Subject: RE: SSL connect to APR fails - "bad version"
From: "Adamus, Steven J."
To: "Tomcat Users List"
Date: Tue, 8 Nov 2011 23:05:44 -0800

Hi Kobe,

I can see why it looks like the server is sending the message, but I think there's some reference that's being missed. The SSL debug should show Client messages and Server messages.

One thing that's certain: the SSLv2 ClientHello is a client message sent by the client. This message is never sent by the server.

On a separate note, the APR is very strict about enforcing TLSv1. When it's configured for TLSv1, it immediately terminates the connection if it receives any SSLv2 ClientHello or SSLv3 ClientHello. If you have a server with an active APR that's accepting the SSLv2 (or SSLv3) ClientHello, then the value of SSLProtocol is "all" (default), "SSLv2", "SSLv3", or "SSLv2+SSLv3".

Regards,
Steve

________________________________
From: users-return-229208-STEVEN.J.ADAMUS=saic.com@tomcat.apache.org on behalf of Kobe
Sent: Tue 11/8/2011 10:20 PM
To: users@tomcat.apache.org
Subject: Re: SSL connect to APR fails - "bad version"

Thank you, Chris. I know the server (APR) is sending SSLv2 ClientHello because the SSL debug output shows it:

// from ${CATALINA_HOME}/bin/setenv.sh:
export JAVA_OPTS="... -Djavax.net.debug=ssl"
//...
# sh ${CATALINA_HOME}/bin/startup.sh

// from client
$ openssl s_client -connect server.xxx.net:443 -debug -ssl3

// from ${CATALINA_HOME}/logs/catalina.out
...
sending SSLv2 ClientHello    <<---- server issues only SSLv2 ClientHello

But the same openssl version (FIPS) connects with SSLv3 on another machine, so I am thinking there is an openssl misconfig on this server.

Many thanks.
/Kobe

Christopher Schultz-2 wrote:
>
> Kobe,
>
> On 11/8/11 2:01 PM, Kobe wrote:
>> Thanks for your help. Here is more info on my setup: Tomcat version
>> 6.0.29. And Tomcat is starting clean; no errors while loading.
>>
>> If I use tls1, I get the same error as before ("bad version").
>>
>> When I test with openssl s_client, I check line 293 of s3_pkt.c. It
>> says -->
>>
>>     if ((version>>8) != SSL3_VERSION_MAJOR) {
>>         SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_WRONG_VERSION_NUMBER);
>>         goto err;
>>     }
>>
>> So the client is wanting SSL version 3. But I have the same error with
>> the browser. I do not/cannot find what version the browser wants - I think
>> it is 3.
>
> Your web browser likely has SSL 2.0 disabled entirely. You should
> check which types of SSL/TLS are enabled.
>
>> So I am thinking there is a misconfiguration on this server. I would
>> like to find why this server responds with SSLv2 ClientHello instead
>> of SSLv3 ClientHello.
>
> Why do you think you are getting an SSLv2 reply?
>
>> How do I find this misconfiguration?
>
> Are you using the same version of openssl as the "client" as you are
> using within Tomcat? I wonder if the FIPS mode is tripping you up.
>
> -chris
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>

--
View this message in context: http://old.nabble.com/SSL-connect-to-APR-fails---%22bad-version%22-tp32788669p32808893.html
Sent from the Tomcat - User mailing list archive at Nabble.com.
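As an added illustration, not part of this thread and not code from Tomcat, APR or OpenSSL: a small Python parser that classifies the first bytes a client sends, telling an SSLv2-format ClientHello (two-byte header with the high bit set) apart from an SSLv3/TLS record-layer ClientHello, reporting the version the client asks for, and applying the same major-version test that Kobe quotes from s3_pkt.c. This is the kind of check a defender can run over a captured handshake to settle which side sent which hello before touching SSLProtocol. The three sample hellos are constructed, and accepted_by_strict_tlsv1() is a simplified model of the TLSv1-only behaviour Steve describes, an assumption for the example rather than APR's own logic.

```python
"""Classify the first bytes of an SSL/TLS handshake (constructed example).

Distinguishes an SSLv2-format ClientHello from an SSLv3/TLS record-layer
ClientHello, reports the version the client asks for, and applies the
major-version test quoted from OpenSSL's s3_pkt.c. accepted_by_strict_tlsv1()
is a simplified model of the TLSv1-only behaviour described in the thread,
not APR's own code.
"""

SSL3_VERSION_MAJOR = 0x03        # SSLv3 and every TLS version share major byte 3
CONTENT_TYPE_HANDSHAKE = 0x16
HANDSHAKE_CLIENT_HELLO = 0x01
SSL2_MT_CLIENT_HELLO = 0x01
TLS1_VERSION = 0x0301

VERSION_NAMES = {0x0002: "SSLv2", 0x0300: "SSLv3", 0x0301: "TLSv1",
                 0x0302: "TLSv1.1", 0x0303: "TLSv1.2"}


def version_name(code: int) -> str:
    return VERSION_NAMES.get(code, "0x%04x" % code)


def wrong_version_number(version: int) -> bool:
    """The check quoted from s3_pkt.c: a record whose version major byte is
    not 3 is rejected with SSL_R_WRONG_VERSION_NUMBER ("bad version")."""
    return (version >> 8) != SSL3_VERSION_MAJOR


def classify_client_hello(data: bytes) -> dict:
    """Parse just enough of a ClientHello to say which format and version it is."""
    if len(data) >= 5 and data[0] & 0x80:
        # SSLv2 record header: [0x80 | len_hi][len_lo][msg_type][ver_hi][ver_lo]
        record_len = ((data[0] & 0x7F) << 8) | data[1]
        if data[2] != SSL2_MT_CLIENT_HELLO:
            raise ValueError("SSLv2 record is not a CLIENT-HELLO")
        client_version = (data[3] << 8) | data[4]
        return {"format": "SSLv2 ClientHello",
                "client_version": client_version,
                "client_version_name": version_name(client_version),
                "record_length": record_len,
                "record_version": None}     # v2 format has no SSLv3 record layer
    if len(data) < 11 or data[0] != CONTENT_TYPE_HANDSHAKE:
        raise ValueError("not an SSLv3/TLS handshake record")
    # Record layer [type][ver x2][len x2], handshake header [type][len x3],
    # then the ClientHello body starts with client_version.
    record_version = (data[1] << 8) | data[2]
    record_len = (data[3] << 8) | data[4]
    if data[5] != HANDSHAKE_CLIENT_HELLO:
        raise ValueError("handshake message is not a ClientHello")
    client_version = (data[9] << 8) | data[10]
    return {"format": "SSLv3/TLS ClientHello",
            "client_version": client_version,
            "client_version_name": version_name(client_version),
            "record_length": record_len,
            "record_version": record_version}


def accepted_by_strict_tlsv1(info: dict) -> bool:
    """Assumed model of SSLProtocol="TLSv1" as described in the thread:
    any SSLv2-format hello, or any hello asking for SSLv3 or lower, is dropped."""
    return info["record_version"] is not None and info["client_version"] >= TLS1_VERSION


# --- constructed sample hellos (not captured from the poster's server) ---
# SSLv2-format CLIENT-HELLO asking for SSLv2: 7 cipher specs, 16-byte challenge.
SSLV2_HELLO = bytes.fromhex(
    "802e" "01" "0002" "0015" "0000" "0010"
    "010080" "020080" "030080" "040080" "050080" "060040" "0700c0"
    "00112233445566778899aabbccddeeff")
# SSLv3 record-layer ClientHello: 32-byte random, no session id, 2 suites, null compression.
SSLV3_HELLO = bytes.fromhex(
    "16" "0300" "002f" "01" "00002b" "0300" + "aa" * 32
    + "00" "0004" "000a" "002f" "01" "00")
# Same shape, but record version and client_version are TLS 1.0.
TLSV1_HELLO = bytes.fromhex(
    "16" "0301" "002f" "01" "00002b" "0301" + "bb" * 32
    + "00" "0004" "000a" "002f" "01" "00")


def describe(data: bytes) -> str:
    """One-line verdict for a captured hello."""
    info = classify_client_hello(data)
    verdict = "accepted" if accepted_by_strict_tlsv1(info) else "terminated"
    line = "%s asking for %s: a TLSv1-only APR would have %s the connection" % (
        info["format"], info["client_version_name"], verdict)
    if info["record_version"] is not None and wrong_version_number(info["record_version"]):
        line += " (record version would also trip the s3_pkt.c check)"
    return line


if __name__ == "__main__":
    for hello in (SSLV2_HELLO, SSLV3_HELLO, TLSV1_HELLO):
        print(describe(hello))
```

Feed it the first bytes of each direction from a packet capture of the failing connection: the SSLv2-format hello can only appear in the client-to-server direction, which is the point Steve makes above, and the verdict line shows whether a TLSv1-only connector would have dropped it.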