users-return-229208-STEVEN.J.ADAMUS=saic.com@tomcat.apache.org on behalf of Kobe
Sent: Tue 11/8/2011 10:20 PM
To: users@tomcat.apache.org
Subject: Re: SSL connect to APR fails - "bad version"
Thank you Chris. I know the server (APR) is sending SSLv2 ClientHello because
SSL debugs show it:

// from ${CATALINA_HOME}/bin/setenv.sh:
export JAVA_OPTS="... -Djavax.net.debug=ssl"
//...
# sh ${CATALINA_HOME}/bin/startup.sh

// from client
$ openssl s_client -connect server.xxx.net:443 -debug -ssl3

// from ${CATALINA_HOME}/logs/catalina.out
...
sending SSLv2 ClientHello <<---- server issues only SSLv2 ClientHello

But the same openssl version (FIPS) connects with SSLv3 on another machine,
so I am thinking there is an openssl misconfig on this server.
Many thanks.
/Kobe
Christopher Schultz-2 wrote:
>
> Kobe,
>
> On 11/8/11 2:01 PM, Kobe wrote:
>> Thanks for your help. Here is more info on my setup: Tomcat version
>> 6.0.29. And Tomcat is starting clean; no errors while loading.
>>
>> If I use tls1, I get the same error as before ("bad version").
>>
>> When I test with openssl s_client, I check line 293 of s3_pkt.c. It
>> says -->
>>
>> if ((version>>8) != SSL3_VERSION_MAJOR) {
>>     SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_WRONG_VERSION_NUMBER);
>>     goto err;
>> }
>>
>> So the client is wanting SSL version 3. But I have the same error with
>> a browser. I do not/cannot find what version the browser wants - I think
>> it is 3.
>
> Your web browser likely has SSL 2.0 disabled entirely. You should
> check which types of SSL/TLS are enabled.
>
>> So I am thinking there is a misconfiguration on this server. I would
>> like to find why this server responds with SSLv2 ClientHello instead
>> of SSLv3 ClientHello.
>
> Why do you think you are getting an SSLv2 reply?
>
>> How do I find this misconfiguration?
>
> Are you using the same version of openssl as the "client" as you are
> using within Tomcat? I wonder if the FIPS mode is tripping you up.
>
> -chris
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
--
View this message in context: http://old.nabble.com/SSL-connect-to-APR-fails---%22bad-version%22-tp32788669p32808893.html
Sent from the Tomcat - User mailing list archive at Nabble.com.