Subject: Re: [OT] Tomcat 7.0.55/Jre 7u67: SEND TLSv1 ALERT: fatal, description = bad_record_mac
From: Christopher Schultz
To: Tomcat Users List
Date: Tue, 13 Oct 2015 17:24:36 -0400

All,

On 10/13/15 5:08 PM, Christopher Schultz wrote:
> George and Aurélien,
>
> On 10/13/15 5:06 PM, George Stanchev wrote:
>> Try the dropbox location in my prev messages. It contains a
>> sample echo server you can use to test. It is a Visual Studio
>> 2013 project. In case you don’t have that, I've uploaded x64
>> executables under SSLServer_executbale.zip. It is pretty much
>> self contained, it has the redist DLLs, the server cert, all...
>
>> It eliminates the need of IIS as it does the same thing - accept
>> connection, read payload, upgrade to 2 way ssl...
>
>> It generates output like this [1]
>
>> The line " Decrypt error from SCHANNEL, Client ID:
>> a1cefeb8-bad3-4903-8dbe-fdea347f666e" is emitted when bad record
>> mac is caught on the server side...
>
> On 10/13/15 4:55 PM, Aurélien Terrestris wrote:
>> "How do you force Java 8 to use SSLv2Hello?"
>
>> You can do this when writing your own Java client : calling the
>> SSLSocketFactory to create an SSLSocket and configure with
>> setEnabledProtocols (
>> https://docs.oracle.com/javase/8/docs/api/javax/net/ssl/SSLSocket.html#setEnabledProtocols-java.lang.String:A-
>> )
>
>> If you have some IIS server on internet which reproduces the
>> problem, I'll try with JTouch ( jtouch.sourceforge.net ) or write
>> a small client.
>
> I've got a client already written. I'll post the latest code
> somewhere.

https://wiki.apache.org/tomcat/tools/SSLTest.java

and

https://wiki.apache.org/tomcat/tools/SSLUtils.java

This tool only performs the SSL handshake, so it doesn't do anything at
the HTTP level. It doesn't do client certificates; I'd be happy to see
someone add that capability and update the code on the Wiki.

-chris
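
The approach described in the thread above (an SSLSocket configured with setEnabledProtocols, then a handshake with no HTTP traffic), as an added example that is not part of the original message and is not the SSLTest tool from the wiki. The class name HandshakeProbe, the default protocol list and the command-line arguments are assumptions; it uses the JRE's default trust store and presents no client certificate.

```java
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import java.net.InetSocketAddress;
import java.util.Arrays;

// Added example: handshake-only probe. Class name, defaults and arguments are hypothetical.
public class HandshakeProbe {
    public static void main(String[] args) throws Exception {
        // Usage: java HandshakeProbe [host port [protocol,protocol,...]]
        String[] wanted = (args.length > 2 ? args[2] : "SSLv2Hello,TLSv1").split(",");

        SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
        try (SSLSocket socket = (SSLSocket) factory.createSocket()) {   // unconnected socket
            System.out.println("Supported by this JRE: " + Arrays.toString(socket.getSupportedProtocols()));
            System.out.println("Enabled by default:    " + Arrays.toString(socket.getEnabledProtocols()));
            try {
                // Throws IllegalArgumentException if the provider does not accept the list.
                socket.setEnabledProtocols(wanted);
            } catch (IllegalArgumentException e) {
                System.out.println("Rejected " + Arrays.toString(wanted) + ": " + e.getMessage());
                return;
            }
            System.out.println("Now enabled:           " + Arrays.toString(socket.getEnabledProtocols()));
            if (args.length < 2) {
                return;   // no target given: only report what this JRE would offer
            }
            socket.connect(new InetSocketAddress(args[0], Integer.parseInt(args[1])), 5000);
            socket.setSoTimeout(5000);
            try {
                socket.startHandshake();   // handshake only, no HTTP request is sent
                SSLSession session = socket.getSession();
                System.out.println("Negotiated " + session.getProtocol() + " / " + session.getCipherSuite());
            } catch (SSLException e) {
                // A fatal alert from the peer (for example bad_record_mac) surfaces here.
                System.out.println("Handshake failed: " + e.getMessage());
            }
        }
    }
}
```

Run without arguments, it only reports which protocol names the local JRE supports and accepts; a protocol that the JRE's security policy has disabled can pass setEnabledProtocols and still fail at handshake time.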