tomcat-users mailing list archives

From Ognjen Blagojevic <ognjen.d.blagoje...@gmail.com>
Subject Re: Issue while using SSL with Embedded Tomcat 6.0.37
Date Thu, 10 Oct 2013 21:23:48 GMT
Chris,

On 10.10.2013 19:11, Christopher Schultz wrote:
> Also, Chirag has the connector supporting only "TLS", so SSLv2 HELLO
> should ideally fail entirely.

Setting attribute sslProtocol="TLS" may actually enable all protocols 
from SSLv3 to TLSv1.2, plus SSLv2Hello. Even setting something like 
sslProtocol="TLSv1.1" would enable the same group of protocols. The Tomcat 
docs clearly warn about that behavior (HTTP connector):

"sslProtocol - The SSL protocol(s) to use (a single value may enable 
multiple protocols - see the JVM documentation for details)."


> If you really only want to use TLS but support SSLv2 HELLOs, it's not
> entirely clear to me what setting you want here (sslEnabledProtocols),
> with sslProtocol, etc. I suspect what you want is this:
>
> sslProtocol="TLS" sslEnabledProtocols="TLS, SSLv2Hello"
>
> Chirag, give that a try and see if your problems are solved.

That is not a valid configuration. TLS is not a legal value for the attribute 
sslEnabledProtocols, and it will be ignored. SSLv2Hello is not legal 
without any other secure protocol, so JSSE will throw an exception. 
Something like

   sslProtocol="TLS"
   sslEnabledProtocols="SSLv2Hello,TLSv1,TLSv1.1,TLSv1.2"

would be a valid config for what you propose.

It would also help to track down the cause of the problem if Chirag 
sends handshake logs of a failing and a successful handshake.

Also, a bit of brainstorming now: could this whole thing be an IP 
protocol issue? I've seen similar behavior before, albeit not in the context 
of an SSL handshake: the client tries to connect using an IPv6 address, but 
the firewall doesn't allow it, so the client falls back to IPv4 and successfully 
connects.

-Ognjen

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
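The three configuration pitfalls Ognjen points out (a bare sslProtocol value that lets JSSE enable SSLv3 through TLSv1.2 plus SSLv2Hello, "TLS" being silently ignored inside sslEnabledProtocols, and SSLv2Hello with no real protocol beside it causing a JSSE exception) are easy to check mechanically before a restart. The script below is an added example, not code from this thread or from Tomcat; it lints the HTTPS Connector elements of a Tomcat 6 server.xml. The server.xml is constructed inline and carries Chris's suggested attributes on port 8444 and Ognjen's corrected ones on port 8445; the port numbers and keystore path are made up for the example.

```python
"""Lint HTTPS <Connector> elements in a Tomcat server.xml for the JSSE
protocol pitfalls discussed in the thread (added example, not Tomcat code)."""
import xml.etree.ElementTree as ET

# Real protocol names JSSE accepts in sslEnabledProtocols.  SSLv2Hello is a
# pseudo-protocol: it only allows an SSLv2-format ClientHello and cannot be
# the sole entry.
REAL_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"}
PSEUDO_PROTOCOLS = {"SSLv2Hello"}


def lint_connector(attrs):
    """Return a list of findings for one <Connector>'s attribute dict."""
    findings = []
    is_tls = (attrs.get("SSLEnabled", "false").lower() == "true"
              or attrs.get("scheme") == "https")
    if not is_tls:
        return findings          # plain HTTP connector, nothing to check

    ssl_protocol = attrs.get("sslProtocol", "TLS")
    enabled_raw = attrs.get("sslEnabledProtocols")
    if enabled_raw is None:
        # A single sslProtocol value (even "TLSv1.1") may enable SSLv3..TLSv1.2
        # plus SSLv2Hello; the admin has not pinned the set explicitly.
        findings.append(
            'sslProtocol="%s" without sslEnabledProtocols: JSSE may enable '
            'SSLv3 through TLSv1.2 plus SSLv2Hello; list the protocols '
            'explicitly' % ssl_protocol)
        return findings

    enabled = [p.strip() for p in enabled_raw.split(",") if p.strip()]
    for p in enabled:
        if p not in REAL_PROTOCOLS | PSEUDO_PROTOCOLS:
            # e.g. "TLS": not a protocol name, silently dropped by JSSE
            findings.append('"%s" is not a legal sslEnabledProtocols value '
                            'and will be ignored' % p)

    real = [p for p in enabled if p in REAL_PROTOCOLS]
    if not real:
        findings.append('no real protocol left after ignoring bad values '
                        '(SSLv2Hello alone is not legal): JSSE will throw '
                        'at startup')
    if "SSLv3" in real:
        findings.append('SSLv3 is explicitly enabled')
    return findings


def lint_server_xml(xml_text):
    """Map 'port N' -> findings for every Connector that has any."""
    root = ET.fromstring(xml_text)
    results = {}
    for conn in root.iter("Connector"):
        findings = lint_connector(conn.attrib)
        if findings:
            results["port %s" % conn.get("port")] = findings
    return results


# Constructed server.xml for the example; ports and keystore path are made up.
SAMPLE_SERVER_XML = """
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" />
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               scheme="https" secure="true" keystoreFile="conf/example.jks"
               sslProtocol="TLS" />
    <Connector port="8444" protocol="HTTP/1.1" SSLEnabled="true"
               scheme="https" secure="true" keystoreFile="conf/example.jks"
               sslProtocol="TLS" sslEnabledProtocols="TLS, SSLv2Hello" />
    <Connector port="8445" protocol="HTTP/1.1" SSLEnabled="true"
               scheme="https" secure="true" keystoreFile="conf/example.jks"
               sslProtocol="TLS"
               sslEnabledProtocols="SSLv2Hello,TLSv1,TLSv1.1,TLSv1.2" />
  </Service>
</Server>
"""

if __name__ == "__main__":
    for port, findings in sorted(lint_server_xml(SAMPLE_SERVER_XML).items()):
        for f in findings:
            print("%s: %s" % (port, f))
```

Run it against a real server.xml by passing the file contents to lint_server_xml; only the 8443 and 8444 connectors produce findings, while the 8445 connector (Ognjen's explicit list) is clean. Whether SSLv3 should also be rejected outright is a policy decision for the deployment; the script only reports it.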