Date: Thu, 15 Oct 2015 15:43:26 +0200
Subject: Re: [OT] Tomcat 7.0.55/Jre 7u67: SEND TLSv1 ALERT: fatal, description = bad_record_mac
From: Aurélien Terrestris
To: Tomcat Users List
In-Reply-To: <561F1088.6060205@christopherschultz.net>

George,

I'm not sure we can find any solution, but can we have a look at a pcap capture? Esmond Pitt was posting sometimes; that would be a challenge for him.

2015-10-15 4:33 GMT+02:00 Christopher Schultz:

> Aurélien,
>
> On 10/14/15 5:59 PM, Aurélien Terrestris wrote:
> > Still no solution, I suppose...
> >
> > Did you enable the SSLv2 Hello as suggested by Chris, and what's
> > the result?
> > I tested a small client with Java 8, by adding
> > -Djdk.tls.client.protocols="SSLv2Hello,TLSv1.2" at the command
> > line, and I get my SSLv2 Hello.
>
> It looks like if you add SSLv2Hello to the list of protocols you'll
> accept, you'll get an SSLv2Hello in there (abridged output):
>
> Allow unsafe renegotiation: false
> Allow legacy hello messages: true
> Is initial handshake: true
> Is secure renegotiation: false
> ...
> main, WRITE: TLSv1.2 Handshake, length = 221
> main, WRITE: SSLv2 client hello message, length = 140
> main, READ: TLSv1.2 Handshake, length = 81
> main, READ: TLSv1.2 Handshake, length = 2779
> main, READ: TLSv1.2 Handshake, length = 589
> main, READ: TLSv1.2 Handshake, length = 4
> main, WRITE: TLSv1.2 Handshake, length = 70
> main, WRITE: TLSv1.2 Change Cipher Spec, length = 1
> main, WRITE: TLSv1.2 Handshake, length = 40
> main, READ: TLSv1.2 Change Cipher Spec, length = 1
> main, READ: TLSv1.2 Handshake, length = 40
>
> You just have to use a custom SSLSocketFactory that sets the protocols
> you want to enable on the (client) socket. If one of the protocols you
> use is "SSLv2Hello".
>
> Oddly enough, when *not* specifying SSLv2Hello, you'll get this
> (abridged output):
>
> Allow unsafe renegotiation: false
> Allow legacy hello messages: true
> Is initial handshake: true
> Is secure renegotiation: false
> ...
> main, WRITE: TLSv1.2 Handshake, length = 221
> main, READ: TLSv1.2 Handshake, length = 89
> main, READ: TLSv1.2 Handshake, length = 2779
> main, READ: TLSv1.2 Handshake, length = 589
> main, READ: TLSv1.2 Handshake, length = 4
> main, WRITE: TLSv1.2 Handshake, length = 70
> main, WRITE: TLSv1.2 Change Cipher Spec, length = 1
> main, WRITE: TLSv1.2 Handshake, length = 40
> main, READ: TLSv1.2 Change Cipher Spec, length = 1
> main, READ: TLSv1.2 Handshake, length = 40
>
> When the SSLv2Hello "protocol" isn't enabled, you don't get the "main,
> WRITE" and "main, READ"
>
> Note that I'm not trying anything with a client certificate, here. I
> hope that helps somewhat.
>
> -chris