tomcat-users mailing list archives

From Konstantin Kolinko <>
Subject Re: Problems w/ TLS (record-splitting)
Date Tue, 10 Apr 2012 22:37:06 GMT
2012/4/10 Gregor S. <>:
> Hi guys,
> I know, it's actually not a Tomcat-problem, but I was wondering if one
> of those gurus hanging around in this mailing-list could give me a hint
> on how to handle this problem.
> As some of you might be aware, Firefox (from version 9.x on) cannot
> handle TLS-records which are served from a server if they are split
> into multiple parts.
> This behaviour is documented here:
> Since some of our clients are using Firefox, I just can't lean back
> and tell them "well, that's a Firefox-bug, get a decent browser" -
> unfortunately.
> We are using Apache Tomcat 6.0.24 on Scientific Linux release 6.2
> (Carbon), Tomcat is running as a daemon via jsvc, and Tomcat is using
> the Apache Portable Runtime (APR).
> I went through all docs I could find on the net, hoping there was
> some screw I could turn to switch off TLS record splitting on the
> server side, but I couldn't find anything.
> Our scenario is as follows:
> - SSL connection
> - user is prompted for ID / password via FormLogin (j_security_check)
> And then we get the message
> "The connection was reset"
> "The connection to the server was reset while the page was loading."
> Do any of you guys have an idea if there is any Tomcat
> configuration-parameter I could try to overcome this behaviour?
> IE and Chrome (both, all versions) are working like a charm.

1. Reading [1], especially Comment 7, it does not look like a browser problem.

It says it is because the browser is not sending all data in one big
packet, but is sending some small portion first. Am I missing

2. Comment 37 shows some web application coding patterns that lead to
observing this error.

Does this happen with some specific web application / some specific
pages? (So there is some specific error there), or "standard"
applications fail as well?

3. I think you should consider updating to a more recent version of
Tomcat 6, as well as of Tomcat-Native and OpenSSL (and maybe APR as


BTW, that issue [1] and ms12-006 referenced in it [2] discuss TLS 1.1 and 1.2.


Best regards,
Konstantin Kolinko
