tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: Issue while using SSL with Embedded Tomcat 6.0.37
Date Thu, 10 Oct 2013 17:11:11 GMT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Ognjen,

On 10/10/13 4:11 AM, Ognjen Blagojevic wrote:
> On 10.10.2013 6:19, Chirag Dewan wrote:
>> A small update. The customers client is C++ client,which uses
>> OpenSSL. And I found that client hello message is SSLv2 protocol.
>> And the server response(server hello) is a TLSv1 protocol. Is
>> there something I am missing?
> 
> There is a difference in SSLv2 protocol and SSLv2Hello
> pseudo-protocol. SSLv2 is basically broken (although a lot of badly
> configured servers still support it).

+1

Also, Chirag has the connector supporting only "TLS", so SSLv2 HELLO
should indeally fail entirely.

> SSLv3, and TLS protocol specifications allow that handshake happens
> in SSLv2 format, and then to immediately switch to SSLv3 or TLS.
> This is also known as SSLv2Hello pseudo-protocol. It is done for
> compatibility reasons, and it is considered relatively safe. It is
> what you are observing, and is perfectly normal.

+1

OpenSSL (and others) are capable of making SSLv2 HELLO calls but then
not actually using SSLv2... this is the default in a lot of places
because old clients and servers still use SSLv2 HELLOs. It's a way to
get around the fact that SSLv2 has essentially been eradicated from
the planet but nobody wants connection errors "just in case".

> In Tomcat you may specify which exact protocols to use, by setting 
> "sslEnabledProtocols" attribute on HTTP connector (Tomcat 7/8 and
> Tomcat 6.0.38+), or undocumented "protocols" attribute (versions
> prior to 6.0.38). Those attributes may take one or more of the
> following values: SSLv2, SSLv3, TLSv1, TLSv1.1, TLSv1.2,
> SSLv2Hello. Of course, it is recommended not to use "SSLv2", but
> you may use "SSLv2Hello" (among others), to ensure compatibility.

If you really only want to use TLS but support SSLv2 HELLOs, it's not
entirely clear to me what setting you want here (sslEnabledProtocols),
with sslProtocol, etc. I suspect what you want is this:

sslProtocol="TLS" sslEnabledProtocols="TLS, SSLv2Hello"

Chirag, give that a try and see if your problems are solved.

- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (Darwin)
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIcBAEBCAAGBQJSVt+uAAoJEBzwKT+lPKRYHDgP/jjgBDAQQ2/cd6qtDVCGLC5+
/KWHpdj22KkIkkAjV05iyM+aHwU4pLfPHW0GT5j5UD8cXq4pFQdDO+nifTaZvkc3
2PgiglRum5TfEX4aldXZ7TY7Ld3XwuajqNIPd1kOoEJwqMXRmb6EWR79DPbuKy5X
ok7pYYqrmpqe0UTrLM52SIBg+3eygkfFyY0I/m6/xdxdgsOrHjNF1k1P5A8geCNL
p5rSU8PR0b9imKA4vBov4Vc6rdysEEPIZxGmiZIuY8hS1WF+k6VLiggcegXfiieV
btoybYEsCOpCeatx5Z49byBW3aZeKoqIRc0G+hW+hMpPn4UP4DLlhlVbdG1K5kRR
boKu62S+QwWz8fKF8gEtH5AK1A5Y9bhLjd6UrTV1c9MWpP+tjxiqNby+X6DAGUhZ
uQkBJGymL3S4zIACLROyowyIB70hlDZHeflXqBlzg/TeiFE+U+h8ySSz35V2JcbF
Drk7UkeHzhVSGl9mNG5tgHrT8UziXD4kucPVLIbTU2bCvyDkc2eb5uQca+tV42zH
1tcRVAnA4ULzIyzspq0SHwdVNCHZeuwLL9TbLI268PwJtjUgSeCxOhMiWFysBahK
PnwyeliIzxJHQzO6d8zOlAsF3l1cJ7iwIJKbQiFgr95e7RPd3g86ZHtNoTCQWDsR
NHnhGB6C9UuNR5RqASsm
=EpYT
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message