tomcat-users mailing list archives

From "Sacilowski, Tadeusz" <ts2...@tc.columbia.edu>
Subject Tomcat 7 with APR connector: connection fails when client uses SSLv2Hello
Date Thu, 11 Dec 2014 19:15:56 GMT
Hello,

I'm in the process of upgrading our Tomcat servers to Tomcat 7 (7.0.57).
I'm also trying to use the APR connector (TC-Native 1.1.32) for SSL. The
servers sit behind an F5 load balancer (LTM 10.2.1) that uses an HTTP
health monitor to mark nodes up/down.

Prior to updating to the APR connector, I was using NIO, with SSLv3
disabled, and the health monitor worked properly:

sslProtocol="TLS" sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1,SSLv2Hello"

The SSLv2Hello is necessary, as the F5 health monitor uses this and there's
apparently no way to force TLS with the version that we're on (when I don't
explicitly include it, the health monitor fails). There are also possibly
some legacy applications that would be using the pseudo-protocol as well.

When trying to use the APR connector (with SSLv3 being disabled), the
health monitor fails to connect. Some troubleshooting with OpenSSL (0.9.8x)
indicated that I need to force a connection with "-tls1" in order for it to
connect (see my post at stackoverflow:
http://stackoverflow.com/questions/27410851/openssl-s-client-cant-connect-to-tomcat-7-via-apr/27414403#27414403
).

I'm assuming the issue is because SSLv2Hello is disabled with the APR
connector... is there any way to explicitly enable it, as I do in the NIO
connector?

Thank you!

-- 
*Tadeusz Sacilowski*
*Manager, Portal & Mobile Development*
Teachers College, Columbia University
sacilowski@tc.columbia.edu
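The post contrasts the NIO connector's `sslEnabledProtocols` list (where `SSLv2Hello` is a JSSE pseudo-protocol) with the APR connector, whose protocol selection is driven by OpenSSL. The following is an added audit script, not part of the original post or of Tomcat itself, that reads a `server.xml` and reports, per SSL connector, which connector type it is, which protocols it enables, and where SSLv2/SSLv3 could still be negotiated. It assumes the Tomcat 7 attribute names: `sslEnabledProtocols` (comma-separated) for NIO/BIO and `SSLProtocol` (plus-separated, default `all`) for APR; the embedded `server.xml` fragment is constructed for the example.

```python
"""Audit Tomcat 7 server.xml SSL connectors for protocol settings.

Added example, not from the original post. Assumes the Tomcat 7 connector
attributes: NIO/BIO connectors use `sslEnabledProtocols` (comma-separated
JSSE names, including the SSLv2Hello pseudo-protocol); the APR connector
uses `SSLProtocol` (plus-separated OpenSSL names, default "all").
"""
import xml.etree.ElementTree as ET

# Constructed sample server.xml with one NIO and one APR SSL connector.
SAMPLE_SERVER_XML = """<Server>
  <Service name="Catalina">
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" scheme="https" secure="true"
               sslProtocol="TLS"
               sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1,SSLv2Hello"/>
    <Connector port="8444" protocol="org.apache.coyote.http11.Http11AprProtocol"
               SSLEnabled="true" scheme="https" secure="true"
               SSLProtocol="all"
               SSLCertificateFile="/placeholder/path/cert.pem"/>
  </Service>
</Server>
"""


def connector_kind(conn):
    """Classify a <Connector> by its protocol attribute."""
    proto = conn.get("protocol", "HTTP/1.1")
    if "Apr" in proto:
        return "APR"
    if "Nio" in proto:
        return "NIO"
    # Plain "HTTP/1.1" picks APR when the native library is loaded, else BIO.
    return "BIO/auto"


def enabled_protocols(conn, kind):
    """Return the configured protocol list in the attribute style of this connector."""
    if kind == "APR":
        raw = conn.get("SSLProtocol", "all")
        return [p.strip() for p in raw.split("+") if p.strip()]
    raw = conn.get("sslEnabledProtocols", "")
    return [p.strip() for p in raw.split(",") if p.strip()]


def audit(server_xml):
    """Return one finding dict per SSL-enabled connector."""
    root = ET.fromstring(server_xml)
    findings = []
    for conn in root.iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue
        kind = connector_kind(conn)
        protos = enabled_protocols(conn, kind)
        issues = []
        if kind == "APR":
            # With tcnative, "all" leaves SSLv3 negotiable; restrict explicitly.
            if "all" in protos or "SSLv3" in protos or "SSLv2" in protos:
                issues.append("SSLv2/SSLv3 may be negotiated; set "
                              "SSLProtocol=\"TLSv1+TLSv1.1+TLSv1.2\"")
        else:
            if "SSLv3" in protos or "SSLv2" in protos:
                issues.append("SSLv2/SSLv3 enabled in sslEnabledProtocols")
            if "SSLv2Hello" in protos:
                issues.append("SSLv2Hello accepted: needed only for legacy "
                              "clients (e.g. old health monitors); review")
        findings.append({"port": conn.get("port"), "kind": kind,
                         "protocols": protos, "issues": issues})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_SERVER_XML):
        print(f["port"], f["kind"], f["protocols"])
        for issue in f["issues"]:
            print("  -", issue)
```

Run it against a real `server.xml` by replacing `SAMPLE_SERVER_XML` with the file contents; the APR finding is the one to act on first, since `all` is the default when `SSLProtocol` is omitted entirely.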
