tomcat-users mailing list archives

From "Persson, Magnus (SE-TLX)" <magnus.pers...@assaabloy.com>
Subject Re: How to deal with 'sslv3 alert handshake failure'?
Date Wed, 28 Sep 2016 06:20:16 GMT
Hi Chris,

The java servlet (in webapps folder) was written by a consultant and I 
have only looked at parts of the source code and don't know all that it 
does.

The purpose is to give external integrators a way in to our software 
through a REST API.
We have made a reference client in python that connects, creates a 
session and can send POST, GET, DELETE, etc.

This sample client will get this 'hello' ssl error with tomcat versions 
greater than 7.0.68.
I have also tested a client in c++ that uses the POCO library. Same 
hello error.

Since we have only specified the TLSv1.x protocols in the tomcat config, 
I assume the initial hello request is encapsulated in an SSL2 frame by 
one of the TLSv1.x protocols.
The purpose of adding TLSv2Hello was to allow this initial hello request.

If the problem is the java servlet I'd like to correct it to not 
encapsulate the hello request in an SSLv2/SSLv3 frame. Could this be the 
problem or is it in the calling client?

/Magnus

On 2016-09-27 23:07, Christopher Schultz wrote:
>
> Magnus,
>
> On 9/27/16 10:29 AM, Persson, Magnus (SE-TLX) wrote:
>> We started out with tomcat 7.0.35 and got that running with our
>> REST servlet.
>>
>> When we upgraded to tomcat 7.0.63 we got this error when we tried
>> to create a new session:
>>
>> { "message": "[Errno 1] _ssl.c:507: error:14077410:SSL
>> routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure" }
> This is an error message from OpenSSL. Is this the client that is
> choking, or the server?
>
>> Through Google we found out that we needed to add "SSLv2Hello" to
>> the enabled protocols so we changed our connector in server.xml
>> like this (only added SSLv2Hello):
>>
>> <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
>> maxThreads="150" scheme="https" secure="true"
>> keystoreFile="${catalina.base}/conf/keystore" keystorePass="*"
>> clientAuth="false" sslProtocol="TLS"
>> sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1,SSLv2Hello"
>> URIEncoding="UTF-8" />
>>
>> We upgraded to tomcat 7.0.68 and it works fine with above connector
>> in server.xml
> Do you absolutely need to accept SSLv2Hello-formatted handshakes? Most
> of the web has abandoned SSLv3 and below at this point, so SSLv2Hello
> should no longer be necessary.
>
>> When we upgraded to tomcat 7.0.70 we got the sslv3 error again even
>> though we have SSLv2Hello in the enabled protocols:
>>
>> { "message": "[Errno 1] _ssl.c:507: error:14077410:SSL
>> routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure" }
>>
>> What do we need to change in the server.xml file to bypass the ssl3
>> error this time?
> That depends upon where you are actually getting that error.
>
> - -chris
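Two offline checks for the details in this thread, added here as an example (my own code, not from either poster or from Tomcat): decoding the OpenSSL error code quoted above, which carries TLS alert 40 (handshake_failure) received from the peer, so it is the server rejecting the client's hello; and parsing the connector's sslEnabledProtocols attribute to flag entries such as SSLv2Hello. The connector string is a trimmed copy of the one in the thread, and the alert table is only the subset named in the code.

```python
import re
import xml.etree.ElementTree as ET

# OpenSSL packs an error code as lib (8 bits) | func (12 bits) | reason (12 bits).
ERR_LIB_SSL = 20             # libssl
SSL_AD_REASON_OFFSET = 1000  # libssl reasons >= 1000 mean "the peer sent this TLS alert"
# TLS AlertDescription values from RFC 5246 section 7.2 (subset only)
TLS_ALERTS = {0: "close_notify", 40: "handshake_failure", 42: "bad_certificate",
              48: "unknown_ca", 70: "protocol_version", 80: "internal_error"}


def decode_openssl_error(text):
    """Split an OpenSSL 'error:XXXXXXXX:...' string into lib/func/reason and
    name the TLS alert the peer sent, if the reason encodes one."""
    m = re.search(r"error:([0-9A-Fa-f]{8}):", text)
    if not m:
        return None
    code = int(m.group(1), 16)
    lib, func, reason = code >> 24, (code >> 12) & 0xFFF, code & 0xFFF
    alert = None
    if lib == ERR_LIB_SSL and reason >= SSL_AD_REASON_OFFSET:
        n = reason - SSL_AD_REASON_OFFSET
        alert = TLS_ALERTS.get(n, "alert %d" % n)
    return {"lib": lib, "func": func, "reason": reason, "peer_alert": alert}


# Protocol tokens a reviewer should question in sslEnabledProtocols.
LEGACY_PROTOCOLS = {
    "SSLv2Hello": "accepts SSLv2-format ClientHello; only needed for very old clients",
    "SSLv3": "broken (POODLE), prohibited by RFC 7568",
    "TLSv1": "deprecated by RFC 8996",
    "TLSv1.1": "deprecated by RFC 8996",
}


def lint_connector(xml_text):
    """Parse one Tomcat <Connector> element and list the enabled protocols
    together with the legacy ones and the reason each is flagged."""
    el = ET.fromstring(xml_text)
    enabled = [p.strip() for p in el.get("sslEnabledProtocols", "").split(",") if p.strip()]
    return {"enabled": enabled,
            "legacy": {p: LEGACY_PROTOCOLS[p] for p in enabled if p in LEGACY_PROTOCOLS}}


# Constructed inputs copied (connector trimmed) from the thread above.
ERROR_TEXT = ("[Errno 1] _ssl.c:507: error:14077410:SSL routines:"
              "SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure")
CONNECTOR_XML = ('<Connector port="443" protocol="HTTP/1.1" SSLEnabled="true" '
                 'sslProtocol="TLS" sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1,SSLv2Hello" />')

if __name__ == "__main__":
    print(decode_openssl_error(ERROR_TEXT))
    print(lint_connector(CONNECTOR_XML))
```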