tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From George Stanchev <Gstanc...@serena.com>
Subject RE: [OT] Tomcat 7.0.55/Jre 7u67: SEND TLSv1 ALERT: fatal, description = bad_record_mac
Date Thu, 15 Oct 2015 17:24:15 GMT
Aurélien,

I added good_run.pcap and bad_run.pcap to that dropbox location [1]. 

I also think this needs to be looked at by MS engineers. I am following up on my support case
but really not getting anywhere...

George

[1] https://www.dropbox.com/sh/az1r3agxx4w8r7e/AACRGedBG3G5oh4-qE9652WNa?dl=0
-----Original Message-----
From: Aurélien Terrestris [mailto:aterrestris@gmail.com] 
Sent: Thursday, October 15, 2015 7:43 AM
To: Tomcat Users List
Subject: Re: [OT] Tomcat 7.0.55/Jre 7u67: SEND TLSv1 ALERT: fatal, description = bad_record_mac

George,

I'm not sure we can find any solution, but can we have a look at a pcap capture ?
Esmond Pitt was posting sometimes, that would be a challenge for him.

2015-10-15 4:33 GMT+02:00 Christopher Schultz <chris@christopherschultz.net>
:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> Aurélien,
>
> On 10/14/15 5:59 PM, Aurélien Terrestris wrote:
> > Still no solutions, I suppose..
> >
> > Did you enable the SSLv2 Hello as suggested by Chris, and what's the 
> > result ? I tested a small client with Java 8, by adding 
> > -Djdk.tls.client.protocols="SSLv2Hello,TLSv1.2" at the command line, 
> > and I get my SSLv2 Hello.
>
> It looks like if you add SSLv2Hello to the list of protocols you'll 
> accept, you'll get an SSLv2Hello in there (abridged output):
>
> Allow unsafe renegotiation: false
> Allow legacy hello messages: true
> Is initial handshake: true
> Is secure renegotiation: false
> ...
> main, WRITE: TLSv1.2 Handshake, length = 221 main, WRITE: SSLv2 client 
> hello message, length = 140 main, READ: TLSv1.2 Handshake, length = 81 
> main, READ: TLSv1.2 Handshake, length = 2779 main, READ: TLSv1.2 
> Handshake, length = 589 main, READ: TLSv1.2 Handshake, length = 4 
> main, WRITE: TLSv1.2 Handshake, length = 70 main, WRITE: TLSv1.2 
> Change Cipher Spec, length = 1 main, WRITE: TLSv1.2 Handshake, length 
> = 40 main, READ: TLSv1.2 Change Cipher Spec, length = 1 main, READ: 
> TLSv1.2 Handshake, length = 40
>
> You just have to use a custom SSLSocketFactory that sets the protocols 
> you want to enable on the (client) socket. If one of the protocols you 
> use is "SSLv2Hello".
>
> Oddly enough, when *not* specifying SSLv2Hello, you'll get this 
> (abridged output):
>
> Allow unsafe renegotiation: false
> Allow legacy hello messages: true
> Is initial handshake: true
> Is secure renegotiation: false
> ...
> main, WRITE: TLSv1.2 Handshake, length = 221 main, READ: TLSv1.2 
> Handshake, length = 89 main, READ: TLSv1.2 Handshake, length = 2779 
> main, READ: TLSv1.2 Handshake, length = 589 main, READ: TLSv1.2 
> Handshake, length = 4 main, WRITE: TLSv1.2 Handshake, length = 70 
> main, WRITE: TLSv1.2 Change Cipher Spec, length = 1 main, WRITE: 
> TLSv1.2 Handshake, length = 40 main, READ: TLSv1.2 Change Cipher Spec, 
> length = 1 main, READ: TLSv1.2 Handshake, length = 40
>
> When the SSLv2Hello "protocol" isn't enabled, you don't get the "main, 
> WRITE" and "main, READ"
>
> Note that I'm not trying anything with a client certificate, here. I 
> hope that helps somewhat.
>
> - -chris
> -----BEGIN PGP SIGNATURE-----
> Comment: GPGTools - http://gpgtools.org
>
> iQIcBAEBCAAGBQJWHxCIAAoJEBzwKT+lPKRYCNQQAMJx3cHj3Rl8ieX+2cANmXfW
> fHr0MPkHNIcbzpX5WWJaEqfhnYqQTk9TiY7rKxwjo3OtJtEG1bkm9tqeq4pzHJcX
> oQ03/wMOKrNqqGoILcpdWgRpc0jylsx1GouJ2qmmCNvZO1fBdBhtAE49dvg4Hd+c
> uOzet5CizkTIfbu/i2Rb/szC9T/mopvicOsoS7oe1EE7sJZKL4BU3ayun5KvFXvr
> 0KbDRU0Btp3M0YcPP4R2MtExYROW9pwwb5UYJdmK8ZxHAsmhJsG8DzDQnywFEx3+
> cm2e0W5v5FMAAh3PBNqfl5VN/8uIlHkeLtCjDU0JCMCfguwTQbitPpyhatnRlE7z
> K8FfdZUC2zBprX1HnJl5aT02u3STzRsyL5DWlVAKPC/OAUEYFO26Ira1K86ACpww
> O7t6phwHfXdGIkT/GdT9i2DgGippj6/mAhgq6XUsAkVr9usK33pNP8q/jf/ORwq/
> Njf4d4vjRNw3W7UZ0w0NCgZ7dKdepC/x2sT6zugQugiLNQ+gHGQWfcOhrQsRsj8f
> qHGU1E+94g5oQCqb14KWoZv8bAA2WYAqgUK3DK2icsiCEFqWd6Yb6gYcvIGsbV9t
> g+Mtxfm5qjncCwHeyONd3uBWTjakZb7fIvk4di0pZcnZB7HFYx7/r0ndS+IRzUVS
> LJxWiHhKQZ32QvVKtBxe
> =zKZ4
> -----END PGP SIGNATURE-----
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>
>
Mime
View raw message