Diarmuid,
On 8/31/15 11:36 AM, dmccrthy wrote:
> To cut a long story short openssl helped. Using openssl -connect
> showed the error below. When I added the -tls1 flag the error went
> away.
>
> 2104:error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed
> or bad record mac:.\ssl\s3_pkt.c:532:
>
> Configuring Tomcat with the JVM parameter below resolved the
> issue.
>
> -Dhttps.protocols="TLSv1"

Yep, you have to use a TLS handshake; the older SSL3 handshake won't work. Now... you *can* enable SSLv2Hello and then only support TLSv1+, but let's face it: SSL is dead and clients should get with the program.

> This may limit our client Web application but I have very little
> influence over the server-side application, so it'll have to do as
> a solution for now.

Your client should not try to use an SSL handshake unless you know it's required.

> So the issue seems to be a Java handshake error whereby it has a
> problem downgrading from TLSv1.2 to TLSv1 during the handshake.

I don't know enough about TLS to know if there is an appreciable difference in the handshake protocol between the two. I know that SSLv2 was the lowest common denominator for a while, and most servers would enable it *just for the handshake* but would refuse to actually negotiate an SSLv2 connection (SSLv2 was basically DOA). These days, nobody should be using SSL at all, but I might understand wanting to use SSL-compatible handshakes, so using "SSLv2Hello" but not supporting the SSLv3 protocol would be the way to do that.

Again, we should just let SSL die. The more we push clients and servers to only negotiate TLS from here on out, the better off Internet security will be overall.

> Why it works in our non-prod environment with the same versions of
> everything is a mystery, but I can speculate at some difference in
> underlying O/S settings, or perhaps a Java bug.

Or more likely a configuration option you didn't detect when you checked everything out.
-chris
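The per-version probing the quoted mail describes (openssl s_client with and without -tls1), as an added shell example that is not part of this thread: it runs one handshake per protocol flag and classifies each transcript, including the "decryption failed or bad record mac" error above, so the same host can be compared between the prod and non-prod environments. The hostname, port, verdict names and the set of version flags present in your openssl build are assumptions.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): probe a server with one
# openssl s_client handshake per protocol version and classify each transcript.
# Assumes openssl is in PATH; host/port are whatever you pass in.

# Read one s_client transcript on stdin and print a one-word verdict.
# Error patterns are tested first because older s_client builds still print
# the "Verify return code" line after a failed handshake.
classify_handshake() {
    transcript=$(cat)
    case "$transcript" in
        *"decryption failed or bad record mac"*)  echo bad_record_mac ;;
        *"wrong version number"*|*"unsupported protocol"*|*"alert protocol version"*)
                                                  echo version_rejected ;;
        *"handshake failure"*)                    echo handshake_failure ;;
        *"nknown option"*)                        echo flag_unsupported ;;
        *"Connection refused"*|*"connect:errno"*) echo unreachable ;;
        *"Cipher is (NONE)"*)                     echo no_session ;;
        *"Verify return code"*)                   echo ok ;;
        *)                                        echo unknown ;;
    esac
}

# Try each version flag against host:port. stdin is closed so s_client exits
# right after the handshake; stderr is merged because the error lines go there.
# -tls1_3 exists only in OpenSSL 1.1.1+, older builds report flag_unsupported.
probe_protocols() {
    host=$1
    port=${2:-443}
    for flag in -ssl3 -tls1 -tls1_1 -tls1_2 -tls1_3; do
        verdict=$(openssl s_client -connect "$host:$port" "$flag" </dev/null 2>&1 | classify_handshake)
        printf '%-8s %s\n' "$flag" "$verdict"
    done
}

# Usage: sh probe.sh your.server.example 443
if [ "$#" -ge 1 ]; then
    probe_protocols "$@"
fi
```

Run it once against the prod host and once against the non-prod host; a version whose verdict differs between the two is the configuration difference to look for.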