tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: Tomcat 7 with APR connector: connection fails when client uses SSLv2Hello
Date Fri, 12 Dec 2014 19:29:25 GMT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Tadeusz,

On 12/12/14 1:09 PM, Sacilowski, Tadeusz wrote:
> I was using SSLProtocol="TLSv1" explicitly. However, when I
> switched to "all" the health monitor kicked back in. Interestingly
> though, I decided to switch it back to my original APR
> configuration (the one that was giving me issues with the health
> monitor in the first place) and the monitor continued to work. Not
> sure why it's working now but I'm leaving my APR connector with
> SSLProtocol="all" since that's what seemed to resolve my issue.

Assuming that you have OpenSSL 1.0+, you'll want to be able to support
TLSv1, TLSv1.1, and TLSv1.2, though I suppose if it's just for
communication between your load-balancer and your Tomcat nodes, it's
probably not critical that you be able to support the very latest in
TLS protocol.

Good luck,
- -chris

> On Thu, Dec 11, 2014 at 5:02 PM, Christopher Schultz < 
> chris@christopherschultz.net> wrote:
> 
> Tadeusz,
> 
> On 12/11/14 2:15 PM, Sacilowski, Tadeusz wrote:
>>>> I'm in the process of upgrading our Tomcat servers to Tomcat
>>>> 7 (7.0.57). I'm also trying to use the APR connector
>>>> (TC-Native 1.1.32) for SSL. The servers sit behind an F5 load
>>>> balancer (LTM 10.2.1) that uses an HTTP health monitor to
>>>> mark nodes up/down.
>>>> 
>>>> Prior to updating to the APR connector, I was using NIO,
>>>> with SSLv3 disabled, and the health monitor worked properly:
>>>> 
>>>> sslProtocol="TLS" 
>>>> sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1,SSLv2Hello"
>>>> 
>>>> The SSLv2Hello is necessary, as the F5 health monitor uses
>>>> this and there's apparently no way to force TLS with the
>>>> version that we're on (when I don't explicitly include it,
>>>> the health monitor fails). There are also possibly some
>>>> legacy applications that would be using the pseudo-protocol
>>>> as well.
>>>> 
>>>> When trying to use the APR connector (with SSLv3 being
>>>> disabled), the health monitor fails to connect. Some
>>>> troubleshooting with OpenSSL (0.9.8x) indicated that I need
>>>> to force a connection with "-tls1" in order for it to connect
>>>> (see my post at stackoverflow:
>>>> 
> http://stackoverflow.com/questions/27410851/openssl-s-client-cant-connect-to-tomcat-7-via-apr/27414403#27414403
>>>>
>>>>
>
> 
).
>>>> 
>>>> I'm assuming the issue is because SSLv2Hello is disabled with
>>>> the APR connector... is there any way to explicitly enable
>>>> is, as I do in the NIO connector?
> 
> What does your APR connector configuration look like? From your SO 
> post it looks like you have "TLSv1" only. What if you try "all"
> (the default)? This will include only TLS protocols when using
> Tomcat 7.0.57 or later with tcnative 1.1.32 or later (and not SSL)
> but it looks like OpenSSL might use SSLv2hello when there is more
> than one protocol supported.
> 
> Your other option is to simply re-enable SSLv3 on the Tomcat
> server and use your firewall to prevent anyone from connecting
> except for your load-balancer (which, presumably, you trust). SSLv3
> is only risky when you don't trust your clients.
> 
> -chris
>> 
>> ---------------------------------------------------------------------
>>
>> 
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>> For additional commands, e-mail: users-help@tomcat.apache.org
>> 
>> 
> 
> 
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
Comment: GPGTools - http://gpgtools.org

iQIcBAEBCAAGBQJUi0IVAAoJEBzwKT+lPKRYw0YP/RT4OS7qTq0W3inkfem8ELyU
XIkUrmSpiK4EbSmEskXXH6I9bJUkj8momfMbsEVBncKPMHD2FT98+Atw/tQfKGtN
QmzDsqgSdcY5L2XaZ5XHRHql3/QliTQRG5ykfc0cdE+YErtGcuehkgcr52cowXTc
hrqnHMJshXP8DPwkJA4HV6FUsO3icL22z+XBvqc8LCnoHNWBH5DIpV62Pn5XlSO3
lyrluagPMcEtWaEUNsc05oNtOYIYSO6Ll8KLjO/QNKty9o0TcP8v1cLaFMakWwS1
+ok8C2huaisHM4byg3o1WU9Qh21kUz/BoNu48l61nv7H4pDfeBDSxkIfglX5co53
QvxTIRpShn0N4S+lxtGfx5qydbsawE8OfyZIgNTeyHWw4Kahi1sy6NqdEwq63sZJ
2tejSyBNR08n9VCkX29zeks/zm+1TPM5KCssRqxyWHqDznRUfySUrB2oKlGVNKnn
FMaqHTJVaY6SwuGB0CiOBECEFT010XggBY7XgJ3Un/98yR/IV0OgsLSz7VYGAKob
wfsPnBNaBXyXlHCumEq1M4MhOv/3M3LVtw+z6PNJ/+dCOW+19PQGddXpHhpPowvL
XwATOrPxRhE+lFrbccteqatDH/rpJomtRT5xHruJnEtXUL2H+ZaHljrWhwk3VryL
kqrm5Onk60QFsAvmg6td
=6SEw
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message