Magnus,
On 9/27/16 10:29 AM, Persson, Magnus (SE-TLX) wrote:
> We started out with tomcat 7.0.35 and got that running with our
> REST servlet.
>
> When we upgraded to tomcat 7.0.63 we got this error when we tried
> to create a new session:
>
> { "message": "[Errno 1] _ssl.c:507: error:14077410:SSL
> routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure" }

This is an error message from OpenSSL. Is this the client that is
choking, or the server?

> Through Google we found out that we needed to add "SSLv2Hello" to
> the enabled protocols so we changed our connector in server.xml
> like this (only added SSLv2Hello):
>
> <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
> maxThreads="150" scheme="https" secure="true"
> keystoreFile="${catalina.base}/conf/keystore" keystorePass="*"
> clientAuth="false" sslProtocol="TLS"
> sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1,SSLv2Hello"
> URIEncoding="UTF-8" />
>
> We upgraded to tomcat 7.0.68 and it works fine with above connector
> in server.xml

Do you absolutely need to accept SSLv2Hello-formatted handshakes? Most
of the web has abandoned SSLv3 and below at this point, so SSLv2Hello
should no longer be necessary.

> When we upgraded to tomcat 7.0.70 we got the sslv3 error again even
> though we have SSLv2Hello in the enabled protocols:
>
> { "message": "[Errno 1] _ssl.c:507: error:14077410:SSL
> routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure" }
>
> What do we need to change in the server.xml file to bypass the ssl3
> error this time?

That depends upon where you are actually getting that error.

-chris
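
The reply asks whether SSLv2Hello-formatted handshakes are really needed. As an added example (not part of the original message, and not Tomcat or OpenSSL code), this Python function classifies the first bytes a client sends as an SSLv2-format hello or an SSLv3/TLS record and reports the version offered; the function name and the sample byte strings are constructed for illustration.

```python
# Wire version codes (major, minor) -> protocol name.
VERSIONS = {(0, 2): "SSLv2", (3, 0): "SSLv3", (3, 1): "TLSv1",
            (3, 2): "TLSv1.1", (3, 3): "TLSv1.2"}

# Constructed samples: only the leading bytes of each ClientHello.
SSLV2_HELLO = bytes.fromhex("80 2e 01 03 01 00 15 00 00 00 10")
TLS_HELLO = bytes.fromhex("16 03 01 00 c8 01 00 00 c4 03 03")


def classify_client_hello(data: bytes) -> dict:
    """Classify the first bytes a client sends on a TLS port.

    Returns {"format": ..., "offered": ...}; format is "SSLv2Hello",
    "TLS record" or "unknown", offered is the version the client asks for.
    """
    if len(data) < 5:
        return {"format": "unknown", "offered": None}

    # SSLv2-format hello (2-byte header form): length with the high bit
    # set, message type 1 (CLIENT-HELLO), then the highest version offered.
    if data[0] & 0x80 and data[2] == 0x01:
        offered = VERSIONS.get((data[3], data[4]), "unknown")
        return {"format": "SSLv2Hello", "offered": offered}

    # SSLv3/TLS record: content type 22 (handshake), 2-byte record version,
    # 2-byte length, handshake type 1 (ClientHello), 3-byte length,
    # then the 2-byte client_version field.
    if data[0] == 0x16 and data[1] == 0x03:
        if len(data) >= 11 and data[5] == 0x01:
            offered = VERSIONS.get((data[9], data[10]), "unknown")
            return {"format": "TLS record", "offered": offered}
        return {"format": "TLS record", "offered": None}

    return {"format": "unknown", "offered": None}


if __name__ == "__main__":
    for name, sample in (("v2-format", SSLV2_HELLO), ("record", TLS_HELLO)):
        print(name, classify_client_hello(sample))
```

If no client in a capture produces the "SSLv2Hello" format, the connector does not need SSLv2Hello in sslEnabledProtocols for those clients.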