From: Christopher Schultz
Date: Thu, 10 Oct 2013 13:11:11 -0400
To: Tomcat Users List
Subject: Re: Issue while using SSL with Embedded Tomcat 6.0.37
Message-ID: <5256DFAF.5020903@christopherschultz.net>
In-Reply-To: <52566144.6030208@gmail.com>

Ognjen,

On 10/10/13 4:11 AM, Ognjen Blagojevic wrote:
> On 10.10.2013 6:19, Chirag Dewan wrote:
>> A small update. The customer's client is a C++ client, which uses
>> OpenSSL. And I found that the client hello message is SSLv2 protocol.
>> And the server response (server hello) is a TLSv1 protocol. Is
>> there something I am missing?
>
> There is a difference between the SSLv2 protocol and the SSLv2Hello
> pseudo-protocol. SSLv2 is basically broken (although a lot of badly
> configured servers still support it).

+1

Also, Chirag has the connector supporting only "TLS", so SSLv2 HELLO
should ideally fail entirely.

> SSLv3 and TLS protocol specifications allow the handshake to happen
> in SSLv2 format and then immediately switch to SSLv3 or TLS.
> This is also known as the SSLv2Hello pseudo-protocol. It is done for
> compatibility reasons, and it is considered relatively safe. It is
> what you are observing, and is perfectly normal.

+1

OpenSSL (and others) are capable of making SSLv2 HELLO calls but then
not actually using SSLv2... this is the default in a lot of places
because old clients and servers still use SSLv2 HELLOs. It's a way to
get around the fact that SSLv2 has essentially been eradicated from the
planet but nobody wants connection errors "just in case".

> In Tomcat you may specify which exact protocols to use, by setting
> the "sslEnabledProtocols" attribute on the HTTP connector (Tomcat 7/8
> and Tomcat 6.0.38+), or the undocumented "protocols" attribute
> (versions prior to 6.0.38). Those attributes may take one or more of
> the following values: SSLv2, SSLv3, TLSv1, TLSv1.1, TLSv1.2,
> SSLv2Hello. Of course, it is recommended not to use "SSLv2", but
> you may use "SSLv2Hello" (among others), to ensure compatibility.

If you really only want to use TLS but support SSLv2 HELLOs, it's not
entirely clear to me what setting you want here (sslEnabledProtocols),
with sslProtocol, etc. I suspect what you want is this:

  sslProtocol="TLS"
  sslEnabledProtocols="TLS, SSLv2Hello"

Chirag, give that a try and see if your problems are solved.

-chris
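The two ClientHello framings Ognjen describes above can be told apart from the first few bytes on the wire, which is what you would check in a capture before changing the connector. The following Python is an added example, not code from this thread or from Tomcat: it classifies a raw ClientHello as SSLv2-framed (SSLv2Hello) or TLS-framed, reads the protocol the client really requests, and applies a simplified allow-list modelled on sslEnabledProtocols. The accepted() policy and the sample hellos are constructed assumptions, not Tomcat's logic or real captures.

```python
"""Classify a raw ClientHello as SSLv2-framed (the SSLv2Hello pseudo-protocol)
or TLS-framed and report the protocol the client really asks for. Added example,
not from the thread or Tomcat; accepted() is an assumed simplified allow-list."""
from __future__ import annotations

VERSIONS = {(0, 2): "SSLv2", (3, 0): "SSLv3", (3, 1): "TLSv1",
            (3, 2): "TLSv1.1", (3, 3): "TLSv1.2"}

def classify_client_hello(data: bytes) -> dict:
    """Return the record framing and the protocol version the client requests."""
    if len(data) < 5:
        raise ValueError("too short to be a ClientHello")
    if data[0] == 0x16:
        # TLS record: type=handshake(22), record version, 2-byte length, then a
        # Handshake of type=client_hello(1), 3-byte length, client_version.
        if len(data) < 11 or data[5] != 0x01:
            raise ValueError("TLS record does not carry a ClientHello")
        version, framing = (data[9], data[10]), "TLS"
    elif data[0] & 0x80:
        # SSLv2 record: 2-byte header with the high bit set, msg_type=CLIENT-HELLO(1),
        # then the version the client wants; only that field tells real SSLv2 apart.
        if data[2] != 0x01:
            raise ValueError("SSLv2 record is not a CLIENT-HELLO")
        version = (data[3], data[4])
        framing = "SSLv2" if version == (0, 2) else "SSLv2Hello"
    else:
        raise ValueError("unrecognised record header")
    return {"framing": framing, "protocol": VERSIONS.get(version, "unknown")}

def accepted(hello: dict, enabled: set[str]) -> bool:
    """Assumed allow-list: SSLv2 framing needs SSLv2Hello enabled, and the
    requested protocol must itself be enabled (real SSLv2 only if listed)."""
    if hello["framing"] == "SSLv2Hello" and "SSLv2Hello" not in enabled:
        return False
    return hello["protocol"] in enabled

def sslv2_framed_hello(major: int, minor: int) -> bytes:
    """Constructed SSLv2-format CLIENT-HELLO: one cipher spec, 16-byte challenge."""
    body = bytes([0x01, major, minor, 0, 3, 0, 0, 0, 16, 0, 0, 0x2F]) + b"\x11" * 16
    return bytes([0x80 | (len(body) >> 8), len(body) & 0xFF]) + body

# Constructed TLS-framed ClientHello asking for TLSv1.2 (not a real capture).
TLS_HELLO = (b"\x16\x03\x01\x00\x2d" + b"\x01\x00\x00\x29" + b"\x03\x03"
             + b"\x22" * 32 + b"\x00" + b"\x00\x02\x00\x2f" + b"\x01\x00")
TOMCAT_STYLE = {"TLSv1", "TLSv1.1", "TLSv1.2", "SSLv2Hello"}

if __name__ == "__main__":
    for raw in (sslv2_framed_hello(3, 1), sslv2_framed_hello(0, 2), TLS_HELLO):
        hello = classify_client_hello(raw)
        print(hello, "accepted" if accepted(hello, TOMCAT_STYLE) else "rejected")
```

With SSLv2Hello in the enabled set, the SSLv2-framed hello that asks for TLSv1 is accepted while a genuine SSLv2 hello is still rejected, which is the distinction the thread draws.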