Hi,

I just wanted to report a problem with the JSSE TLS/SSL handshake that became obvious only after I upgraded Tomcat from 7.0.35 to 7.0.37.

Server: Tomcat 7.0.37, BIO Connector, Oracle JDK 1.7.0_xx (e.g. _09)
Client: Java TLS/SSL client, e.g. [1], Oracle JDK 1.6.0_xx (e.g. _35)

Exception is:

javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure

Full stack trace is available at the end of the message.

The reason for this seems to be the removal of the SSLv2Hello pseudo-protocol from the list of active protocols in Java 7 [2]. Therefore, Java 6 (client) will try to connect using SSLv2Hello, but the server won't be able to respond, as the Oracle documentation partly describes [3]:

"If SSLv2Hello is disabled on the server, then all incoming messages must conform to the SSLv3/TLSv1 client hello format."

The solution for the problem is either:

(1) Disable SSLv2Hello on the Java 6 client (e.g. -Dhttps.protocols="TLSv1,SSLv3"), or
(2) Enable SSLv2Hello on the Java 7 server (e.g. add sslEnabledProtocols="TLSv1,SSLv3,SSLv2Hello" to the JSSE connector configuration in server.xml).

(Not both!)

Now, I don't think it has anything to do with Tomcat, but I believe that other people who upgrade to 7.0.37 may stumble upon the same issue if they use Oracle JDK 7 on the server and Oracle JDK 6 on the Java client. There is a useful post on Stack Overflow [4].

Why is TLS/SSL handshake successful with Tomcat 7.0.35, and not with 7.0.37? I don't know. Maybe it is related to bug 54406 [5].

-Ognjen



[1] http://www.mkyong.com/java/java-https-client-httpsurlconnection-example/
[2] http://docs.oracle.com/javase/7/docs/technotes/guides/security/enhancements-7.html
[3] http://docs.oracle.com/javase/7/docs/technotes/guides/security/StandardNames.html#jssenames
[4] http://stackoverflow.com/questions/2159586/jsse-handshake-failure-on-public-https-web-site
[5] https://issues.apache.org/bugzilla/show_bug.cgi?id=54406

Full stack trace
Caused by: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
        at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)
        at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:136)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:1720)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:954)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1138)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:632)
        at com.sun.net.ssl.internal.ssl.AppOutputStream.write(AppOutputStream.java:59)
        at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:65)
        at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:123)
        at org.apache.commons.httpclient.ChunkedOutputStream.flush(ChunkedOutputStream.java:191)
        at org.apache.axis2.transport.http.AxisRequestEntity.writeRequest(AxisRequestEntity.java:94)
        ... 20 more
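An added example, not part of Ognjen's mail and not Tomcat or JSSE code: it builds the two ClientHello wire formats the quoted Oracle sentence distinguishes (an SSLv2-compatible CLIENT-HELLO, which is what a client with SSLv2Hello enabled sends first, and a ClientHello inside an SSLv3/TLS record), classifies them from their first bytes, and applies the server's acceptance rule to the three configurations discussed above. The negotiation model is a simplification I assume here (the server picks the highest enabled SSLv3/TLS version not above the client's maximum, and rejection is what JSSE reports as handshake_failure); the function names, the sample cipher values and the protocol lists for the "Java 7 server" are constructed for the example, not taken from any JDK default.

```python
import os
import struct

# Wire version -> JSSE protocol name. SSLv2Hello is a pseudo-protocol (a hello
# format), not a version, so it never appears in this table.
VERSION_NAMES = {(3, 0): "SSLv3", (3, 1): "TLSv1", (3, 2): "TLSv1.1", (3, 3): "TLSv1.2"}
VERSION_ORDER = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"]


def build_v2_client_hello(max_version=(3, 1), cipher_specs=(b"\x00\x00\x2f", b"\x00\x00\x0a")):
    """SSLv2-compatible CLIENT-HELLO, the 'SSLv2Hello' format. There is no
    record-layer content type: the first byte has the high bit set and the
    header carries a 15-bit length. Cipher specs are constructed sample values."""
    challenge = os.urandom(16)
    body = (
        b"\x01"                                          # msg_type = CLIENT-HELLO
        + bytes(max_version)                             # highest version the client supports
        + struct.pack("!HHH", 3 * len(cipher_specs), 0, len(challenge))
        + b"".join(cipher_specs)                         # 3-byte cipher specs
        + challenge                                      # empty session id, then the challenge
    )
    return struct.pack("!H", 0x8000 | len(body)) + body


def build_v3_client_hello(version=(3, 1), cipher_suites=(0x002F, 0x000A)):
    """ClientHello inside an SSLv3/TLS record (content type 0x16): the format a
    server with SSLv2Hello disabled requires for every incoming message."""
    body = (
        bytes(version)                                   # client_version
        + os.urandom(32)                                 # random
        + b"\x00"                                        # empty session id
        + struct.pack("!H", 2 * len(cipher_suites))
        + b"".join(struct.pack("!H", c) for c in cipher_suites)
        + b"\x01\x00"                                    # one compression method: null
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # handshake type 1 = client_hello
    return b"\x16" + bytes(version) + struct.pack("!H", len(handshake)) + handshake


def classify_client_hello(data):
    """Tell the two formats apart from the first bytes on the wire (e.g. from a
    capture) and extract the highest version the client advertises."""
    if len(data) >= 5 and data[0] & 0x80 and data[2] == 0x01:
        return {"format": "SSLv2Hello", "version": VERSION_NAMES.get((data[3], data[4]), "SSLv2")}
    if len(data) >= 11 and data[0] == 0x16 and data[5] == 0x01:
        return {"format": "SSLv3/TLS", "version": VERSION_NAMES.get((data[9], data[10]), "unknown")}
    return {"format": "unknown", "version": None}


def negotiate(data, enabled_protocols):
    """Simplified model of the quoted server rule: with SSLv2Hello disabled only
    SSLv3/TLS-format hellos are accepted. Returns the version the server would
    pick, or None for a rejected hello (the handshake_failure case in the mail)."""
    info = classify_client_hello(data)
    if info["format"] == "SSLv2Hello" and "SSLv2Hello" not in enabled_protocols:
        return None
    if info["version"] not in VERSION_ORDER:
        return None                                      # unknown format, or a pure SSLv2 client: JSSE has no SSLv2
    for candidate in reversed(VERSION_ORDER[: VERSION_ORDER.index(info["version"]) + 1]):
        if candidate in enabled_protocols:
            return candidate
    return None


if __name__ == "__main__":
    java6_client = build_v2_client_hello()               # SSLv2Hello format, TLSv1 as maximum
    server_without_v2hello = ["TLSv1", "TLSv1.1", "TLSv1.2"]   # constructed sslEnabledProtocols list
    print("Java 6 client -> server without SSLv2Hello:", negotiate(java6_client, server_without_v2hello))
    print("fix (1), client without SSLv2Hello:", negotiate(build_v3_client_hello(), server_without_v2hello))
    print("fix (2), server with SSLv2Hello:", negotiate(java6_client, ["TLSv1", "SSLv3", "SSLv2Hello"]))
```

Run it as a script to see the three outcomes side by side; the first prints None (the failure in the mail), the other two print TLSv1. Feeding classify_client_hello the first bytes of a real client's connection tells you which of the two fixes applies to that client.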
