tomcat-users mailing list archives

From Christopher Schultz <>
Subject Re: Tomcat 7 with APR connector: connection fails when client uses SSLv2Hello
Date Fri, 12 Dec 2014 19:29:25 GMT


On 12/12/14 1:09 PM, Sacilowski, Tadeusz wrote:
> I was using SSLProtocol="TLSv1" explicitly. However, when I
> switched to "all" the health monitor kicked back in. Interestingly
> though, I decided to switch it back to my original APR
> configuration (the one that was giving me issues with the health
> monitor in the first place) and the monitor continued to work. Not
> sure why it's working now but I'm leaving my APR connector with
> SSLProtocol="all" since that's what seemed to resolve my issue.

Assuming that you have OpenSSL 1.0+, you'll want to be able to support
TLSv1, TLSv1.1, and TLSv1.2, though I suppose if it's just for
communication between your load-balancer and your Tomcat nodes, it's
probably not critical that you be able to support the very latest in
TLS protocol.

Good luck,
-chris

> On Thu, Dec 11, 2014 at 5:02 PM, Christopher Schultz wrote:
> Tadeusz,
> On 12/11/14 2:15 PM, Sacilowski, Tadeusz wrote:
>>>> I'm in the process of upgrading our Tomcat servers to Tomcat
>>>> 7 (7.0.57). I'm also trying to use the APR connector
>>>> (TC-Native 1.1.32) for SSL. The servers sit behind an F5 load
>>>> balancer (LTM 10.2.1) that uses an HTTP health monitor to
>>>> mark nodes up/down.
>>>> Prior to updating to the APR connector, I was using NIO,
>>>> with SSLv3 disabled, and the health monitor worked properly:
>>>> sslProtocol="TLS" 
>>>> sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1,SSLv2Hello"
>>>> The SSLv2Hello is necessary, as the F5 health monitor uses
>>>> this and there's apparently no way to force TLS with the
>>>> version that we're on (when I don't explicitly include it,
>>>> the health monitor fails). There are also possibly some
>>>> legacy applications that would be using the pseudo-protocol
>>>> as well.
>>>> When trying to use the APR connector (with SSLv3 being
>>>> disabled), the health monitor fails to connect. Some
>>>> troubleshooting with OpenSSL (0.9.8x) indicated that I need
>>>> to force a connection with "-tls1" in order for it to connect
>>>> (see my post at stackoverflow:
>>>> I'm assuming the issue is because SSLv2Hello is disabled with
>>>> the APR connector... is there any way to explicitly enable
>>>> it, as I do in the NIO connector?
> What does your APR connector configuration look like? From your SO 
> post it looks like you have "TLSv1" only. What if you try "all"
> (the default)? This will include only TLS protocols when using
> Tomcat 7.0.57 or later with tcnative 1.1.32 or later (and not SSL)
> but it looks like OpenSSL might use SSLv2hello when there is more
> than one protocol supported.
> Your other option is to simply re-enable SSLv3 on the Tomcat
> server and use your firewall to prevent anyone from connecting
> except for your load-balancer (which, presumably, you trust). SSLv3
> is only risky when you don't trust your clients.
> -chris
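An added check, not part of the thread, for verifying what an SSLv3-disabled connector actually accepts once it is reconfigured: it uses openssl s_client with forced protocol versions (the same tool the thread used with "-tls1") and compares each result with the expected answer. Host and port are arguments you supply; the expected verdicts assume a TLS-only connector like the one discussed.

```shell
#!/bin/sh
# Probe which protocol versions a Tomcat SSL connector accepts, one forced
# version at a time, and audit the result against a TLS-only expectation.
# Assumptions: openssl s_client is available; target host/port are arguments.

# Classify raw s_client output. A completed handshake reports a real cipher
# name; a rejected one reports "Cipher : 0000" or no session summary at all.
classify_handshake() {
  if printf '%s\n' "$1" | grep -Eq '^ *Cipher *: *[A-Za-z][A-Za-z0-9_-]*'; then
    echo accepted
  else
    echo rejected
  fi
}

# Expected answer from an SSLv3-disabled, TLS-only connector for each flag.
expected_verdict() {
  case "$1" in
    -ssl3) echo rejected ;;
    -tls1|-tls1_1|-tls1_2) echo accepted ;;
    *) echo unknown ;;
  esac
}

# Compare the observed verdict with the expectation: OK or MISMATCH.
audit() {
  if [ "$(expected_verdict "$1")" = "$2" ]; then echo OK; else echo MISMATCH; fi
}

# Connect with one forced protocol version and print the audited result.
probe() {
  host="$1"; port="$2"; flag="$3"
  out=$(printf '' | openssl s_client -connect "$host:$port" "$flag" 2>&1)
  verdict=$(classify_handshake "$out")
  printf '%-8s %-8s %s\n' "$flag" "$verdict" "$(audit "$flag" "$verdict")"
}

# Usage: tls_probe.sh HOST [PORT]   (probes run only when a host is given)
if [ $# -ge 1 ]; then
  for f in -ssl3 -tls1 -tls1_1 -tls1_2; do
    probe "$1" "${2:-8443}" "$f"
  done
fi
```

A MISMATCH on -ssl3 means SSLv3 is still enabled; a MISMATCH on a -tls1* flag means that version is not offered, which is what the F5 monitor ran into with a TLSv1-only connector.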


