tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Ognjen Blagojevic <ognjen.d.blagoje...@gmail.com>
Subject [OT] Tomcat upgrade 7.0.35 -> 7.0.37, SSL/TLS handshake failure
Date Wed, 20 Feb 2013 23:19:19 GMT
Hi,

I just wanted to report a problem with JSSE TLS/SSL handshake that 
became obvious only after I upgraded Tomcat from 7.0.35 to 7.0.37.

Server: Tomcat 7.0.37, BIO Connector, Oracle JDK 1.7.0_xx (e.g. _09)
Client: Java TLS/SSL client, e.g. [1], Oracle JDK 1.6.0_xx (e.g. _35)

Exception is:

   javax.net.ssl.SSLHandshakeException: Received fatal alert: 
handshake_failure

Full stack trace is available at the end of the message.

The reason for this seems to be removal of SSLv2Hello pseudo protocol 
from list of active protocols in Java 7 [2]. Therefore, Java 6 (client) 
will try to connect using SSLv2Hello, but the server won't be able to 
respond, as the Oracle documents partly describe [3]:

   "If SSLv2Hello is disabled on the server, then all incoming messages 
must conform to the SSLv3/TLSv1 client hello format."

The solution for the problem is either:

   (1) Disable SSLv2Hello on Java 6 client (e.g. 
-Dhttps.protocols="TLSv1,SSLv3") or
   (2) Enable SSLv2Hello on Java 7 server (e.g. add 
sslEnabledProtocols="TLSv1,SSLv3,SSLv2Hello" to JSSE connector 
configuration in server.xml).

(Not both!)

Now, I don't think it has anything to do with Tomcat, but I believe that 
other people who upgrade to 7.0.37 may stumble upon the same issue, if 
they use Oracle JDK 7 on the server and Oracle JDK 6 on the Java client. 
There is useful post on Stackoverflow [4].

Why is TLS/SSL handshake successful with Tomcat 7.0.35, and not with 
7.0.37? I don't know. Maybe it is related to bug 54406 [5].

-Ognjen



[1] http://www.mkyong.com/java/java-https-client-httpsurlconnection-example/
[2] 
http://docs.oracle.com/javase/7/docs/technotes/guides/security/enhancements-7.html
[3] 
http://docs.oracle.com/javase/7/docs/technotes/guides/security/StandardNames.html#jssenames
[4] 
http://stackoverflow.com/questions/2159586/jsse-handshake-failure-on-public-https-web-site
[5] https://issues.apache.org/bugzilla/show_bug.cgi?id=54406

Full stack trace
Caused by: javax.net.ssl.SSLHandshakeException: Received fatal alert: 
handshake_failure
	at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)
	at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:136)
	at 
com.sun.net.ssl.internal.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:1720)
	at 
com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:954)
	at 
com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1138)
	at 
com.sun.net.ssl.internal.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:632)
	at 
com.sun.net.ssl.internal.ssl.AppOutputStream.write(AppOutputStream.java:59)
	at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:65)
	at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:123)
	at 
org.apache.commons.httpclient.ChunkedOutputStream.flush(ChunkedOutputStream.java:191)
	at 
org.apache.axis2.transport.http.AxisRequestEntity.writeRequest(AxisRequestEntity.java:94)
	... 20 more

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message