"I'm not sure how (or even if) you can have Java attempt to connect with SSLv3 and then re-try with TLS."
I think it is possible, have a look on JSSE Reference Guide for sun.security.ssl.allowUnsafeRenegotiation and sun.security.ssl.allowLegacyHelloMessages, they're explaining how to catch the SSLHandshakeException and launch one more startHandshake method. I admit I have not tried this, by the way.. "I don't believe Java 6 for example supports TLSv1.1 and TLSv1.2." It doesn't, as said in the JSSE Reference Guide (http://docs.oracle.com/javase/6/docs/technotes/guides/security/jsse/JSSERefGuide.html) => " Provides API support for SSL versions 2.0 and 3.0, TLS 1.0 and later; and an implementation of SSL 3.0 and TLS 1.0" A.T. 2015-02-26 17:37 GMT+01:00 Christopher Schultz <ch...@christopherschultz.net>: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA256 > > Deepak, > > On 2/25/15 1:49 AM, dku...@ccilindia.co.in wrote: >>> Perhaps you disabled SSLv3 and a client is trying to connect >>> using SSLv3? >> >> We agree with your above statement. We have disabled SSLv3 on >> Tomcat server and our client is an exe which sends request using >> below code. > > (What's an "exe"?) > >> URL server = new URL(url); jprogress.setValue(11); final String >> hostvar = ip; HttpsURLConnection.setDefaultHostnameVerifier(new >> HostnameVerifier() { public boolean verify(String hostname, >> SSLSession session) { if (hostname.equals(hostvar)) { return true; >> } else { return false; } } }); > > Note that the above is roughly equivalent to the default hostname > verifier. Why are you bothering with that? > >> try{ HttpsURLConnection con = (HttpsURLConnection) >> server.openConnection(); jprogress.setValue(14); >> con.setConnectTimeout(90000000); > > That is a *very* long timeout. Why? > >> con.setDoOutput(true); con.setUseCaches(false); >> con.setReadTimeout(60000); > > That's a pretty long timeout, too. Who wants to wait 60 seconds for a > byte of data? 
> >> jprogress.setValue(16); >> >> We are unable to find at which point the client exe uses either TLS >> or SSLv3 to send request to the server. > > It will depend upon the URL being passed-into the URL constructor: > URL.openConnection will determine which protocol to use. > >> Also we find that client exe works fine in other machines. We want >> to know if this is system specific or java specific. > > This is a combination of the two. > > If you want to force the client to use a different protocol (e.g. > TLSv1 versus SSLv3), you need to tell HttpsURLConnection to use a > different socket factory. Something like this: > > String protocol = ...; // "SSL" or "TLS" > String[] sslEnabledProtocols = ...; // whatever specific protocols you > want to support, like SSLv3, SSLv2hello, TLSv1.1, etc. > String[] sslCipherSuites = ...; // Whatever SSL cipher suites you want > to support > > TrustManager[] tms = ...; // Whatever trust managers you want to use > Random random = new SecureRandom(); > SSLContext sc = SSLContext.getInstance(protocol); > > sc.init(null, tms, random); > > SSLSocketFactory sf = sc.getSocketFactory(); > > if(null != sslEnabledProtocols > || null != sslCipherSuites) > sf = new CustomSSLSocketFactory(sf, > sslEnabledProtocols, > sslCipherSuites); > > HttpsURLConnection.setDefaultSSLSocketFactory(sf); > > You'll also need this: > > public static class CustomSSLSocketFactory > extends javax.net.ssl.SSLSocketFactory > { > private final String[] _sslEnabledProtocols; > private final String[] _sslCipherSuites; > private final SSLSocketFactory _base; > > public CustomSSLSocketFactory(SSLSocketFactory base, > String[] sslEnabledProtocols, > String[] sslCipherSuites) > { > _base = base; > if(null == sslEnabledProtocols) > _sslEnabledProtocols = null; > else > _sslEnabledProtocols = sslEnabledProtocols.clone(); > if(null == sslCipherSuites || 0 == sslCipherSuites.length) > _sslCipherSuites = getDefaultCipherSuites(); > else if(1 == sslCipherSuites.length && > 
"ALL".equalsIgnoreCase(sslCipherSuites[0])) > _sslCipherSuites = getSupportedCipherSuites(); > else > _sslCipherSuites = sslCipherSuites.clone(); > } > > public String[] getDefaultCipherSuites() { > return _base.getDefaultCipherSuites(); > } > public String[] getSupportedCipherSuites() { > return _base.getSupportedCipherSuites(); > } > > private SSLSocket customize(Socket s) > { > SSLSocket socket = (SSLSocket)s; > > if(null != _sslEnabledProtocols) > socket.setEnabledProtocols(_sslEnabledProtocols); > > socket.setEnabledCipherSuites(_sslCipherSuites); > > return socket; > } > > @Override > public Socket createSocket(Socket s, > String host, > int port, > boolean autoClose) > throws IOException > { > return customize(_base.createSocket(s, host, port, > autoClose)); > } > @Override > public Socket createSocket(String host, int port) > throws IOException, UnknownHostException > { > return customize(_base.createSocket(host, port)); > } > @Override > public Socket createSocket(InetAddress host, int port) > throws IOException > { > return customize(_base.createSocket(host, port)); > } > @Override > public Socket createSocket(String host, int port, > InetAddress localHost, int localPort) > throws IOException, UnknownHostException > { > return customize(_base.createSocket(host, port, localHost, > localPort)); > } > @Override > public Socket createSocket(InetAddress address, int port, > InetAddress localAddress, int > localPort) > throws IOException > { > return customize(_base.createSocket(address, port, > localAddress, localPort)); > } > } > > I'm not sure how (or even if) you can have Java attempt to connect > with SSLv3 and then re-try with TLS. I would imagine that's built-into > the code. It would be foolish if it weren't available. > > But, it's possible that a handshake is not possible, especially if > there is an old version of Java being used by the client. I don't > believe Java 6 for example supports TLSv1.1 and TLSv1.2. 
So, if your > server is configured to only allow those protocols, you will never be > able to establish a handshake with a Java6-based client. > > Hope that helps, > - -chris > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1 > Comment: GPGTools - http://gpgtools.org > > iQIcBAEBCAAGBQJU70uuAAoJEBzwKT+lPKRYP/wP/Ras88Af6qTYNK5VsB4bcdet > vGjBr+fsbbD1HuG+VLSbX03xg7X5cW3JfZgjGOgevdjygmHS8LkyunFJnUe5x6xe > GK97Lz4O7RUR26HwJnNwtAwYDaccln7o8xTg2aOa/z4j/7DuXACCgHckpGvyh4aT > Yk016fQbGXRtK+fXKr0VvGRVkkL7OzIN83Kq2TtV7Je6aZE91s1PHchzNTtnnRvu > yfrWRZmtCUQg/nCJ990l86DePvn7ewWoYwbDJ5rrtOi1MtND6m10pHBmDr6TLHfD > R7h/bUFzDmoHF8YPVZR89K5G57mU9eIBB8WbgPXCnFNnZowUw+z+fg9DFXMyag5s > yUBu9u5feGgOeE7BM+X162d0605uWuKy/HsJ/T7FuOwjiGcS2350c8FSfkZ9qCH8 > Eb9gHqZydku/3N9Fub2oWSrAMMKFVBBfnUr1L63mI7VMN24A+k27tXmjzR7QERr5 > Hu8HatEy1qW3D3sKD0gOWkGlO2TA3CdKHns1Ci8Ueu2U7DnxU3fGnXkVm/MYWpOR > sPIZueio7pE0rPkXaMfY23K6qMGDMxJfBwDcZkACyfoxWSrfQ8UIRu+8Or5JWnHR > XfXGXq1D8K6Fx1gx0ZSJnuO4wDE7oC1X1Irupzq2aqIT9WpuQDzx+hSNwcJ+0sB4 > Cbqx+Oh1YcsJHlinv032 > =canw > -----END PGP SIGNATURE----- > > --------------------------------------------------------------------- > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > For additional commands, e-mail: users-h...@tomcat.apache.org > --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
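The two points raised in this thread (pinning the protocol version through a custom SSLSocketFactory, and catching SSLHandshakeException to retry with another version) can be combined into a small diagnostic client. The following is an added example; it is not code from Chris's or Deepak's mails and nobody in the thread tested it. The class and method names (TlsVersionProbe, PinnedProtocolSocketFactory, probe) and the default URL https://localhost:8443/ are assumptions for illustration. It differs from the thread's approach in three deliberate ways: the factory is set per connection with setSSLSocketFactory rather than JVM-wide with setDefaultSSLSocketFactory, the default hostname verifier is left in place (Deepak's custom verifier only checks the bare host string and never looks at the certificate), and SSLv3 is not in the retry list, because a client that silently falls back to SSLv3 undoes the server-side fix the thread started from. A normal TLS handshake already negotiates the highest version both sides enable, so trying one version at a time is a probe for finding out what a given JRE/server pair can agree on, not a production retry policy.

```java
import java.io.IOException;
import java.net.InetAddress;
import java.net.Socket;
import java.net.URL;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

/** Probes which TLS version a server accepts from this JRE, one version per attempt. (Illustrative, assumed names.) */
public class TlsVersionProbe {

    /** Wraps the JRE's SSLSocketFactory and pins the enabled protocol list on every socket it hands out. */
    static final class PinnedProtocolSocketFactory extends SSLSocketFactory {
        private final SSLSocketFactory base;
        private final String[] protocols;

        PinnedProtocolSocketFactory(SSLSocketFactory base, String[] protocols) {
            this.base = base;
            this.protocols = protocols.clone();
        }

        private Socket pin(Socket s) {
            ((SSLSocket) s).setEnabledProtocols(protocols);   // throws IllegalArgumentException for names this JRE lacks
            return s;
        }

        @Override public String[] getDefaultCipherSuites() { return base.getDefaultCipherSuites(); }
        @Override public String[] getSupportedCipherSuites() { return base.getSupportedCipherSuites(); }
        // Unconnected-socket path, which HttpsURLConnection tries first.
        @Override public Socket createSocket() throws IOException { return pin(base.createSocket()); }
        // Layering path: HttpsURLConnection wraps an already-connected plain socket.
        @Override public Socket createSocket(Socket s, String host, int port, boolean autoClose) throws IOException {
            return pin(base.createSocket(s, host, port, autoClose));
        }
        @Override public Socket createSocket(String host, int port) throws IOException {
            return pin(base.createSocket(host, port));
        }
        @Override public Socket createSocket(String host, int port, InetAddress localHost, int localPort) throws IOException {
            return pin(base.createSocket(host, port, localHost, localPort));
        }
        @Override public Socket createSocket(InetAddress host, int port) throws IOException {
            return pin(base.createSocket(host, port));
        }
        @Override public Socket createSocket(InetAddress address, int port, InetAddress localAddress, int localPort) throws IOException {
            return pin(base.createSocket(address, port, localAddress, localPort));
        }
    }

    /** Returns one report line per candidate version, in the order tried, stopping at the first accepted one. */
    static List<String> probe(URL url, String... candidates) throws Exception {
        SSLContext ctx = SSLContext.getDefault();
        Set<String> supported = new HashSet<String>(Arrays.asList(ctx.getSupportedSSLParameters().getProtocols()));
        List<String> report = new ArrayList<String>();

        for (String proto : candidates) {
            // Java 6 lists only SSLv3/TLSv1 here, so TLSv1.1/TLSv1.2 are reported instead of throwing later.
            if (!supported.contains(proto)) {
                report.add(proto + ": not supported by this JRE");
                continue;
            }
            HttpsURLConnection con = (HttpsURLConnection) url.openConnection();
            // Per-connection factory; setDefaultSSLSocketFactory would change every HTTPS client in the JVM.
            con.setSSLSocketFactory(new PinnedProtocolSocketFactory(ctx.getSocketFactory(), new String[] { proto }));
            con.setConnectTimeout(5000);     // short timeouts: a dead server should fail fast
            con.setReadTimeout(10000);
            try {
                con.connect();               // TCP connect plus TLS handshake happen here
                report.add(proto + ": accepted, HTTP " + con.getResponseCode() + ", suite " + con.getCipherSuite());
                break;
            } catch (SSLHandshakeException e) {
                report.add(proto + ": handshake rejected (" + e.getMessage() + ")");   // try the next version
            } catch (IOException e) {
                report.add(proto + ": I/O failure (" + e.getMessage() + ")");
                break;                       // not a version problem, so retrying is pointless
            } finally {
                con.disconnect();
            }
        }
        return report;
    }

    public static void main(String[] args) throws Exception {
        URL url = new URL(args.length > 0 ? args[0] : "https://localhost:8443/");   // assumed Tomcat address
        // Newest first. SSLv3 is deliberately absent: falling back to it reintroduces the problem the server fixed.
        for (String line : probe(url, "TLSv1.2", "TLSv1.1", "TLSv1")) {
            System.out.println(line);
        }
    }
}
```

Run it once from the machine where the client fails and once from a machine where it works; the "not supported by this JRE" line on the failing machine is the Java 6 case Chris describes, while a "handshake rejected" line for every version means the Tomcat connector's sslEnabledProtocols and the client's versions have no overlap.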