tomcat-users mailing list archives

From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: Problem with SSH in latest Tomcat
Date Tue, 09 Apr 2019 23:26:35 GMT

Richard,

On 4/9/19 17:48, Richard Huntrods wrote:
> I would like to 'do what's necessary' to remove the following
> error. Google tells me it's related to my security implementation,
> which is HTTPS by default. I am convinced the problem is in how I
> invoke the port 443 connector in my server.xml. I've been running
> this servlet on versions of Tomcat since 2001, and have kept my
> Tomcat instances up to date. Most recently I started noticing this
> in the logs, and am pretty sure it's because I've been copying the
> connector code bit from server.xml to server.xml as I upgraded
> versions of Tomcat.

With a few exceptions, the <Connector /> configuration hasn't changed
a lot since then. The TLS configuration changed recently to be more
expressive and allow for more complex configurations, but the old
syntax should still work in many cases.

> I really suspect my connector is now out-of-date and could use
> some guidance as to the best new form. I see in the recent
> server.xml they use a different invocation, but don't know if this
> is best...
> 
> OS: Ubuntu 18.04 LTS Live server Tomcat: 8.5.39, installed from
> tar.gz obtained from Tomcat.

What is the Java version?

> I've done this enough times to "get it right", so it's just this
> Hello error I want to eradicate...

:)

> Here is the error message:
> 
> 08-Apr-2019 01:00:23.477 SEVERE [https-jsse-nio-443-exec-9] org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun
> java.lang.UnsupportedOperationException: Unsupported SSL v2.0 ClientHello
>         at java.base/sun.security.ssl.SSLEngineInputRecord.handleUnknownRecord(SSLEngineInputRecord.java:373)
>         at java.base/sun.security.ssl.SSLEngineInputRecord.decode(SSLEngineInputRecord.java:195)
>         at java.base/sun.security.ssl.SSLEngineImpl.readRecord(SSLEngineImpl.java:975)
>         at java.base/sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:902)
>         at java.base/sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:680)
>         at java.base/javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:626)
>         at org.apache.tomcat.util.net.SecureNioChannel.handshakeUnwrap(SecureNioChannel.java:475)
>         at org.apache.tomcat.util.net.SecureNioChannel.handshake(SecureNioChannel.java:238)
>         at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1475)
>         at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
>         at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1135)
>         at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
>         at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
>         at java.base/java.lang.Thread.run(Thread.java:844)
> 
> My certificates are new and correct, and have run fine in past
> versions of Tomcat without problems...
> 
> THIS IS MY SERVER.XML - Most of it is identical to the server.xml
> supplied with Tomcat 8.5.39. My changes are after the *** THIS IS
> MY CONNECTOR ... *** comment.
> 
> [snip]
> 
> <!-- *** THIS IS MY CONNECTOR FOR PORT 443: COPIED FROM PAST TOMCAT VERSIONS *** -->
> <Connector port="443" protocol="HTTP/1.1"
>            SSLEnabled="true" maxThreads="150" enableLookups="false"
>            scheme="https" secure="true" keystoreFile="./keys/.keystore"
>            keystorePass="password" clientAuth="false" sslProtocol="TLS" />

You should really read the new TLS configuration guide[1] and use
<Connector> with a nested <SSLHostConfig> element.

But there isn't anything in there that looks to be a problem to me.

My guess is that you are using a very new Java which has dropped
support for the SSLv2Hello pseudo-protocol. That's not actually an
encryption protocol, but instead is a handshake protocol which allows
some versions of TLS to be negotiated using an old-style SSHv2 "hello"
handshake.

If that's the problem then:

1. You shouldn't be able to start Tomcat or in fact make any
connections. Or maybe it's just a warning that it's not supported and
Java will throw the error and the client will re-connect using TLS
like any modern system should.

2. You should be able to fix it by either specifying:

  <Connector ... sslEnabledProtocols="TLSv1.2" ... />   (and others if you want)

  or

  <Connector ...>
    <SSLHostConfig protocols="TLSv1.2" ... />   (and others if you want)
  </Connector>

Hope that helps,
- -chris

[1] http://tomcat.apache.org/tomcat-8.5-doc/config/http.html#SSL_Support
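As an added illustration (not code from this thread, nor from Tomcat itself), here is a Python script that audits a server.xml for the Connector-level TLS attributes seen in the quoted configuration and rewrites each SSLEnabled connector into the nested <SSLHostConfig> form with an explicit protocol list, which is the second fix suggested above. The SSLHostConfig and Certificate attribute names follow the Tomcat 8.5 HTTP connector documentation linked at [1]; the embedded server.xml is a constructed copy of the quoted connector, and the function names are my own.

```python
"""Audit a Tomcat 8.5 server.xml for old-style TLS connector attributes and
rewrite each SSLEnabled connector into the nested <SSLHostConfig> form with
an explicit protocol list. Attribute names follow the Tomcat 8.5 HTTP
connector docs; everything else here is illustrative, not Tomcat code."""
import xml.etree.ElementTree as ET

# Constructed sample: the connector quoted in the thread, inside a minimal
# <Server>/<Service> skeleton so it parses the way a real server.xml does.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000" redirectPort="443" />
    <Connector port="443" protocol="HTTP/1.1"
               SSLEnabled="true" maxThreads="150" enableLookups="false"
               scheme="https" secure="true" keystoreFile="./keys/.keystore"
               keystorePass="password" clientAuth="false" sslProtocol="TLS" />
  </Service>
</Server>
"""

# Legacy Connector-level TLS attributes and the 8.5 attribute each maps to.
LEGACY_TO_HOSTCONFIG = {
    "sslEnabledProtocols": "protocols",
    "ciphers": "ciphers",
    "sslProtocol": "sslProtocol",
}
LEGACY_TO_CERT = {
    "keystoreFile": "certificateKeystoreFile",
    "keystorePass": "certificateKeystorePassword",
    "keystoreType": "certificateKeystoreType",
    "keyAlias": "certificateKeyAlias",
    "keyPass": "certificateKeyPassword",
}
# clientAuth on the Connector becomes certificateVerification on SSLHostConfig.
CLIENT_AUTH_TO_VERIFICATION = {"false": "none", "true": "required", "want": "optional"}


def _is_legacy(attr):
    return attr in LEGACY_TO_HOSTCONFIG or attr in LEGACY_TO_CERT or attr == "clientAuth"


def audit_connectors(server_xml):
    """One finding per SSLEnabled connector: which legacy attributes it still
    carries and whether the enabled protocol versions are listed explicitly
    (on the Connector or a nested SSLHostConfig) rather than left at the default."""
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue
        host_cfgs = conn.findall("SSLHostConfig")
        findings.append({
            "port": conn.get("port"),
            "legacy_attrs": sorted(a for a in conn.attrib if _is_legacy(a)),
            "has_ssl_host_config": bool(host_cfgs),
            "protocols_pinned": "sslEnabledProtocols" in conn.attrib
                                or any(h.get("protocols") for h in host_cfgs),
        })
    return findings


def migrate_connector(conn, protocols="TLSv1.2"):
    """Rewrite one SSLEnabled <Connector> element in place: move legacy TLS
    attributes into nested <SSLHostConfig>/<Certificate> elements and pin the
    protocol list (TLSv1.2 by default, as the reply suggests) unless one is
    already set."""
    host_attrs = {LEGACY_TO_HOSTCONFIG[k]: v for k, v in conn.attrib.items()
                  if k in LEGACY_TO_HOSTCONFIG}
    cert_attrs = {LEGACY_TO_CERT[k]: v for k, v in conn.attrib.items()
                  if k in LEGACY_TO_CERT}
    if "clientAuth" in conn.attrib:
        host_attrs["certificateVerification"] = CLIENT_AUTH_TO_VERIFICATION.get(
            conn.attrib["clientAuth"].lower(), "none")
    for k in [a for a in conn.attrib if _is_legacy(a)]:
        del conn.attrib[k]
    host = conn.find("SSLHostConfig")
    if host is None:
        host = ET.SubElement(conn, "SSLHostConfig")
    host.attrib.update(host_attrs)
    if host.get("protocols") is None:
        host.set("protocols", protocols)  # explicit list replaces the default
    if cert_attrs:
        cert = host.find("Certificate")
        if cert is None:
            cert = ET.SubElement(host, "Certificate")
        cert.attrib.update(cert_attrs)
    return conn


def migrate_server_xml(server_xml, protocols="TLSv1.2"):
    """Return a copy of server.xml with every SSLEnabled connector migrated."""
    root = ET.fromstring(server_xml)
    for conn in root.iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() == "true":
            migrate_connector(conn, protocols)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for finding in audit_connectors(SAMPLE_SERVER_XML):
        print(finding)
    print(migrate_server_xml(SAMPLE_SERVER_XML))
```

Run against the sample, the audit reports the port 443 connector with four legacy attributes and no explicit protocol list; the migrated output carries the keystore settings on a <Certificate> element, maps clientAuth="false" to certificateVerification="none", and sets protocols="TLSv1.2" on the SSLHostConfig. Point it at a real server.xml and diff the output before dropping it in; the keystore password still lives in the file either way, so file permissions matter as much as before.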


