tomcat-users mailing list archives

From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: Tomcat 7 with APR connector: connection fails when client uses SSLv2Hello
Date Thu, 11 Dec 2014 22:02:11 GMT

Tadeusz,

On 12/11/14 2:15 PM, Sacilowski, Tadeusz wrote:
> I'm in the process of upgrading our Tomcat servers to Tomcat 7
> (7.0.57). I'm also trying to use the APR connector (TC-Native
> 1.1.32) for SSL. The servers sit behind an F5 load balancer (LTM
> 10.2.1) that uses an HTTP health monitor to mark nodes up/down.
> 
> Prior to updating to the APR connector, I was using NIO, with
> SSLv3 disabled, and the health monitor worked properly:
> 
> sslProtocol="TLS"
> sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1,SSLv2Hello"
> 
> The SSLv2Hello is necessary, as the F5 health monitor uses this and
> there's apparently no way to force TLS with the version that we're
> on (when I don't explicitly include it, the health monitor fails).
> There are also possibly some legacy applications that would be
> using the pseudo-protocol as well.
> 
> When trying to use the APR connector (with SSLv3 being disabled),
> the health monitor fails to connect. Some troubleshooting with
> OpenSSL (0.9.8x) indicated that I need to force a connection with
> "-tls1" in order for it to connect (see my post at stackoverflow:
> http://stackoverflow.com/questions/27410851/openssl-s-client-cant-connect-to-tomcat-7-via-apr/27414403#27414403).
> 
> I'm assuming the issue is because SSLv2Hello is disabled with the
> APR connector... is there any way to explicitly enable it, as I do
> in the NIO connector?

What does your APR connector configuration look like? From your SO
post it looks like you have "TLSv1" only. What if you try "all" (the
default)? This will include only TLS protocols when using Tomcat
7.0.57 or later with tcnative 1.1.32 or later (and not SSL) but it
looks like OpenSSL might use SSLv2Hello when there is more than one
protocol supported.

Your other option is to simply re-enable SSLv3 on the Tomcat server
and use your firewall to prevent anyone from connecting except for
your load-balancer (which, presumably, you trust). SSLv3 is only risky
when you don't trust your clients.

- -chris
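The "SSLv2Hello" pseudo-protocol discussed in this thread is not a protocol version but a ClientHello wire format: the client sends its hello in the old SSLv2 record layout while offering a TLS version inside it. The following is an added example, not code from the thread or from Tomcat; it builds such a hello with a constructed challenge and classifies the first bytes a server would read, which is what you would run over a packet capture of the load balancer's health check to confirm which hello format it actually sends.

```python
import os
import struct

# SSLv2-format cipher specs are 3 bytes; a leading 0x00 byte means the last
# two bytes are a TLS cipher suite id (AES-128-CBC-SHA and 3DES-EDE-CBC-SHA here).
TLS_RSA_WITH_AES_128_CBC_SHA = b"\x00\x00\x2f"
TLS_RSA_WITH_3DES_EDE_CBC_SHA = b"\x00\x00\x0a"


def build_sslv2_client_hello(version=(3, 1), cipher_specs=(TLS_RSA_WITH_AES_128_CBC_SHA,), challenge=None):
    """Build a ClientHello in the SSLv2-compatible layout (RFC 5246, appendix E.2).
    `version` is the highest protocol offered, e.g. (3, 1) for TLS 1.0."""
    challenge = challenge if challenge is not None else os.urandom(16)  # constructed in tests
    specs = b"".join(cipher_specs)
    body = (b"\x01"                      # CLIENT-HELLO message type
            + bytes(version)
            + struct.pack(">HHH", len(specs), 0, len(challenge))  # spec, session-id, challenge lengths
            + specs + challenge)
    # 2-byte record header: high bit set, remaining 15 bits carry the body length.
    return struct.pack(">H", 0x8000 | len(body)) + body


def hello_format(data):
    """Classify the first bytes of a connection: 'sslv2hello', 'tls' or 'unknown'."""
    if len(data) >= 3 and data[0] & 0x80 and data[2] == 0x01:
        return "sslv2hello"
    if len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03 and data[5] == 0x01:
        return "tls"  # TLS record (type 22 = handshake) carrying a ClientHello
    return "unknown"


def parse_sslv2_client_hello(data):
    """Return (offered_version, [cipher specs]) from an SSLv2-format ClientHello."""
    if hello_format(data) != "sslv2hello":
        raise ValueError("not an SSLv2-format ClientHello")
    length = struct.unpack(">H", data[:2])[0] & 0x7FFF
    body = data[2:2 + length]
    if len(body) != length:
        raise ValueError("truncated record")
    version = (body[1], body[2])
    spec_len, sid_len, chal_len = struct.unpack(">HHH", body[3:9])
    specs_raw = body[9:9 + spec_len]
    if spec_len % 3 or len(body) != 9 + spec_len + sid_len + chal_len:
        raise ValueError("inconsistent length fields")
    return version, [specs_raw[i:i + 3] for i in range(0, spec_len, 3)]
```

A monitor whose hello classifies as "sslv2hello" needs the server to accept that layout even though only TLS versions are offered inside it, which is exactly the gap between the NIO `sslEnabledProtocols` list above and the APR connector's protocol setting.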


