tomcat-users mailing list archives

From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: [OT] Tomcat 7.0.55/Jre 7u67: SEND TLSv1 ALERT: fatal, description = bad_record_mac
Date Thu, 15 Oct 2015 02:33:44 GMT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Aurélien,

On 10/14/15 5:59 PM, Aurélien Terrestris wrote:
> Still no solutions, I suppose..
> 
> Did you enable the SSLv2 Hello as suggested by Chris, and what's
> the result ? I tested a small client with Java 8, by adding 
> -Djdk.tls.client.protocols="SSLv2Hello,TLSv1.2" at the command
> line, and I get my SSLv2 Hello.

It looks like if you add SSLv2Hello to the list of protocols you'll
accept, you'll get an SSLv2Hello in there (abridged output):

Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
...
main, WRITE: TLSv1.2 Handshake, length = 221
main, WRITE: SSLv2 client hello message, length = 140
main, READ: TLSv1.2 Handshake, length = 81
main, READ: TLSv1.2 Handshake, length = 2779
main, READ: TLSv1.2 Handshake, length = 589
main, READ: TLSv1.2 Handshake, length = 4
main, WRITE: TLSv1.2 Handshake, length = 70
main, WRITE: TLSv1.2 Change Cipher Spec, length = 1
main, WRITE: TLSv1.2 Handshake, length = 40
main, READ: TLSv1.2 Change Cipher Spec, length = 1
main, READ: TLSv1.2 Handshake, length = 40

You just have to use a custom SSLSocketFactory that sets the protocols
you want to enable on the (client) socket, making sure one of the
protocols you use is "SSLv2Hello".

Oddly enough, when *not* specifying SSLv2Hello, you'll get this
(abridged output):

Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
...
main, WRITE: TLSv1.2 Handshake, length = 221
main, READ: TLSv1.2 Handshake, length = 89
main, READ: TLSv1.2 Handshake, length = 2779
main, READ: TLSv1.2 Handshake, length = 589
main, READ: TLSv1.2 Handshake, length = 4
main, WRITE: TLSv1.2 Handshake, length = 70
main, WRITE: TLSv1.2 Change Cipher Spec, length = 1
main, WRITE: TLSv1.2 Handshake, length = 40
main, READ: TLSv1.2 Change Cipher Spec, length = 1
main, READ: TLSv1.2 Handshake, length = 40

When the SSLv2Hello "protocol" isn't enabled, you don't get the "main,
WRITE: SSLv2 client hello message" line between the "main, WRITE" and
"main, READ" lines.

Note that I'm not trying anything with a client certificate, here. I
hope that helps somewhat.

- -chris
