tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: Issue while using SSL with Embedded Tomcat 6.0.37
Date Fri, 11 Oct 2013 16:02:00 GMT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Ognjen,

On 10/10/13 5:23 PM, Ognjen Blagojevic wrote:
> Chris,
> 
> On 10.10.2013 19:11, Christopher Schultz wrote:
>> Also, Chirag has the connector supporting only "TLS", so SSLv2
>> HELLO should indeally fail entirely.
> 
> Setting attribute sslProtocol="TLS" may actually enable all
> protocols from SSLv3 to TLSv1.2, plus SSLv2Hello. Even setting
> something like sslProtocol="TLSv1.1" would enable the same group of
> protocols. Tomcat docs clearly warns about that behavior (HTTP
> connector):
> 
> "sslProtocol - The the SSL protocol(s) to use (a single value may
> enable multiple protocols - see the JVM documentation for
> details)."
> 
> 
>> If you really only want to use TLS but support SSLv2 HELLOs, it's
>> not entirely clear to me what setting you want here
>> (sslEnabledProtocols), with sslProtocol, etc. I suspect what you
>> want is this:
>> 
>> sslProtocol="TLS" sslEnabledProtocols="TLS, SSLv2Hello"
>> 
>> Chirag, give that a try and see if your problems are solved.
> 
> That is not valid configuration. TLS is not legal value for
> attribute sslEnabledProtocols, and it will be ignored. SSLv2Hello
> is not legal without any other secure protocol so JSSE will throw
> an exception. Something like
> 
> sslProtocol="TLS" 
> sslEnabledProtocols="SSLv2Hello,TLSv1,TLSv1.1,TLSv1.2"
> 
> would be valid config for what you propose.

Thanks for clearing that up. I've never used JSSE for SSL so I haven't
been through the ringer.

> It would also help to track down the cause of the problem, if
> Chirag sends handshake logs of failing and successful handshake.
> 
> Also, a bit of a brainstorming now: could this whole thing be IP 
> protocol issue? I've seen similar behavior before, albeit not in
> context of SSL handshake: client tries to connect using IPv6
> address, but firewall doesn't allow it, so client falls back to
> IPv4 and successfully connects.

I would expect that to happen during a single run of the client. Plus,
Chirag indicated that he can see the connection occur, then fail. So
it's not a firewall, IPv4/6 issue.

- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (Darwin)
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIcBAEBCAAGBQJSWCD1AAoJEBzwKT+lPKRYvg0QAMMP8pQKsa+3T6U6stUYYviB
rOn4yBMaiCheHJJKxyRHeC0xwdbV2rahwG05UBKpm9RgufXmMWXBzS1ZQquFlLD/
wrqIF/gZvnxmno4w7xamq/nfxdnsj92iKlgxCIJSY9BPM9kaZBTC3tS0cKn3PBRT
+Cdnrsj8vhRZhqNCZA10Zn45RGtm5jzZY6U0P1K/9YW9qUDe+2GKiBBU+swoKGXy
sHaIC8cnHkxHW+W/sr1B7pr4md5s8IeYRIPMbAgJTRW92XZhIUd9BCMUsVgGqGtc
/cCpDsVNVfRhYrbLvIqyIISZClxZK7eA1dQwkZpWhMOFGqriibsni9TypB5Gnt/U
VS+SziZzIWGmLndrnIeHVhNPTVHQtgqw2MGUQNR1yjAIDJfWwvOc7AkDB1/BjwPc
j15m5pOwEnnA25P7tkjDjJyNrIbTz4RCDmT3A9gk4efLzsBVZ8t9LfObmvDAmAHL
gKo1zgKJJvBAQyi+BwRMPLWvyyTc6SqTcz9RXpR5PtQNMmcypzFpDKGo81WYb/1j
qPYYZyLYK14kk5qdwjgTXkwOcTp2zOy0iGc+binLfAJQvtxTLhQ/S3KSG/1e6LOT
zB52LgTaC1ipbvprxBO4FhVVeuBU/rgnvbrWcN6iNkyAaCBq2zdpffiAdyP8uOnY
6y0vLA1ZKmmZkcAXMXNx
=dgx+
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message