tomcat-users mailing list archives

From Ognjen Blagojevic <ognjen.d.blagoje...@gmail.com>
Subject Re: Issue while using SSL with Embedded Tomcat 6.0.37
Date Thu, 10 Oct 2013 08:11:48 GMT
Chirag,

On 10.10.2013 6:19, Chirag Dewan wrote:
> A small update. The customer's client is a C++ client, which uses OpenSSL. And I found that
> the client hello message is SSLv2 protocol. And the server response (server hello) is a TLSv1 protocol.
> Is there something I am missing?

There is a difference between the SSLv2 protocol and the SSLv2Hello 
pseudo-protocol. SSLv2 is basically broken (although a lot of badly 
configured servers still support it).

The SSLv3 and TLS protocol specifications allow the handshake to happen 
in SSLv2 format and then immediately switch to SSLv3 or TLS. This is 
also known as the SSLv2Hello pseudo-protocol. It is done for 
compatibility reasons, and it is considered relatively safe. It is what 
you are observing, and it is perfectly normal.

In Tomcat you may specify which exact protocols to use by setting the 
"sslEnabledProtocols" attribute on the HTTP connector (Tomcat 7/8 and 
Tomcat 6.0.38+), or the undocumented "protocols" attribute (versions 
prior to 6.0.38). Those attributes may take one or more of the following 
values: SSLv2, SSLv3, TLSv1, TLSv1.1, TLSv1.2, SSLv2Hello. Of course, it 
is recommended not to use "SSLv2", but you may use "SSLv2Hello" (among 
others) to ensure compatibility.

Note that the aforementioned attributes are somehow related to the 
attribute "sslProtocol", which by itself selects a group of enabled 
protocols.

-Ognjen

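Added example, not configuration from this thread or from the Tomcat project: the connector settings Ognjen describes, written as server.xml <Connector> elements, with the weak setting (SSLv2 enabled) beside the corrected one and the equivalent for Tomcat 6.0.37 and earlier. Port, keystore path and password are placeholders.

```xml
<!-- Constructed example; port, keystoreFile and keystorePass are placeholders. -->

<!-- Weak: SSLv2 itself is in the enabled list, so a client can negotiate
     the broken protocol rather than merely sending an SSLv2-format hello. -->
<Connector port="8443" protocol="HTTP/1.1"
           SSLEnabled="true" scheme="https" secure="true"
           keystoreFile="conf/PLACEHOLDER.jks" keystorePass="PLACEHOLDER"
           sslProtocol="TLS"
           sslEnabledProtocols="SSLv2,SSLv3,TLSv1" />

<!-- Corrected (Tomcat 7/8 and 6.0.38+): only TLS versions are enabled.
     SSLv2Hello still accepts the SSLv2-format ClientHello from an
     OpenSSL-based client; the handshake then switches to TLS. -->
<Connector port="8443" protocol="HTTP/1.1"
           SSLEnabled="true" scheme="https" secure="true"
           keystoreFile="conf/PLACEHOLDER.jks" keystorePass="PLACEHOLDER"
           sslProtocol="TLS"
           sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2,SSLv2Hello" />

<!-- Same selection for Tomcat 6.0.37 and earlier, which take the
     undocumented "protocols" attribute instead of "sslEnabledProtocols". -->
<Connector port="8443" protocol="HTTP/1.1"
           SSLEnabled="true" scheme="https" secure="true"
           keystoreFile="conf/PLACEHOLDER.jks" keystorePass="PLACEHOLDER"
           sslProtocol="TLS"
           protocols="TLSv1,TLSv1.1,TLSv1.2,SSLv2Hello" />
```

The sslProtocol value is left at "TLS" in all three, since, as noted above, that attribute only selects the base group of protocols while the enabled-protocols list narrows it.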

